You have created a web filter profile named restrict_media-profile with a daily category usage quota.
When you are adding the profile to the firewall policy, the restrict_media-profile is not listed in the available web profile drop down.
What could be the reason?
AThe inspection mode in the firewall policy is not matching with web filter profile feature set.
BThe web filter profile is already referenced in another firewall policy.
CThe naming convention used in the web filter profile is restricting it in the firewall policy.
DThe firewall policy is in no-inspection mode instead of deep-inspection.
Refer to the exhibit, which shows a firewall policy to enable active authentication.
When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
What is the most likely reason for this situation?
AThe Service DNS is required in the firewall policy.
BThe Remote-users group is not added to the Destination.
CThe Remote-users group must be set up correctly in the FSSO configuration.
DNo matching user account exists for this user.
What are two features of FortiGate FSSO agentless polling mode? (Choose two.)
AFortiGate does not support workstation check.
BFortiGate directs the collector agent to use a remote LDAP server.
CFortiGate uses the AD server as the collector agent.
DFortiGate uses the SMB protocol to read the event viewer logs from the DCs.
Which two components are part of the secure internet access (SIA) agent-based mode on FortiSASE? (Choose two.)
AFortiExtender
BVPN policies
CThe proxy auto-configuration (PAC) file
DFortiSASE Firewall-as-a-Service (FWaaS)
Refer to the exhibits.
You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
You cannot access any of the Google applications, but you are able to access www.fortinet.com
Which two actions would you take to resolve the issue? (Choose two.)
AChange the Inspection mode to Flow-based.
BSet the action for Google in the Application and Filter Overrides section to Allow.
CAdd “Google”.com to the URL category in the security profile.
DSet SSL inspection to deep-content inspection.
EMove up Google in the Application and Filter Overrides section to set its priority to 1.
Question 6
High Availability
0
Question 7
Diagnostics and Troubleshooting
Question 8
Diagnostics and Troubleshooting
Question 9
IPsec VPN
Question 10
Antivirus
Question 11
Intrusion Prevention and Application Control
Question 12
Firewall Policies and NAT
Question 13
Web Filtering
Question 14
Routing
Question 15
System and Network Settings
Question 16
Firewall Policies and NAT
Question 17
Routing
Question 18
Intrusion Prevention and Application Control
Question 19
Logging and Monitoring
Question 20
SD-WAN Configuration and Monitoring
Question 21
IPsec VPN
Question 22
Certificate Operations
Question 23
Firewall Policies and NAT
Question 24
Intrusion Prevention and Application Control
Question 25
IPsec VPN
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ad
Want a break from the ads?
Become a Supporter and enjoy a completely ad-free experience, plus unlock Learn Mode, Exam Mode, AstroTutor AI, and more.
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Refer to the exhibits.
An administrator has observed the performance status outputs on an HA cluster for 55 seconds.
Which FortiGate is the primary?
AHQ-NGFW-2 with the parameter memory-failover-threshold setting
BHQ-NGFW-1 with the parameter override setting
CHQ-NGFW-2 with the parameter priority setting
DHQ-NGFW-1 with the parameter memory-failover-flip-timeout setting
Refer to the exhibit.
Which two statements about the FortiGuard connection are true? (Choose two.)
AThe weight increases as the number of failed packets rises.
BFortiGate is using the default port for FortiGuard communication.
CFortiGate identified the FortiGuard Server using DNS lookup.
DYou can configure unreliable protocols to communicate with FortiGuard Server.
Which two statements are correct when the FortiGate device enters conserve mode? (Choose two.)
AFortiGate refuses to accept configuration changes.
BFortiGate continues to run critical security actions, such as quarantine.
CFortiGate halts complete system operation and requires a reboot to regain available resources.
DFortiGate continues to transmit packets without IPS inspection when the fail -open global setting in IPS is enabled.
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
AOn BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0
BOn BR1-FGT, set Seconds to 43200.
COn HQ-NGFW, set Encryption to AES256.
DOn HQ-NGFW, enable Diffie-Hellman Group 2.
Refer to the exhibit.
Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP?
AThe Feature Set for the profile is Flow-based but it must be Proxy-based.
BFortiGate, with less than 2 GB RAM, does not support the Antivirus scan feature.
CAntivirus scan is disabled under System-> Feature visibility.
DNone of the inspected protocols are active in this profile.
Refer to the exhibit.
An administrator has configured an Application Overrides for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that is scanning all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com web site several times.
Why are there no logs generated under security logs for ABC.Com?
AThe ABC.Com is hitting the category Excessive-Bandwidth.
BThe ABC.Com is configured under application profile, which must be configured as a web filter profile.
CThe ABC.Com Type is set as Application instead of Filter.
DThe ABC.Com Action is set to Allow.
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port2) interface has the IP address 100.65.0.101/24. The LAN (port4) interface has the IP address 10.0.11.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on HQ-PC-1 (10.0.11.50) pings the IP address of BR-FGT (100.65.1.111)
A100.65.0.99
B100.65.0.101
C100.65.0.149
D100.65.0.49
Refer to the exhibits.
A web filter profile configuration and firewall policy configuration are shown. You are trying to access www.facebook.com , but you are redirected to a FortiGuard web filtering block page.
Based on the exhibits, what is the possible cause of the issue?
AThe web rating override configuration is incorrect.
BThe firewall policy inspection mode is incorrect.
CFor www.facebook.com, the URL filter action is incorrect.
DThe web filter profile feature set is configured incorrectly.
Refer to the exhibit, which shows a routing table.
An administrator wants to create a new static route so the traffic to the subnet 172.20.1.0/24 is routed through port2 only.
What are the two criteria that the administrator can use to achieve this objective? (Choose two.)
AThe new static route must have the priority set to 3.
BThe existing static route through port 3 must have the distance set to 11.
CThe new static route must have the distance set to 9.
DThe new static route must have the metric set to1.
Refer to the exhibit.
The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?
AIncrease the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
BEnsure that all NOC_Access users are assigned the super_admin role to guarantee access.
CMove NOC_Access to the top of the list to ensure all profile settings take effect.
DIncrease the admintimeout value under config system accprofile NOC_Access.
FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.
Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)
ABoth interfaces must have directly connected routes on the routing table.
BBoth interfaces must have IP addresses assigned.
CBoth interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
DBoth interfaces must have the interface role assigned.
Refer to the exhibit.
Based on the routing table shown in the exhibit, which two statements are true? (Choose two.)
AA packet with the source IP address 10.0.13.10 arriving on port2 is allowed if strict RPF is disabled.
BA packet with the source IP address 10.100.110.10 arriving on port3 is allowed if strict RPF is disabled.
CA packet with the source IP address 10.10.10.10 arriving on port2 is allowed if strict RPF is enabled.
DA packet with the source IP address 10.100.110.10 arriving on port2 is allowed if strict RPF is enabled.
Refer to the exhibit.
Based on this configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)
AFortiGate drops new sessions requiring inspection.
BAdministrators must restart FortiGate to allow new sessions.
CFortiGate skips quarantine actions.
DAdministrators cannot change the configuration.
The FortiGate device HQ-NGFW-1 with the IP address 10.0.13.254 sends logs to the FortiAnalyzer device with the IP address 10.0.13.125. The administrator wants to verify that reliable logging is enabled on HQ-NGFW-1.
Which exhibit helps with the verification?
A
B
C
D
Which three statements about SD-WAN performance SLAs are true? (Choose three.)
AThey can be measured actively or passively.
BThey are applied in a SD-WAN rule lowest cost strategy.
CThey monitor the state of the FortiGate device.
DAll the SLA targets can be configured.
EThey rely on session loss and jitter.
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
Which DPD mode on FortiGate meets this requirement?
AOn Demand
BEnabled
COn Idle
DDisabled
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
AThe matching firewall policy is set to proxy inspection mode.
BThe option invalid SSL certificates is set to allow on the SSL/SSH inspection profile.
CThe certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
DThe browser does not trust the certificate used by FortiGate for SSL inspection.
A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View. The policies appear in a different order in each view.
Why is the policy order different in these two views?
AInterface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
BBy Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.
CThe firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.
DPolicies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator’s manual ordering.
Refer to the exhibits.
You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
Which two factors can you observe from these configurations? (Choose two.)
AYouTube search is allowed based on the Google Application and Filter override settings.
BFacebook access is blocked based on the category filter settings.
CFacebook access is allowed but you cannot play Facebook videos based on Video/Audio category filter settings.
DYouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.
An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table.
Which two statements about this scenario are correct? (Choose two.)
AThe administrator must ensure phase 2 is successfully established.
BThe administrator must enable a dynamic routing protocol on the dialup interface.
CThe administrator must define the remote network correctly in the phase 2 selectors.
DThe administrator must use a policy route instead of a static route for add-route to work properly.
