NSE4 Flashcards
(169 cards)
1
Q
Which user group types does FortiGate support for firewall authentication? (Choose three.) A. RSSO B. Firewall C. LDAP D. NTLM E. FSSO
A
A. RSSO
B. Firewall
E. FSSO
2
Q
Which of the following settings can be configured per VDOM? (Choose three)
A. Operating mode (NAT/route or transparent)
B. Static routes
C. Hostname
D. System time
E. Firewall Policies
A
A. Operating mode (NAT/route or transparent)
B. Static routes
E. Firewall Policies
3
Q
Which best describes the mechanism of a TCP SYN flood?
A. The attackers keeps open many connections with slow data transmission so that other clients cannot start new connections.
B. The attackers sends a packets designed to sync with the FortiGate
C. The attacker sends a specially crafted malformed packet, intended to crash the target by exploiting its parser.
D. The attacker starts many connections, but never acknowledges to fully form them.
A
D. The attacker starts many connections, but never acknowledges to fully form them.
4
Q
What attributes are always included in a log header? (Choose three.) A. policyid B. level C. user D. time E. subtype F. duration
A
B. level
D. time
E. subtype
5
Q
When does a FortiGate load-share traffic between two static routes to the same destination subnet?
A. When they have the same cost and distance.
B. When they have the same distance and the same weight.
C. When they have the same distance and different priority.
D. When they have the same distance and same priority.
A
D. When they have the same distance and same priority.
6
Q
Which statement is in advantage of using a hub and spoke IPsec VPN configuration instead of a fully-meshed set of IPsec tunnels?
A. Using a hub and spoke topology provides full redundancy.
B. Using a hub and spoke topology requires fewer tunnels.
C. Using a hub and spoke topology uses stronger encryption protocols.
D. Using a hub and spoke topology requires more routes
A
B. Using a hub and spoke topology requires fewer tunnels.
7
Q
An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?
A. The IPsec firewall policies must be placed at the top of the list.
B. This VPN cannot be used as a part of a hub and spoke topology.
C. Routes are automatically created based on the quick mode selectors.
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.
A
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.
8
Q
Which of the following email spam filtering features is NOT supported on a FortiGate unit?
A. Multipurpose Internet Mail Extensions (MIME) Header Check
B. HELO DNS Lookup
C. Greylisting
D. Banned Word
A
C. Greylisting
9
Q
Which IPSec mode includes the peer id information in the first packet? A. Main mode. B. Quick mode. C. Aggressive mode. D. IKEv2 mode.
A
C. Aggressive mode.
10
Q
What actions are possible with Application Control? (Choose three.) A. Warn B. Allow C. Block D. Traffic Shaping E. Quarantine
A
B. Allow
C. Block
D. Traffic Shaping
11
Q
Which is not a FortiGate feature? A. Database auditing B. Intrusion prevention C. Web filtering D. Application control
A
A. Database auditing
12
Q
In FortiOS session table output, what is the correct proto_state number for an established, non-proxied TCP connection? A. 00 B. 11 C. 01 D. 05
A
C. 01
13
Q
A FortiGate devices is configured with four VDOMs: ‘root’ and ‘vdom1’ are in NAT/route mode; ‘vdom2’ and ‘vdom2’ are in transparent mode. The management VDOM is ‘root’.
Which of the following statements are true? (Choose two.)
A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and vdom2’ can created.
C. An inter-VDOM link between ‘vdom2’ and vdom3’ can created.
D. Inter-VDOM link links must be manually configured for FortiGuard traffic.
A
A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and vdom2’ can created.
14
Q
Examine the following log message attributes and select two correct statements from the list below. (Choose two.) hostname=www.youtube.com profiletype=”Webfilter_Profile” profile=”default” status=”passthrough” msg=”URL belongs to a category with warnings enabled”
A. The traffic was blocked.
B. The user failed authentication.
C. The category action was set to warning.
D. The website was allowed
A
C. The category action was set to warning.
D. The website was allowed
15
Q
Which of the following statements are true about PKI users created in a FortiGate device?
(Choose two.)
A. Can be used for token-based authentication
B. Can be used for two-factor authentication
C. Are used for certificate-based authentication
D. Cannot be members of user groups
A
A. Can be used for token-based authentication
B. Can be used for two-factor authentication
16
Q
Which is a more accurate description of a modern firewall?
A. A device that inspects network traffic at an entry point to the internet and within a simple, easily defined network perimeter
B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points
A
B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points
17
Q
Which solution, specific to Fortinet, enhances performance and reduces latency for specific features and traffic?
A. Acceleration hardware, called SPUs (Security Processing Units)
B. Increased RAM and CPU power
A
A. Acceleration hardware, called SPUs (Security Processing Units)
18
Q
Which protocol does FortiGate use to download antivirus and IPS packages?
A. UDP
B. TCP
A
B. TCP
19
Q
How does FortiGate check content for spam or malicious websites?
A. Live queries to FortiGuard over UDP or HTTPS
B. Local verification using downloaded web filter database locally on FortiGate
A
A. Live queries to FortiGuard over UDP or HTTPS
20
Q
How do you restrict logins to FortiGate from only specific IP addresses?
A. Change FortiGate management interface IP addresses
B. Configure trusted host
A
B. Configure trusted host
21
Q
As a best security practice when configuring administrative access to FortiGate, which protocol should you disable?
A. Telnet
B. SSH
A
A. Telnet
22
Q
When configuring FortiGate as a DHCP server, to restrict access by MAC address, what does the Assign IP option do?
A. Assigns a specific IP address to a MAC address
B. Dynamically assigns an IP to a MAC address
A
B. Dynamically assigns an IP to a MAC address
23
Q
When configuring FortiGate as a DNS server, which resolution method only uses the FortiGate DNS database to try to resolve queries?
A. Non-recursive
B. Recursive
A
A. Non-recursive
24
Q
Which traffic is always generated from the management VDOM?
A. Link Health Monitor
B. FortiGuard
A
B. FortiGuard
25
Which statement about the management VDOM is true?
A. It is root by default and cannot be changed in multi-vdom mode.
B. It is root by default, but can be changed to any VDOM in multi-vdom mode.
B. It is root by default, but can be changed to any VDOM in multi-vdom mode.
26
When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration file was produced, what must you also provied?
A. The password to decrypt the file
B. The private decryption key to decrypt the file
A. The password to decrypt the file
27
Which document should you consult to increase the chances of success before upgrading or downgrading firmware?
A. Cookbook
B. Release Notes
B. Release Notes
28
What is the Fortinet Security Fabric?
A. A Fortinet solution that enables communication and visibility among devices of your network
B. A device that can manage all your firewalls
A. A Fortinet solution that enables communication and visibility among devices of your network
29
Which combination of devices must participate in the Security Fabric
A. A FortiAnalyzer and two or more FortiGate devices
B. A device that can manage all your firewalls
A. A FortiAnalyzer and two or more FortiGate devices
30
What are the two mandatory settings of the Security Fabric configuration?
A. Fabric name and Security Fabric role
B. Fabric name and FortiManager IP address
A. Fabric name and Security Fabric role
31
From where do you authorize a device to participate in the Security Fabric?
A. From the downstream FortiGate
B. From the root FortiGate
B. From the root FortiGate
32
Why should an administrator extend the Security Fabric to other devices?
A. To provide a single pane of glass for management and reporting purposes
B. To eliminate the need to purschase the licenses for FortiGate devices in the Security Fabric
A. To provide a single pane of glass for management and reporting purposes
33
What is the purpose of Security Fabric external connectors?
A. External connectors allow you to integrate multi-cloud support with the Security Fabric
B. External connectors allow you to connect the FortiGate command line interface (CLI)
A. External connectors allow you to integrate multi-cloud support with the Security Fabric
34
Which one is a part of the Security Rating scorecard?
A. Firewall Policy
B. Optimization
B. Optimization
35
From which view can an administrator deauthorize a device from the Security Fabric?
A. From the physical topology view
B. From the Fortiview
A. From the physical topology view
36
What criteria does FortiGate use to match traffic to a firewall policy?
A. Secure and destination interfaces
B. Security profiles
A. Secure and destination interfaces
37
What must be selected in the Source field of a firewall policy?
A. At least one address object or ISDB
B. At least one source user and one source address object
A. At least one address object or ISDB
38
To configure a firewall policy, you must include a firewall policy name when configuring using the ____.
A. CLI
B. GUI
B. GUI
39
What is the purpose of applying security profiles to a firewall policy?
A. To allow access to specific subnets
B. To protect your network from threats, and control access to specific applications and URLs
B. To protect your network from threats, and control access to specific applications and URLs
40
If you configure a firewall policy with any interface, you can view the firewall policy list only in which view?____.
A. The By Sequence View
B. The Interface Pair View
A. The By Sequence View
41
Which of the following naming formats is correct when configuring a name for a firewall address object?
A. Good_Training
B. Good(Training)
A. Good_Training
42
What is the purpose of the policy lookup feature on FortiGate?
A. To find a matching policy based on input criteria
B. To block traffic based on input criteria
A. To find a matching policy based on input criteria
43
What is NAT used for?
A. Preserving IP addresses
B. Traffic shaping
A. Preserving IP addresses
44
Which statement about NAT66 is true?
A. It is NAT between two IPv6 networks.
B. It is NAT between two IPv4 networks.
A. It is NAT between two IPv6 networks.
45
What is the default IP pool type?
A. One-to-one
B. Overload
B. Overload
46
Which of the following is the default VIP type?
A. static-nat
B. load-balance
A. static-nat
47
Which statement is true?
A. Central NAT is not enabled by default
B. Both central NAT and firewall policy NAT can be enabled together
A. Central NAT is not enabled by default
48
What happens if there is no matching central SNAT policy or no central SNAT policy configured?
A. The egress interface IP will be used.
B. NAT will not be applied to the firewall session.
B. NAT will not be applied to the firewall session.
49
Which method would you use for advanced application tracking and control?
A. Session helper
B. Application layer gateway
B. Application layer gateway
50
Which profile is an example of application layer gateway?
A. WAF (Web Application Firewall) profile
B. VOIP (Voice over IP) profile
B. VOIP (Voice over IP) profile
51
If session diagnostic output indicates that a TCP protocol state is proto_state=01, which is true?
A. The session is established
B. The session is not established
A. The session is established
52
An administrator wants to check the total number of TCP sessions for an IP pool named INTERNAL. Which CLI command should the administrator use?
A. diagnose firewall ippool-all stats INTERNAL
B. diagnose firewall ippool-all list INTERNAL
A. diagnose firewall ippool-all stats INTERNAL
53
Which firewall authentication method does FortiGate support?
A. Local password authentication
B. Biometric authentication
A. Local password authentication
54
Which type of token can generate OTPs to provide two-factor authentication to users in your network?
A. FortiToken Mobile
B. USB FortiToken
A. FortiToken Mobile
55
When FortiGate uses a RADIUS server for remote authentication, which statement about RADIUS is true?
A. FortiGate must query the remote RADIUS server using the distinguished name (dn).
B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.
B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.
56
What is a valid reply from RADIUS server to an ACCESS_REQUEST packet from FortiGate?
A. ACCESS-PENDING
B. ACCESS-REJECT
B. ACCESS-REJECT
57
A remote LDAP user is trying to authenticate with a username and password. How does FortiGate verify the login credentials?
A. FortiGate queries its own database for user credentials.
B. FortiGate sends the user-entered credentials to the remote server verification.
B. FortiGate sends the user-entered credentials to the remote server verification.
58
Which statement about guest user groups is true?
A. Guest user group accounts are temporary.
B. Guest user group accounts passwords are temporary.
A. Guest user group accounts are temporary.
59
Guests accounts are most commonly used for which purposes?
A. To provide temporary visitor access to corporate network resources
B. To provide temporary visitor access to wireless networks
B. To provide temporary visitor access to wireless networks
60
Firewall policies dictate whether a user or device can or cannot authenticate on a network. Which statement about firewall authentication is true?
A. Firewall policies can be configured to authenticate certificate users.
B. The order of the firewall polices always determines whether user's credentials are determined actively or passively.
A. Firewall policies can be configured to authenticate certificate users.
61
Which statement about active authentication is true?
A. Active authentication is always used before passive authentication.
B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.
B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.
62
Which statement about captive portal is true?
A. Captive portal must be hosted on a FortiGate device.
B. Captive portal can exempt specific devices from authenticating.
B. Captive portal can exempt specific devices from authenticating.
63
Which statement best describes the authentication idle timeout feature on FortiGate?
A. The length of time FortiGate waits for the user to enter their authentication credentials
B. The length of time an authenticated user is allowed to remain authenticated user is allowed to remain authenticated without any packets being generated by the host device
B. The length of time an authenticated user is allowed to remain authenticated user is allowed to remain authenticated without any packets being generated by the host device
64
Which command would you use to identify the IP addresses of all authenticated users?
A. diagnose firewall auth clear
B. diagnose firewall auth list
B. diagnose firewall auth list
65
Which type of logs are application control, web filter, antivirus, and DLP?
A. Event
B. Security
B. Security
66
The log _______ contains fields that are common to all log types, such as originating date and time, log identifier, log category, and VDOM.
A. header
B. body
A. header
67
Which storage type is preferred for logging?
A. Remote Logging
B. Hard drive
A. Remote Logging
68
Which protocol does FortiGate use to send encrypted logs to FortiAnalyzer?
A. OFTPS
B. SSL
A. OFTPS
69
If you enable reliable logging, which transport protocol will FortiGate use?
A. UDP
B. TCP
B. TCP
70
In your firewall policy, which setting must you enable to generate logs on traffic sent through that firewall policy?
A. Log Allowed Traffic
B. Event Logging
A. Log Allowed Traffic
71
With email alerts, you can trigger alert emails based on ____ or log severity level.
A. event
B. threat weight
A. event
72
What happens when logs roll?
A. It lowers the space requirements needed to contain those logs.
B. They are uploaded to an FTP server.
A. It lowers the space requirements needed to contain those logs.
73
When you download logs on the GUI, ____
A. all logs in the SQL database are downloaded.
B. only your current view, including any filters set, are downloaded.
B. only your current view, including any filters set, are downloaded.
74
Which attribute or extension identifies the owner or a certificate?`
A. The subject name in the certificate
B. The unique serial number in the certificate
A. The subject name in the certificate
75
How does FortiGate determine if a certificate has been revoked?
A. It checks the CRL that resides on the FortiGate
B. It retrieves the CRL from a directory server
A. It checks the CRL that resides on the FortiGate
76
Which certificate extension and value is required in the FortiGate CA certificate in order to enable full SSL inspection?
A. CRL DP=ca_arl.arl
B. cA=True
B. cA=True
77
Which configuration requires FortiGate to act as a CA for full SSL inspection?
A. Multiple clients connecting to multiple servers
B. Protecting the SSL server
A. Multiple clients connecting to multiple servers
78
Which CSR enrollment method is supported by FortiGate?
A. Enrollment over Secure Transport (EST)
B. Simple Certificate Enrollment Protocol (SCEP)
B. Simple Certificate Enrollment Protocol (SCEP)
79
After a CSR has been enrolled and imported into FortiGate, the status of the certificate should change to:
A. Valid
B. Pending
A. Valid
80
Which is the default inspection mode on a firewall policy?
A. Proxy based
B. Flow based
B. Flow based
81
How does NGFW policy-based mode differ from profile-based mode?
A. Policy-based flow inspection supports web profile overrides.
B. Policy-based flow inspection defines URL filters directly in the firewall policy.
B. Policy-based flow inspection defines URL filters directly in the firewall policy.
82
Which statement about proxy-based web filtering is true?
A. It requires more resources than flow-based
B. It transparently analyzes the TCP flow of the traffic
A. It requires more resources than flow-based
83
Which is a valid action for FortiGuard web category filtering?
A. Allow
B. Deny
A. Allow
84
Which is a valid action for static URL filtering?
A. Exempt
B. Warning
A. Exempt
85
Which action can be used with the FortiGuard quota feature?
A. Monitor
B. Shape
A. Monitor
86
Which statement about web profile overrides is true?
A. It is used to change the website category.
B. Configured users can activate this setting through an override link on the FortiGurd block page.
B. Configured users can activate this setting through an override link on the FortiGurd block page.
87
Which is required to configure YouTube video filtering?
A. YouTube API key
B. username
A. YouTube API key
88
Which action can be used with the video FortiGuard categories?
A. Authenticate
B. Monitor
B. Monitor
89
Which statement about blocking the known bothnet command and control domains is true?
A. DNS lookups are checked against the botnet command and control database.
B. The botnet command and control domains can be enabled on the web filter profile.
A. DNS lookups are checked against the botnet command and control database.
90
Which security profile inspects only the fully qualified domain name?
A. Web Filter
B. DNS Filter
B. DNS Filter
91
You have configured your security profiles, but they are not performing web or DNS inspection. Why?
A. The certificate is not installed correctly
B. The profiles is not associated with the correct firewall policy.
B. The profiles is not associated with the correct firewall policy.
92
Which statement about application control is true?
A. Application control uses the IPS engine to scan traffic for application patterns.
B. Application control is unable to scan P2P architecture traffic.
A. Application control uses the IPS engine to scan traffic for application patterns.
93
Which statement about the application control database is true?
A. The application control database is separate from the IPS database.
B.A. The application control database must be updated manually.
A. The application control database is separate from the IPS database.
94
Which statement about application control in a NGFW policy-based configuration is true?
A. Applications are applied directly to the security policies.
B. The application control profiles must be applied to firewall polices.
A. Applications are applied directly to the security policies.
95
Which statement about the HTTP block page for application control is true?
A. It can be used only for web applications.
B. It works for all types of applications.
A. It can be used only for web applications.
96
Where do you enable logging of application control events?
A. Application control logs are enabled in the firewall policy configuration.
B. Application control logs are enabled on the FortiView Applications page of FortiGate.
A. Application control logs are enabled in the firewall policy configuration.
97
Which piece of information is not included in the application event log when using NGFW policy-based mode?
A. Application control profile name
B. Application name
A. Application control profile name
98
Which protocol does FortiGate use with FortiGuard to recive updates for application control?
A. UDP
B. TCP
B. TCP
99
Which SSL/SSH inspection method is recommended for use with application control scanning to improve application detection?
A. Certificate-based inspection profile
B. Deep-inspection profile
B. Deep-inspection profile
100
If antivirus, grayware, and AI scans are enabled, in what order are they performed?
A. AI scan. followed by grayware scan, followed by antivirus scan
B. Antivirus scan, followed by grayware scan, followed by AI scan
B. Antivirus scan, followed by grayware scan, followed by AI scan
101
Which database can be manually selected for use in antivirus scanning?
A. Extended and Extreme
B. Quick, Normal, and Extreme
A. Extended and Extreme
102
What three additional features of an antivirus profile are available in proxy-based inspection mode?
A. MAPI, SSH and CDR
B. Full and quick
A. MAPI, SSH and CDR
103
What antivirus database is limited to specific FortiGate models?
A. Extended
B. Extreme
B. Extreme
104
What is the default scanning behavior for files over 10 MB?
A. Allow the file without scanning
B. Block all large files that exceed the buffer threshold
A. Allow the file without scanning
105
Which type of inspection mode can be offloaded using NTurbo hardware acceleration?
A. Proxy-based
B. Flow-based
B. Flow-based
106
What does the logging of oversized files option do?
A. Enables logging of all files that cannot be scanned because of oversize limit
B. Logs all files that are over 5 MB
A. Enables logging of all files that cannot be scanned because of oversize limit
107
What command do you use to force FortiGate to check for a new antivirus updates?
A. execute update antivirus
B. execute update-av
B. execute update-av
108
Which IPS action allows traffic and logs the activity?
A. Allow
B. Monitor
B. Monitor
109
Which IPS component is updated most frequently?
A. Protocol decoders?
B. IPS signature database
B. IPS signature database
110
Which behavior is a characteristic of a DoS attack?
A. Attempts to exploit a known application vulnerability
B. Attempts to overload a server with TCP SYN packets
B. Attempts to overload a server with TCP SYN packets
111
Which DoS anomaly sensor can be used to detect and block the probing attempts of a port scanner?
A. tcp_syn_flood
B. tcp_port_scan
B. tcp_port_scan
112
WAF protocol constraints protect against which type of attacks?
A. Buffer overload
B. ICMP sweep
A. Buffer overload
113
To use WAF feature, which inspection mode should be used in the firewall policy?
A. Flow
B. Proxy
B. Proxy
114
Which chipset uses NTurbo to accelerate IPS sessions?
A. CP9
B. SoC4
B. SoC4
115
Which feature requires full SSL inspection to maximize its detection capability?
A. WAF
B. DoS
A. WAF
116
Which FQDN does FortiGate use to obtain IPS updates?
A. update.fortiguard.net
B. service.fortiguard.com
A. update.fortiguard.net
117
When IPS fail open is triggered, what is the expected behavior, if the IPS fail-open option is set to enabled?
A. New packets pass through without inspection
B. New packets dropped
A. New packets pass through without inspection
118
What does a VPN do?
A. Extends a private network across a public network
B. Protects a network from external attacks
A. Extends a private network across a public network
119
Which statement about SSL VPNs is true?
A. An SSL VPN can be established between workstation and a FortiGate device only.
B. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices.
B. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices.
120
A web-mode SSL VPN user connects to a remote web server. What is the source IP address of the HTTP request the web server recives?
A. The remote user IP address
B. The FortiGate device internal IP address
B. The FortiGate device internal IP address
121
Which statement about tunnel-mode SSL VPN is correct?
A. It supports split tunneling.
B. It requires bookmarks.
A. It supports split tunneling.
122
A web-mode SSL VPN user uses ____ to access internal network resources.
A. bookmarks
B. FortiClient
A. bookmarks
123
Which step is necessary to configure SSL VPN connections?
A. Create a firewall policy from the SSL VPN interface to the internal interface.
B. Enable event logs for SSL VPN traffic: users, VPN, and endpoints.
A. Create a firewall policy from the SSL VPN interface to the internal interface.
124
Which action may allow internet access in tunnel mode, if the remote network does not allow internet access to SSL VPN users?
A. Enable split tunneling
B. Configure the DNS server to use the same DNS server as the client DNS
A. Enable split tunneling
125
What does the SSL VPN monitor feature allow you to do?
A. Monitor SSL VPN user actions, such as authentication
B. Force SSL VPN user disconnects
B. Force SSL VPN user disconnects
126
Which statement about SSL VPN timers is correct?
A. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency.
B. The login timeout is a non-customizable hard value.
A. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency.
127
Which components issues and signs the client certificate?
A. FortiClient EMS
B. FortiClient
A. FortiClient EMS
128
Which internet browser supports Fortinet ZTNA?
A. Firefox
B. Chrome
B. Chrome
129
What does FortiClient EMS integration ensure?
A. Device identification
B. User identification
A. Device identification
130
An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?
A. VLAN interface
B. Software Switch interface
C. Aggregate interface
D. Redundant interface
C. Aggregate interface
131
Refer to the exhibit, which contains a static route configuration.
An administrator created a static route for Amazon Web Services.
What CLI command must the administrator use to view the route?
A. get router info routing-table all
B. get internet service route list
C. get router info routing-table database
D. diagnose firewall proute list
D. diagnose firewall proute list
132
Which three statements are true regarding session-based authentication? (Choose three.)
A. HTTP sessions are treated as a single user.
B. IP sessions from the same source IP address are treated as a single user.
C. It can differentiate among multiple clients behind the same source IP address.
D. It requires more resources.
E. It is not recommended if multiple users are behind the source NAT
A. HTTP sessions are treated as a single user.
C. It can differentiate among multiple clients behind the same source IP address.
D. It requires more resources.
133
What is the primary FortiGate election process when the HA override setting is disabled?
A. Connected monitored ports > System uptime > Priority > FortiGate Serial number
B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
D.Connected monitored ports > Priority > System uptime > FortiGate Serial number
B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
134
Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?
A. Fabric Coverage
B. Automated Response
C. Security Posture
D. Optimization
C. Security Posture
135
Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?
Select one:
A. It captures the login events and forwards them to the collector agent.
B. It captures the user IP address and workstation name and forwards them to FortiGate.
C. It captures the login and logoff events and forwards them to the collector agent.
D. It captures the login events and forwards them to FortiGate.
A. It captures the login events and forwards them to the collector agent.
136
FortiGate has been configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.
What is the most likely reason for this situation?
Select one:
A. No matching user account exists for this user.
B. The user is using a guest account profile.
C. The user is using a super admin account.
D. The user was authenticated using passive authentication.
D. The user was authenticated using passive authentication.
137
Which two statements about FortiGate antivirus databases are true? (Choose two.)
Select one or more:
A. The quick scan database is part of the normal database.
B. The extended database is available only if AI scanning is enabled.
C. The extended database is available on all FortiGate models.
D. The extreme database is available only on certain FortiGate models.
C. The extended database is available on all FortiGate models.
D. The extreme database is available only on certain FortiGate models.
138
Examine the exhibit, which shows a firewall policy configured with multiple security profiles.
```
Which two security profiles are handled by the IPS engine? (Choose two.)
Select one or more:
A. Web Filter
B. AntiVirus
C. Application Control
D. IPS
```
C. Application Control
| D. IPS
139
View the exhibit.
A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.
Exhib_route
Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.)
Select one or more:
A. Strict RPF check will deny the traffic.
B. Loose RPF check will deny the traffic.
C. Strict RPF check will allow the traffic.
D. Loose RPF check will allow the traffic.
C. Strict RPF check will allow the traffic.
| D. Loose RPF check will allow the traffic.
140
What two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)
Select one or more:
A. Fabric name
B. FortiAnalyzer IP address
C. FortiManager IP address
D. Pre-authorize downstream FortiGate devices
A. Fabric name
| B. FortiAnalyzer IP address
141
Examine this FortiGate configuration:
config system global
set av-failopen pass
end
config ips global
set fail-open disable
end
Examine the output of the following debug command:
# diagnose hardware sysinfo conserve
memory conserve mode: on
total RAM: 3040 MB
memory used: 2706 MB 89% of total RAM
memory freeable: 334 MB 11% of total RAM
memory used + freeable threshold extreme: 2887 MB 95% of total RAM
memory used threshold red: 2675 MB 88% of total RAM
memory used threshold green: 2492 MB 82% of total RAM
Based on the diagnostic outputs above, how is FortiGate handling new packets that require IPS inspection?
Select one:
A. They are allowed and inspected as long as no additional proxy-based inspection is required.
B. They are allowed, but with no inspection.
C. They are allowed and inspected.
D. They are dropped.
D. They are dropped.
142
Examine the following log message attributes:
subtype="webfilter" hostname=www.youtube.com profile="default" action="passthrough" msg="URL belongs to a category with warnings enabled"
Which two statements about the log are correct? (Choose two.)
Select one or more:
A. The user failed authentication.
B. The user was prompted to decide whether to proceed or go back.
C. The category action was set to warning.
D. The website was allowed on the first attempt.
B. The user was prompted to decide whether to proceed or go back.
C. The category action was set to warning.
143
```
Which two configuration settings are global settings? (Choose two.)
Select one or more:
A. FortiGuard settings
B. User & Device settings
C. Firewall policies
D. HA settings
```
A. FortiGuard settings
| D. HA settings
144
An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the internet. The web server is connected to port1. The internet is connected to port2. Both interfaces belong to the VDOM named Corporation.
```
What interface must be used as the source for the firewall policy that will allow this traffic?
Select one:
A. ssl.Corporation
B. ssl.root
C. port2
D. port1
```
A. ssl.Corporation
145
Which statement about firewall policy NAT is true?
Select one:
A. DNAT is not supported.
B. SNAT can automatically apply to multiple firewall policies, based on SNAT policies.
C. DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
D. You must configure SNAT for each firewall policy.
D. You must configure SNAT for each firewall policy.
146
Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)
Select one or more:
A. It supports monitoring of nested groups.
B. FortiGate can act as an LDAP client to configure the group filters.
C. It uses the Windows convention for naming; that is, Domain\Username.
D. It is only supported if DC agents are deployed.
A. It supports monitoring of nested groups.
| B. FortiGate can act as an LDAP client to configure the group filters.
147
What is eXtended Authentication (XAuth)?
Select one:
A. It is an IPsec extension that authenticates remote VPN peers using a preshared key.
B. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
C. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
C. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
148
```
Which three methods can be used to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)
Select one or more:
A. SMS text message
B. Email
C. Voicemail message
D. Instant message app
E. FortiToken
```
A. SMS text message
B. Email
E. FortiToken
149
What does the command diagnose debug fsso-polling refresh-user
do?
Select one:
A. It enables agentless polling mode real-time debug.
B. It refreshes user group information from any servers connected to FortiGate using a collector agent.
C. It displays status information and some statistics related to the polls done by FortiGate on each DC.
D. It refreshes all users learned through agentless polling.
D. It refreshes all users learned through agentless polling.
150
An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.
Which two items must they configure on their FortiGate to accomplish this? (Choose two.)
Select one or more:
A. An application control profile and set all application signatures to monitor
B. An IPS sensor to monitor all signatures applicable to the server
C. A DoS policy, and log all UDP and TCP scan attempts
D. A web application firewall profile to check protocol constraints
B. An IPS sensor to monitor all signatures applicable to the server
C. A DoS policy, and log all UDP and TCP scan attempts
151
Examine the exhibit, which shows a FortiGate with two VDOMs: VDOM1 and VDOM2.
Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.
Which two static routes are required in the FortiGate configuration to route traffic between both subnets through an inter-VDOM link? (Choose two.)
Select one or more:
A. A static route in VDOM1 for the destination subnet of 10.0.2.0/24
B. A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link
C. A static route in VDOM2 for the destination subnet 10.0.1.0/24
D. A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link
C. A static route in VDOM2 for the destination subnet 10.0.1.0/24
152
Examine this partial output from the diagnose sys session list
CLI command:
diagnose sys session list
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
```
What does this output state?
Select one:
A. proto_state=05 is the ICMP state.
B. proto_state=05 means there is only one-way traffic.
C. proto_state=05 is the UDP state.
D. proto_state=05 is the TCP state.
```
D. proto_state=05 is the TCP state.
153
Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
Select one or more:
A. Only the any interface can be chosen as an incoming interface.
B. Multiple interfaces can be selected as incoming and outgoing interfaces.
C. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
D. A zone can be chosen as the outgoing interface.
B. Multiple interfaces can be selected as incoming and outgoing interfaces.
D. A zone can be chosen as the outgoing interface.
154
Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)
Select one or more:
A. Aggressive mode supports XAuth, while main mode does not.
B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
D. Main mode cannot be used for dialup VPNs, while aggressive mode can.
B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
155
Which two statements about the application control profile mode are true? (Choose two.)
Select one or more:
A. It uses flow-based scanning techniques, regardless of the inspection mode used.
B. It cannot be used in conjunction with IPS scanning.
C. It can be selected in either flow-based or proxy-based firewall policy.
D. It can scan only unsecure protocols.
A. It uses flow-based scanning techniques, regardless of the inspection mode used.
C. It can be selected in either flow-based or proxy-based firewall policy.
156
Which two statements about the SD-WAN feature on FortiGate are true? (Choose two.)
Select one or more:
A. An SD-WAN static route does not require a next-hop gateway IP address.
B. Each member interface requires its own firewall policy to allow traffic.
C. SD-WAN provides route failover protection, but cannot load balance traffic.
D. FortiGate supports only one SD-WAN interface per VDOM.
A. An SD-WAN static route does not require a next-hop gateway IP address.
D. FortiGate supports only one SD-WAN interface per VDOM.
157
View the exhibit.
Which two behaviors result from this full (deep) SSL configuration? (Choose two.)
Select one or more:
A. The browser bypasses all certificate warnings and allows the connection.
B. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
C. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
D. A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.
B. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
C. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
158
An administrator has configured central DNAT and virtual IPs.
Which item can be selected in the firewall policy Destination field?
Select one:
A. An IP pool
B. A VIP object
C. A VIP group
D. The mapped IP address object of the VIP object
D. The mapped IP address object of the VIP object
159
An administrator configured antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only.
What is causing this issue?
Select one:
A. Full content inspection for HTTPS is disabled.
B. The test file is larger than the oversize limit.
C. Hardware acceleration is in use.
D. HTTPS protocol is not enabled under Inspected Protocols.
A. Full content inspection for HTTPS is disabled.
160
Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode are true? (Choose two.)
Select one or more:
A. The client must wait for the antivirus scan to finish scanning before it receives the file.
B. A file does not need to be buffered completely before it is moved to the antivirus engine for scanning.
C. If a virus is detected, a block replacement message is displayed immediately.
D. FortiGate sends a reset packet to the client if antivirus reports the file as infected.
A. The client must wait for the antivirus scan to finish scanning before it receives the file.
C. If a virus is detected, a block replacement message is displayed immediately.
161
View the exhibit.
Which statement about the configuration settings is true?
Select one:
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.
C. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
D. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
C. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
162
```
Which three actions are valid for static URL filtering? (Choose three.)
Select one or more:
A. Warning
B. Exempt
C. Allow
D. Block
E. Shape
```
B. Exempt
C. Allow
D. Block
163
Which statement about traffic flow in an active-active HA cluster is true?
Select one:
A. The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client.
B. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.
C. The ACK from the client is received on the physical MAC address of the primary device.
D. The SYN packet from the client always arrives at the primary device first.
D. The SYN packet from the client always arrives at the primary device first.
164
Examine the exhibit showing a routing table.
Exhib_route
Which route will be selected when trying to reach 10.20.30.254?
Select one:
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3
B. 0.0.0.0/0 [10/0] via 172.20.121.2, port1
C. 10.30.20.0/24 [10/0] via 172.20.121.2, port1
D. 10.20.30.0/26 [10/0] via 172.20.168.254, port2
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3
165
```
Which load balancing method is not supported in equal cost multipath (ECMP) load balancing, but is supported in SD-WAN?
Select one:
A. Source-destination IP based
B. Weight based
C. Source IP based
D. Volume based
```
C. Source IP based
166
Which statement about the HA override setting in FortiGate HA clusters is true?
Select one:
A. You must configure override settings manually and separately for each cluster member.
B. It reboots FortiGate.
C. It synchronizes device priority on all cluster members.
D. It enables monitored ports.
A. You must configure override settings manually and separately for each cluster member.
167
View the exhibit.
date=2021-03-16 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140 catdesc="custom1"
What does this raw log indicate? (Choose two.)
Select one or more:
A. 192.168.1.24 is the IP address for www.fortinet.com.
B. FortiGate allowed the traffic to pass
C. The traffic matches the webfilter profile on firewall policy ID 2.
D. The traffic originated from 66.171.121.44.
B. FortiGate allowed the traffic to pass
| C. The traffic matches the webfilter profile on firewall policy ID 2.
168
```
Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
Select one or more:
A. HTTPS
B. FortiTelemetry
C. Trusted authentication
D. SSH
E. Trusted host
```
A. HTTPS
D. SSH
E. Trusted host
169
A client workstation is connected to FortiGate port2. FortiGate port1 is connected to an ISP router. port2 and port3 are both configured as a software switch.
Which IP address must be configured on the workstation as the default gateway?
Select one:
A. The software switch interface IP address
B. The FortiGate management IP address
C. The port2 IP address
D. The router IP address
A. The software switch interface IP address
