SHM counter: 285
SHM allocated: 6823936
SHM total: 623452160
concervemode: 0
shm last entered: n/a
system last entered: n/a
SHM FS total: 639725568
SHM FS free: 632614912
SHM FS avail: 632614912
SHM FS alloc: 7110656
Which of the following statements are true regarding the above outputs? (Choose two.)
AThe unit is running a 32-bit FortiOS
BThe unit is in kernel conserve mode
CThe Cached value is always the Active value plus the Inactive value
DKernel indirectly accesses the low memory (LowTotal) through memory paging
Examine the following partial output from a sniffer command; then answer the question below.
diagnose sniff packet any icmp 4
interfaces=[any]
filters=[icmp]
2.101199 wan2 in 192.168.1.110 -> 4.2.2.2: icmp: echo request
2.1011400 wan1 out 172.17.87.16 -> 4.2.2.2: icmp: echo request
.....
2.123500 wan2 out 4.2.2.2 -> 192.168.1.110: icmp: echo reply
244 packets received by filter
5 packets dropped by kernel
What is the meaning of the packets dropped counter at the end of the sniffer?
ANumber of packets that didn’t match the sniffer filter.
BNumber of total packets dropped by the FortiGate.
CNumber of packets that matched the sniffer filter and were dropped by the FortiGate.
DNumber of packets that matched the sniffer filter but could not be captured by the sniffer.
Which the following events can trigger the election of a new primary unit in a HA cluster? (Choose two.)
.
B. The FortiGuard license for the primary unit is updated.
C. One of the monitored interfaces in the primary unit is disconnected.
D. A secondary unit is removed from the HA cluster.
A FortiGate's port1 is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)
ABoth session have the local flag on.
BThe destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
COne session has the proxy flag on, the other one does not.
DOne of the sessions has the IP address of port2 as the source IP address.
Question 8
Security profiles
0
Question 9
Security profiles
Question 10
Security profiles
Question 11
Security profiles
Question 12
Routing
Question 13
System configuration
Question 14
System configuration
Question 15
Routing
Question 16
Security profiles
Question 17
Routing
Question 18
Routing
Question 19
Routing
Question 20
Security profiles
Question 21
VPN
Question 22
System configuration
Question 23
Security profiles
Question 24
VPN
Question 25
VPN
Question 26
Security profiles
Question 27
System configuration
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ad
Want a break from the ads?
Become a Supporter and enjoy a completely ad-free experience, plus unlock Learn Mode, Exam Mode, AstroTutor AI, and more.
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Examine the output from the 'diagnose debug authd fsso list' command; then answer the question below.
diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: INTERNAL2. TRAINING. LAB
The IP address 192.168.3.1 is NOT the one used by the workstation INTERNAL2. TRAINING. LAB.
What should the administrator check?
AThe IP address recorded in the logon event for the user STUDENT.
BThe DNS name resolution for the workstation name INTERNAL2. TRAINING. LAB.
CThe source IP address of the traffic arriving to the FortiGate from the workstation INTERNAL2. TRAINING. LAB.
DThe reserve DNS lookup for the IP address 192.168.3.1.
Examine the partial output from two web filter debug commands; then answer the question below:
Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?
AFinance and banking
BGeneral organization.
CBusiness.
DInformation technology.
Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?
ADiagnose debug application radius -1.
BDiagnose debug application fnbamd -1.
CDiagnose authd console ""log enable.
DDiagnose radius console ""log enable.
Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)
ASIP session helper runs in the kernel; SIP ALG runs as a user space process.
BSIP ALG supports SIP HA failover; SIP helper does not.
CSIP ALG supports SIP over IPv6; SIP helper does not.
DSIP ALG can create expected sessions for media traffic; SIP helper does not.
ESIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.
Examine the following partial outputs from two routing debug commands; then answer the question below:
Why the default route using port2 is not displayed in the output of the second command?
AIt has a lower priority than the default route using port1.
BIt has a higher priority than the default route using port1.
CIt has a higher distance than the default route using port1.
DIt is disabled in the FortiGate configuration.
View the exhibit, which contains the output of diagnose sys session stat, and then answer the question below.
Which statements are correct regarding the output shown? (Choose two.)
AThere are 0 ephemeral sessions.
BAll the sessions in the session table are TCP sessions.
CNo sessions have been deleted because of memory pages exhaustion.
DThere are 166 TCP sessions waiting to complete the three-way handshake.
Which of the following statements are correct regarding application layer test commands? (Choose two.)
AThey are used to filter real-time debugs.
BThey display real-time application debugs.
CSome of them display statistics and configuration information about a feature or process.
DSome of them can be used to restart an application.
View these partial outputs from two routing debug commands:
Which outbound interface will FortiGate use to route web traffic from internal users to the Internet?
ABoth port1 and port2
Bport3
Cport1
Dport2
When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI)?
AFortiGate uses the Issued To: field in the server's certificate.
BFortiGate switches to the full SSL inspection method to decrypt the data.
CFortiGate blocks the request without any further inspection.
DFortiGate uses the requested URL from the user's web browser.
View the exhibit, which contains the output of a diagnose command, and then answer the question below.
Which statements are true regarding the output in the exhibit? (Choose two.)
AFortiGate will probe 121.111.236.179 every fifteen minutes for a response.
BServers with the D flag are considered to be down.
CServers with a negative TZ value are experiencing a service outage.
DFortiGate used 209.222.147.3 as the initial server to validate its contract.
Which of the following conditions must be met for a static route to be active in the routing table? (Choose three.)
AThe next-hop IP address is up.
BThere is no other route, to the same destination, with a higher distance.
CThe link health monitor (if configured) is up.
DThe next-hop IP address belongs to one of the outgoing interface subnets.
EThe outgoing interface is up.
What conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
AIP addresses are in the same subnet.
BHello and dead intervals match.
COSPF IP MTUs match.
DOSPF peer IDs match.
EOSPF costs match.
In which of the following states is a given session categorized as ephemeral? (Choose two.)
AA TCP session waiting to complete the three-way handshake.
BA TCP session waiting for FIN ACK.
CA UDP session with packets sent and received.
DA UDP session with only one packet received.
View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below.
The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?
AChange phase 1 encryption to AESCBC and authentication to SHA128.
BChange phase 1 encryption to 3DES and authentication to CBC.
CChange phase 1 encryption to AES128 and authentication to SHA512.
DChange phase 1 encryption to 3DES and authentication to SHA256.
What configuration changes can reduce the memory utilization in a FortiGate? (Choose two.)
AReduce the session time to live.
BIncrease the TCP session timers.
CIncrease the FortiGuard cache time to live.
DReduce the maximum file size to inspect.
The CLI command set intelligent-mode <enable | disable> controls the IPS engine's adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?
ADetermines the optimal number of IPS engines required based on system load.
BDownloads signatures on demand from FDS based on scanning requirements.
CDetermines when it is secure enough to stop scanning session traffic.
DChoose a matching algorithm based on available memory and the type of inspection being performed.
View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.
The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:
However, the IKE real time debug does not show any output. Why?
AThe debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.
BThe log-filter setting was set incorrectly. The VPN's traffic does not match this filter.
CThe debug shows only error messages. If there is no output, then the tunnel is operating normally.
DThe debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.
View the exhibit, which contains a session entry, and then answer the question below.
Which statement is correct regarding this session?
AIt is an ICMP session from 10.1.10.10 to 10.200.1.1.
BIt is an ICMP session from 10.1.10.10 to 10.200.5.1.
CIt is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
DIt is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.
A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the
Windows AD network. The output of the "˜diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)
AThe user student must not be listed in the CA's ignore user list.
BThe user student must belong to one or more of the monitored user groups.
CThe student workstation's IP subnet must be listed in the CA's trusted list.
DAt least one of the student's user groups must be allowed by a FortiGate firewall policy.
Examine the following traffic log; then answer the question below. date-20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri critical vd=root service=kernel status=failure msg="NAT port is exhausted."
What does the log mean?
AThere is not enough available memory in the system to create a new entry in the NAT port table.
BThe limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.
CFortiGate does not have any available NAT port for a new connection.
DThe limit for the maximum number of entries in the NAT port table has been reached.
