An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
Which DPD mode on FortiGate meets this requirement?
A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy.
When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.
The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two.)
A. The selected SSL inspection profile has certificate inspection enabled.
B. The website is exempted from SSL inspection.
C. The EICAR test file exceeds the protocol options oversize limit.
D. The browser does not trust the FortiGate self-signed CA certificate.
An administrator wants to configure an IPS sensor to block traffic that triggers a signature a set number of times during a specific time period.
How can the administrator achieve the objective?
A. Use IPS group signatures, set rate-mode 60.
B. Use IPS packet logging option with periodical filter option.
C. Use IPS filter, rate-mode periodical option.
D. Use IPS filter, rate-mode periodical option.
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.
Based on the exhibit, which statement is true?
A. The Underlay zone is the zone by default.
B. The Underlay zone contains no member.
C. port2 and port3 are not assigned to a zone.
D. The virtual-wan-link and overlay zones can be deleted.
Refer to the exhibit.
What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?
A. FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.
B. FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.
C. FortiGate will close the connection if the SNI does not match the CN or SAN fields.
D. FortiGate will close the connection if the SNI does not match the CN and SAN fields.
A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.
Which step is NOT part of the expected process?
A. The DC agent sends login event data directly to FortiGate.
B. The user logs into the Windows domain.
C. The collector agent forwards login event data to FortiGate.
D. FortiGate determines user identity based on the IP address in the FSSO list.
You are analyzing connectivity problems caused by intermediate devices blocking traffic in an SSL VPN environment.
In which two ways can you effectively resolve the problem? (Choose two.)
A. You can turn off IKE fragmentation to fix large certificate negotiation problems.
B. You should use IPsec to solve issues with fragment drops and large certificate exchanges.
C. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
D. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.
What FortiGate settings should you check to resolve this issue?
A. FortiGuard category ratings
B. Application and Filter Overrides
C. Network Protocol Enforcement
D. Replacement Messages for UDP-based Applications
Which two statements are correct when FortiGate enters conserve mode? (Choose two.)
A. FortiGate continues to run critical security actions, such as quarantine.
B. FortiGate refuses to accept configuration changes.
C. FortiGate halts complete system operation and requires a reboot to regain available resources.
D. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled.
Which two statements describe characteristics of automation stitches? (Choose two.)
A. Actions involve only devices included in the Security Fabric.
B. An automation stitch can have multiple triggers.
C. Multiple actions can run in parallel.
D. Triggers can involve external connectors.
Refer to the exhibit.
Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)
A. Administrators cannot change the configuration.
B. FortiGate skips quarantine actions.
C. Administrators must restart FortiGate to allow new sessions.
D. FortiGate drops new sessions requiring inspection.
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
A. On BR1-FGT, set Seconds to 43200.
B. On HQ-NGFW, enable Diffie-Hellman Group 2.
C. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
D. On HQ-NGFW, set Encryption to AES256.
What is the primary FortiGate election process when the HA override setting is enabled?
A. Connected monitored ports > Priority > HA uptime > FortiGate serial number
B. Connected monitored ports > Priority > System uptime > FortiGate serial number
C. Connected monitored ports > HA uptime > Priority > FortiGate serial number
D. Connected monitored ports > System uptime > Priority > FortiGate serial number
Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
A. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
B. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.
C. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
D. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.
Refer to the exhibit.
The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?
A. Move NOC_Access to the top of the list to ensure all profile settings take effect.
B. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
C. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access.
D. Increase the admintimeout value under config system accprofile NOC_Access.
Which three statements explain a flow-based antivirus profile? (Choose three.)
A. FortiGate buffers the whole file but transmits to the client at the same time.
B. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
C. If a virus is detected, the last packet is delivered to the client.
D. Flow-based inspection optimizes performance compared to proxy-based inspection.
E. The IPS engine handles the process as a standalone.
Which two statements are true about an HA cluster? (Choose two.)
A. An HA cluster cannot have both in-band and out-of-band management interfaces at the same time.
B. Link failover triggers a failover if the administrator sets the interface down on the primary device.
C. When sniffing the heartbeat interface, the administrator must see the IP address 169.254.0.2.
D. HA incremental synchronization includes FIB entries and IPsec SAs.
You have configured the below commands on a FortiGate.
What would be the impact of this configuration on FortiGate?
A. FortiGate will enable strict RPF on all its interfaces and port1 will be enabled for asymmetric routing.
B. FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks.
C. Port1 will be enabled with flexible RPF, and all other interfaces will be enabled for strict RPF.
D. The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces.
Refer to the exhibit.
The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit.
For which two reasons are these web categories exempted? (Choose two.)
A. The FortiGate temporary certificate denies the browser’s access to websites that use HTTP Strict Transport Security.
B. These websites are in an allowlist of reputable domain names maintained by FortiGuard.
C. The resource utilization is optimized because these websites are in the trusted domain list on FortiGate.
D. The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.
Refer to the exhibits.
Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.
What would be the expected outcome in the HA cluster?
A. HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.
B. HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
C. HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
D. The HA cluster will become out of sync because the override setting must match on all HA members.
What are three key routing principles in SD-WAN? (Choose three.)
A. By default, SD-WAN rules are skipped if the included SD-WAN members do not have a valid route to the destination.
B. SD-WAN rules have precedence over any other type of routes.
C. Regular policy routes have precedence over SD-WAN rules.
D. By default, SD-WAN rules are skipped if only one route to the destination is available.
E. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
You have created a web filter profile named restrict_media-profile with a daily category usage quota.
When you add the profile to the firewall policy, restrict_media-profile is not listed in the available web filter profile drop-down list.
What could be the reason?
A. The firewall policy is in no-inspection mode instead of deep-inspection.
B. The inspection mode in the firewall policy does not match the web filter profile feature set.
C. The web filter profile is already referenced in another firewall policy.
D. The naming convention used in the web filter profile is restricting it in the firewall policy.
Refer to the exhibit.
As an administrator, you have created an IPS profile, but it is not performing as expected. While testing, you got the output shown in the exhibit.
What could be the possible reason for the diagnose output shown in the exhibit?
A. There is no firewall policy configured with an IPS security profile.
B. FortiGate entered into IPS fail open state.
C. Administrator entered the command diagnose test application ipsmonitor 5.
D. Administrator entered the command diagnose test application ipsmonitor 99.
Refer to the exhibits.
The exhibits show the system performance output and default configuration of high memory usage thresholds on a FortiGate device.
Based on the system performance output, what are the two possible outcomes? (Choose two.)
A. FortiGate has entered conserve mode.
B. Administrators can access FortiGate only through the console port.
C. Administrators can change the configuration.
D. FortiGate drops new sessions.
An administrator notices that some users are unable to establish SSL VPN connections, while others can connect without any issues.
What should the administrator check first?
A. Ensure that the affected users are using the correct port number.
B. Ensure that user traffic is hitting the firewall policy.
C. Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN.
D. Ensure that the HTTPS service is enabled on SSL VPN tunnel interface.