You are checking an enterprise network and see a suspicious packet with the MAC address 00:09:0f:09:18:81.
Which two statements about the suspicious packet are correct? (Choose two.)
A. The suspicious packet is related to a cluster with a group-id value lower than 255.
B. The suspicious packet corresponds to a port with a physical index equal to 2.
C. The suspicious packet is related to a cluster that has VDOMs enabled
D. The suspicious packet is related to a cluster configured with the FortiGate Session Life Protocol (FGSP).
To secure your enterprise network traffic, which step does FortiGate perform first, when handling the first packets of a session?
A. Decryption
B. Installation of the session key in the network processor (NP)
C. A reverse path forwarding (RPF) check
D. IP integrity header checking
Refer to the exhibits.
The system administrator settings configured on a root FortiGate and the Security Fabric settings configured on a downstream FortiGate are shown.
When prompted to sign in with Security Fabric to the downstream FortiGate, a user enters the single sign-on (SSO) provider credentials.
What happens next for the user?
A. The user is redirected to the root FortiGate.
B. The user accesses the downstream FortiGate with super_admin_readonly privileges.
C. The user accesses the root FortiGate with AdminSSO privileges.
D. The user receives an authentication failure message.
You must update a firewall policy to block multiple websites within the subnet 172.165.58.0/24.
What must you do to block these addresses efficiently?
A. Create an application sensor and apply the application control profile to the firewall policy.
B. Create a URL filter and apply the web filter profile to the firewall policy.
C. Create an IP address external connector and apply it to the destination field of the firewall policy.
D. Create an Internet Service Database (ISDB) group and apply it to the destination field of the firewall policy.
You are setting up an ADVPN configuration and want to ensure that peer IDs are not exposed during VPN establishment.
Which protocol can the administrator use to enhance security?
A. Use SSL VPN tunnel mode with certificates.
B. Use IKEv2, which encrypts peer IDs and prevents exposure.
C. Use IKEv1 aggressive mode with certificates.
D. Use IKEv1 main mode with AES-GCM security proposal.
Refer to the exhibit.
A physical topology along with a traffic log is shown.
You are using FortiAnalyzer to monitor traffic from the device with IP address 10.0.2.51, which is located behind the FortiGate internal segmentation firewall (ISFW) device.
Unified threat management (UTM) is not enabled in the firewall policy on the HQ-ISFW device, and you are surprised to see a log with the action Malware, as shown in the exhibit.
What are two reasons why FortiAnalyzer would display this log? (Choose two.)
A. Security rating is enabled in HQ-ISFW.
B. UTM is enabled in the firewall policy in HQ-NGFW-1.
C. HQ-ISFW is in a Security Fabric environment.
D. HQ-ISFW is not connected to FortiAnalyzer and traffic must go through HQ-NGFW-1.
Refer to the exhibit.
An enterprise network connected to an ISP is shown.
You must configure a loopback as a BGP source to connect to the ISP.
Which two commands must you use to establish the connection? (Choose two.)
A. ibgp-enforce-multihop
B. ebgp-enforce-multihop
C. recursive-next-hop
D. update-source
Which action can you take on FortiGate to block traffic using intrusion prevention system (IPS) protocol decoders, focusing on network transmission patterns and application signatures?
A. Enable inspect all ports in flow mode
B. Use application control to limit non-URL-based software handling.
C. Enable application detection-based SD-WAN rules.
D. Use the DNS filter to block application signatures and protocol decoders.
Refer to the exhibit.
You are deploying a hub and spokes network and using OSPF as a dynamic protocol.
Which configuration is recommended for neighbor adjacency through the hub?
A. Set virtual-link enable in the OSPF configuration
B. Set rfc1583-compatible enable in the router configuration
C. Set network-type point-to-multipoint in the hub interface
D. Set route-reflector-client enable in the router configuration
Refer to the exhibit.
A partial VPN configuration is shown.
Which statement about this VPN IPsec phase 1 configuration is correct?
A. FortiGate will not add a route to its routing information base (RIB) or forwarding information base (FIB) when the dynamic tunnel is negotiated.
B. This configuration must include certificates associated peer IDs to enhance security.
C. A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.
D. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
Refer to the exhibit.
A network diagram with a hub and spokes deployment is shown.
You must deploy several spokes, including the BGP configuration for the spokes that connect to the hub.
Which two commands would you use to minimize the amount of configuration needed on the hub? (Choose two.)
A. ebgp-multipath
B. route-overlap
C. neighbor-range
D. neighbor-group
If you implement IKEv2 in a VPN topology, which two statements are true? (Choose two.)
A. Unlike IKEv1, it supports mode config.
B. It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
C. It supports the extensible authentication protocol (EAP).
D. It exchanges a minimum of two messages to establish a secure tunnel.
Refer to the exhibit.
Based on the exhibit, what is the first message that Spoke 1 replies to the hub instructing it to bring up the dynamic tunnel if a client generates traffic destined to Spoke 2?
A. Shortcut query
B. Shortcut forward
C. Shortcut offer
D. Shortcut reply
Refer to the exhibit.
A network diagram showing the corporate network and a new remote office network is shown.
You must integrate the new remote office network with the corporate enterprise network.
What must you do to allow routing between the two networks?
A. Implement BGP to inject the new remote office network into the corporate FortiGate device.
B. Add the network 192.168.1.0/24 in the OSPF section on the corporate FortiGate device.
C. Implement OSPF over IPsec on both FortiGate devices.
D. Configure virtual links on both FortiGate devices.
In a transparent VDOM interface, what does the command set forward-domain <domain_ID> do?
A. It allows the interface to access the configured admin domain.
B. It restricts the interface to managing traffic from only the specified VLAN, effectively segregating network traffic.
C. It isolates traffic within a specific VLAN by assigning a broadcast domain to an interface based on the VLAN ID.
D. It assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.
Refer to the exhibits.
The ADVPN network topology and partial BGP configuration are shown.
Which two parameters must you configure in the config neighbor range for spokes shown in the exhibit? (Choose two.)
A. set prefix 10.0.12.0 255.255.255.0
B. set route-reflector-client enable
C. set neighbor-group advpn
D. set prefix 172.16.1.0 255.255.255.0
You need to install a new intrusion prevention system (IPS) profile without triggering false positives that can impact applications and disrupt normal traffic flow.
How can you prevent false positives on IPS analysis?
A. Use an IPS profile with action default and analyze the applications.
B. Use the IPS profile extension to select an OS, protocol, and application for all the network internal services and users to prevent false positives.
C. Use an IPS profile with Scan Outgoing Connections to block botnets, which can create false positives.
D. Use an IPS profile with action monitor; however, you must be aware that this can compromise network integrity.
During the last network migration, the IT department discovered that all zero phase selectors in phase 2 IPsec configurations impact network operations.
What are two valid recommendations to prevent potential invalid paths during future migrations? (Choose two.)
A. Configure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.
B. Configure the VPN with the exact segments that will be encrypted in the phase two selectors.
C. Configure an IPsec aggregate to create redundancy between each firewall peer.
D. Configure routing protocols to specify allowed subnets over the tunnel.
You must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic.
Which SSL inspection setting reduces system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?
A. Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.
B. Disable SSL inspection to preserve resources.
C. Use deep SSL inspection to inspect encrypted HTTPS traffic.
D. Configure SSL inspection to handle HTTPS traffic efficiently.
Refer to the exhibit.
An OSPF network is shown.
Which configuration must you apply to optimize the OSPF database?
A. Set the area 0.0.0.1 to the type Stub in the area border FortiGate.
B. Set a route map in the autonomous system boundary FortiGate.
C. Set the area 0.0.0.1 to the type NSSA in the area border FortiGate.
D. Set a prefix list in the autonomous system boundary FortiGate.
Refer to the exhibit.
A network topology and a FortiGate routing table are shown.
What must you configure in the BGP section to add only the subnet 100.64.2.0/24 in the routing table of FortiGate_A?
A. Configure route-map-in on FortiGate_A.
B. Configure connected routes redistribution on FortiGate_C.
C. Configure BGP route redistribution on FortiGate_B.
D. Configure the 100.64.2.0/24 network on FortiGate_C.
You receive a FortiAnalyzer alert warning that a 1 TB disk filled up in a day. Upon investigation, you find thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. You later discover that DNS exfiltration is occurring through both UDP and TLS.
How can you prevent this data theft technique?
A. Use a file filter profile to protect against DNS exfiltration.
B. Use an intrusion prevention system (IPS) profile and DNS exfiltration-related signatures.
C. Enable DNS filter to protect against DNS exfiltration.
D. Enable data loss prevention (DLP) to prevent DNS exfiltration.
Refer to the exhibits.
A policy package conflict status and information from the import device wizard in the Core1 VDOM are shown.
When you import a policy package, the following message appears for the Web_restrictions web filter profile and the deep-inspection SSL-SSH profile:
The following objects were found having conflicts. Please confirm your settings, then continue.
The Web_restrictions and deep-inspection profiles are used by other FortiGate devices within FortiManager.
Which step must you take to resolve the issue?
A. Create uniquely named objects on FortiGate and reimport them into the policy package.
B. Retrieve the FortiGate configuration to automatically export correct objects and policies.
C. Use non-default object values because FortiManager is unable to alter default values.
D. Select the FortiManager configuration that accepts changes on FortiManager and preserves existing configurations on FortiGate devices.
Refer to the exhibits.
The configuration of Windows PC, PC 1, with a default MTU of 1500 bytes, FortiGate interfaces with an MTU of 1000 bytes, and the results of PC 1 pinging over server 172.16.0.251 are shown.
Why is the PC1 user unable to ping server 172.16.0.254 and seeing the message: Packet needs to be fragmented but DF set?
A. The user must adjust the TCP maximum segment size (MSS) to 1000 for the ping to succeed
B. The ip.flags.mf option must be enabled on FortiGate. The user must adjust the ping MTU to 1000 to succeed.
C. The user must account for the size of the Ethernet header when configuring the MTU value.
D. FortiGate honors the do not fragment bit and the packets are dropped. The user must adjust the ping MTU to 972 to succeed.
You need an internal segmentation firewall (ISFW) FortiGate for a campus with an ultralow latency interface.
Which FortiGate should you select?