Nse4 - FGT-6.0 V9.02
Exam : NSE4_FGT-6.0
Version : V9.02
The safer, easier way to help you pass any IT exams.
1.You are configuring the root FortiGate to implement the security fabric. You are configuring port10 to
communicate with a downstream FortiGate. View the default Edit Interface in the exhibit below:
When configuring the root FortiGate to communicate with a downstream FortiGate, which settings are
required to be configured? (Choose two.)
A. Device detection enabled.
B. Administrative Access: FortiTelemetry.
C. IP/Network Mask.
D. Role: Security Fabric.
Answer: BC
2.When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP request?
A. The remote user’s public IP address.
B. The public IP address of the FortiGate device.
C. The remote user’s virtual IP address.
D. The internal IP address of the FortiGate device.
Answer: D
4.Examine the exhibit, which shows the output of a web filtering real time debug.
6.Which of the following statements about backing up logs from the CLI and downloading logs from the
GUI are true? (Choose two.)
A. Log downloads from the GUI are limited to the current log filter view
B. Log backups from the CLI cannot be restored to another FortiGate.
C. Log backups from the CLI can be configured to upload to FTP at a scheduled time
D. Log downloads from the GUI are stored as LZ4 compressed files.
Answer: AB
7.Examine the network diagram shown in the exhibit, then answer the following question:
Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation
to the Web server?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
8.A team manager has decided that while some members of the team need access to a particular website,
the majority of the team does not.
Which configuration option is the most effective option to support this request?
A. Implement a web filter category override for the specified website.
B. Implement web filter authentication for the specified website
C. Implement web filter quotas for the specified website.
D. Implement DNS filter for the specified website.
Answer: B
How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires
authorization?
A. It always authorizes the traffic without requiring authentication.
B. It drops the traffic.
C. It authenticates the traffic using the authentication scheme SCHEME2.
D. It authenticates the traffic using the authentication scheme SCHEME1.
Answer: D
11.Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)
A. Include the group of guest users in a policy.
12.Which statements about antivirus scanning mode are true? (Choose two.)
A. In proxy-based inspection mode, antivirus buffers the whole file for scanning before sending it to the
client.
B. In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use protocol
option profiles.
C. In proxy-based inspection mode, if a virus is detected, a replacement message may not be displayed
immediately.
D. In quick scan mode, you can configure antivirus profiles to use any of the available signature
databases.
Answer: AB
13.In a high availability (HA) cluster operating in active-active mode, which of the following correctly
describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary
FortiGate?
A. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.
B. Client > secondary FortiGate> web server.
C. Client >secondary FortiGate> primary FortiGate> web server.
D. Client> primary FortiGate> secondary FortiGate> web server.
Answer: D
14.An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in
both sites has been configured as Static IP Address. For site A, the local quick mode selector is
192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.
How must the administrator configure the local quick mode selector for site B?
A. 192.168.3.0/24
B. 192.168.2.0/24
C. 192.168.1.0/24
D. 192.168.0.0/8
Answer: B
15.Which of the following are purposes of NAT traversal in IPsec? (Choose two.)
A. To detect intermediary NAT devices in the tunnel path.
B. To dynamically change the phase 1 negotiation mode to aggressive mode.
C. To encapsulate ESP packets in UDP packets using port 4500.
D. To force a new DH exchange with each phase 2 rekey.
Answer: AC
16.Which of the following statements correctly describe FortiGate’s route lookup behavior when
searching for a suitable gateway? (Choose two.)
17.Examine the two static routes shown in the exhibit, then answer the following question.
Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?
A. FortiGate will load balance all traffic across both routes.
B. FortiGate will use the port1 route as the primary candidate.
C. FortiGate will route twice as much traffic to the port2 route.
D. FortiGate will only activate the port1 route in the routing table.
Answer: B
18.Which of the following statements about central NAT are true? (Choose two.)
A. IP pool references must be removed from existing firewall policies before enabling central NAT.
B. Central NAT can be enabled or disabled from the CLI only.
C. Source NAT, using central NAT, requires at least one central SNAT policy.
D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall policy.
Answer: A, B
Why is FortiGate not blocking the test file over FTP download?
A. Deep-inspection must be enabled for FortiGate to fully scan FTP traffic.
B. FortiGate needs to be operating in flow-based inspection mode in order to scan FTP traffic.
C. The FortiSandbox signature database is required to successfully scan FTP traffic.
D. The proxy options profile needs to scan FTP traffic on a non-standard port.
Answer: D
20.View the following exhibit, which shows the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the
following exhibit.
Which of the following will be highlighted based on the input criteria?
A. Policy with ID 1.
B. Policies with ID 2 and 3.
C. Policy with ID 5.
D. Policy with ID 4
Answer: C
21.An administrator wants to create a policy-based IPsec VPN tunnel between two FortiGate devices.
Which configuration steps must be performed on both devices to support this scenario? (Choose three.)
A. Define the phase 1 parameters, without enabling IPsec interface mode.
B. Define the phase 2 parameters.
C. Set the phase 2 encapsulation method to transport mode.
D. Define at least one firewall policy, with the action set to IPsec.
E. Define a route to the remote network over the IPsec tunnel.
Answer: ABD
22.Which of the following statements about NTLM authentication are correct? (Choose two.)
A. It is useful when users log in to DCs that are not monitored by a collector agent.
B. It takes over as the primary authentication method when configured alongside FSSO.
C. Multi-domain environments require DC agents on every domain controller.
D. NTLM-enabled web browsers are required.
Answer: A,D
23.View the certificate shown to the exhibit, and then answer the following question:
24.Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides
(client and server) have terminated the session?
A. To remove the NAT operation.
B. To generate logs
C. To finish any inspection operations.
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.
Answer: D
25.A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces
added to the physical interface.
Which statement about the VLAN sub interfaces is true?
A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different
subnets.
B. The two VLAN sub interfaces must have different VLAN IDs.
C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same
subnet.
Answer: B
26.You are tasked to design a new IPsec deployment with the following criteria:
- There are two HQ sites that all satellite offices must connect to.
- The satellite offices do not need to communicate directly with other satellite offices.
- No dynamic routing will be used.
- The design should minimize the number of tunnels being configured.
Which topology should be used to satisfy all of the requirements?
A. Partial mesh
B. Hub-and-spoke
C. Fully meshed
D. Redundant
Answer: A
27.Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?
A. By default, FortiGate uses WINS servers to resolve names.
B. By default, the SSL VPN portal requires the installation of a client’s certificate.
C. By default, split tunneling is enabled.
D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.
Answer: C
28.Which of the following conditions must be met in order for a web browser to trust a web server
certificate signed by a third-party CA?
A. The web-server certificate must be installed on the browser.
B. The public key of the web server certificate must be installed on the browser.
C. The CA certificate that signed the web-server certificate must be installed on the browser.
D. The private key of the CA certificate that signed the browser certificate must be installed on the
browser.
Answer: C
30.An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)
A. The interface has been configured for one-arm sniffer.
B. The interface is a member of a virtual wire pair.
C. The operation mode is transparent.
D. The interface is a member of a zone.
E. Captive portal is enabled in the interface.
Answer: A,B,C
31.What information is flushed when the chunk-size value is changed in the config dlp settings?
A. The database for DLP document fingerprinting
B. The supported file types in the DLP filters
C. The archived files and messages
D. The file name patterns in the DLP filters
Answer: A
33.Examine the exhibit, which shows the partial output of an IKE real-time debug.
34.Examine the network diagram shown in the exhibit, and then answer the following question:
A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1
and port3 links are used at the same time for all traffic destined for 172.20.2.0/24.
Which of the following static routes will satisfy this requirement on FGT1? (Choose two.)
A. 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]
B. 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]
C. 172.20.2.0/24 (1/150) via 10.10.3.2, port3 [10/0]
D. 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]
Answer: CD
35.On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager? (Choose
two.)
A. hourly
B. real time
C. on-demand
D. store-and-upload
Answer: BD
Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that
require inspection?
A. It is allowed, but with no inspection
B. It is allowed and inspected as long as the inspection is flow based
C. It is dropped.
D. It is allowed and inspected, as long as the only inspection required is antivirus.
Answer: C
37.When using the WPAD DNS method, which FQDN format do browsers use to query the DNS server?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
38.Examine the IPS sensor configuration and forward traffic logs shown in the exhibit; then, answer the
question below.
An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine whether
the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not
generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?
A. The IPS filter is missing the Protocol: HTTPS option.
B. The HTTPS signatures have not been added to the sensor.
C. A DoS policy should be used, instead of an IPS sensor.
D. A DoS policy should be used, instead of an IPS sensor.
E. The firewall policy is not using a full SSL inspection profile.
Answer: E
39.What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose
three.)
A. Traffic to botnet servers
B. Traffic to inappropriate web sites
C. Server information disclosure attacks
D. Credit card data leaks
E. SQL injection attacks
Answer: CDE
42.Which statements about the firmware upgrade process on an active-active HA cluster are true?
(Choose two.)
A. The firmware image must be manually uploaded to each FortiGate.
B. Only secondary FortiGate devices are rebooted.
C. Uninterruptable upgrade is enabled by default.
D. Traffic load balancing is temporarily disabled while upgrading the firmware.
Answer: CD
43.Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2
proposals are defined in advance.
Answer: A,C
44.An administrator needs to create an SSL-VPN connection for accessing an internal server using the
bookmark Port Forward.
What step is required for this configuration?
A. Configure an SSL VPN realm for clients to use the port forward bookmark.
B. Configure the client application to forward IP traffic through FortiClient.
C. Configure the virtual IP address to be assigned to the SSL VPN users.
D. Configure the client application to forward IP traffic to a Java applet proxy.
Answer: D
46.Which statements are true regarding firewall policy NAT using the outgoing interface IP address with
fixed port disabled? (Choose two.)
A. This is known as many-to-one NAT.
B. Source IP is translated to the outgoing interface IP.
C. Connections are tracked using source port and source MAC address.
D. Port address translation is not used.
Answer: AB
47.If the Issuer and Subject values are the same in a digital certificate, which type of entity was the
certificate issued to?
A. A CRL
B. A person
C. A subordinate CA
D. A root CA
Answer: D
48.What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?
A. It limits the scope of application control to the browser-based technology category only.
B. It limits the scope of application control to scan application traffic based on application category only.
C. It limits the scope of application control to scan application traffic using parent signatures only
D. It limits the scope of application control to scan application traffic on DNS protocol only.
Answer: A
49.The FSSO Collector Agent set to advanced access mode for the Windows Active Directory uses which
of the following?
A. LDAP convention
B. NTLM convention
C. Windows convention - NetBios: Domain\Username
D. RSSO convention
Answer: A
51.Which of the following SD-WAN load-balancing methods use the interface weight value to distribute traffic?
(Choose two.)
A. Source IP
B. Spillover
C. Volume
D. Session
Answer: CD
54.Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP
address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is
configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP
address 10.0.1.10/24?
A. 10.200.1.10
B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
C. 10.200.1.1
D. 10.0.1.254
Answer: A
55.What FortiGate components are tested during the hardware test? (Choose three.)
A. Administrative access
B. HA heartbeat
C. CPU
D. Hard disk
E. Network interfaces
Answer: CDE
57.Which of the following are valid actions for a FortiGuard category based filter in a web filter profile in
proxy-based inspection mode? (Choose two.)
A. Warning
B. Exempt
C. Allow
D. Learn
Answer: AC
58.Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question
below.
When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?
A. SMTP.Login.Brute.Force
B. IMAP.Login.brute.Force
C. ip_src_session
D. Location: server Protocol: SMTP
Answer: C
Which security profile’s configuration does not change when you enable policy-based inspection?
A. Antivirus
B. Web proxy
C. Web filtering
D. Application control
Answer: A
60.Which of the following FortiGate configuration tasks will create a route in the policy route table?
(Choose two.)
A. Static route created with a Named Address object
B. Static route created with an Internet Services object
C. SD-WAN route created for individual member interfaces
D. SD-WAN rule created to route traffic based on link latency
Answer: BD
61.Which statement about the IP authentication header (AH) used by IPsec is true?
A. AH does not provide any data integrity or encryption.
B. AH does not support perfect forward secrecy.
C. AH provides data integrity but no encryption.
D. AH provides strong data integrity but weak encryption.
Answer: C
62.If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when
central NAT is used?
A. The Services field removes the requirement of creating multiple VIPs for different services.
B. The Services field is used when several VIPs need to be bundled into VIP groups.
C. The Services field does not allow source NAT and destination NAT to be combined in the same policy.
D. The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a
single computer.
Answer: A
What filter can be used in the command diagnose sniffer packet to capture the traffic between the client
and the explicit web proxy?
A. ‘host 10.0.0.50 and port 80’
B. ‘host 192.168.0.1 and port 80’
C. ‘host 192.168.0.2 and port 8080’
D. ‘host 10.0.50.1 and port 8080’
Answer: C or D
VDOM1 is operating in transparent mode. VDOM2 is operating in NAT/Route mode. There is an
inter-VDOM link between both VDOMs. A client workstation with the IP address 10.0.1.10/24 is connected
to port2. A web server with the IP address 10.200.1.2/24 is connected to port1.
What is required in the FortiGate configuration to route and allow connections from the client workstation
to the web server? (Choose two.)
A. A static or dynamic route in VDOM2 with the subnet 10.0.1.0/24 as the destination.
B. A static or dynamic route in VDOM1 with the subnet 10.200.1.0/24 as the destination.
C. One firewall policy in VDOM1 with port2 as the source interface and InterVDOM0 as the destination
interface.
D. One firewall policy in VDOM2 with InterVDOM1 as the source interface and port1 as the destination
interface.
Answer: CD
66.What criteria does FortiGate use to look for a matching firewall policy to process traffic? (Choose two.)
A. Services defined in the firewall policy.
B. Incoming and outgoing interfaces
C. Highest to lowest priority defined in the firewall policy.
D. Lowest to highest policy ID number.
Answer: AB
68.Which of the following static routes are not maintained in the routing table? (Choose two.)
A. Named Address routes
B. Dynamic routes
C. ISDB routes
D. Policy routes
Answer: CD
69.Which statements about virtual domains (VDOMs) are true? (Choose two.)
A. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.
B. Each VDOM can be configured with different system hostnames.
C. Different VLAN sub-interfaces of the same physical interface can be assigned to different VDOMs.
D. Each VDOM has its own routing table.
Answer: C, D
70.An administrator wants to configure a FortiGate as a DNS server. FortiGate must use its DNS database
first, and then relay all irresolvable queries to an external DNS server.
Which of the following DNS methods must you use?
A. Recursive
B. Non-recursive
C. Forward to primary and secondary DNS
D. Forward to system DNS
Answer: A
71.What files are sent to FortiSandbox for inspection in flow-based inspection mode?
A. All suspicious files that do not have their hash value in the FortiGuard antivirus signature database.
B. All suspicious files that are above the defined oversize limit value in the protocol options.
C. All suspicious files that match patterns defined in the antivirus profile.
D. All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile.
Answer: D
73.A company needs to provide SSL VPN access to two user groups. The company also needs to display
different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?
A. Different SSL VPN realms for each group.
B. Two separate SSL VPNs in different interfaces mapping the same ssl.root.
C. Two firewall policies with different captive portals.
D. Different virtual SSL VPN IP addresses for each group.
Answer: A
74.An administrator is investigating a report of users having intermittent issues with browsing the web.
The administrator ran diagnostics and received the output shown in the exhibit.
76.An administrator needs to strengthen the security for SSL VPN access.
Which of the following statements are best practices to do so? (Choose three.)
A. Configure split tunneling for content inspection.
B. Configure host restrictions by IP or MAC address.
C. Configure two-factor authentication using security certificates.
D. Configure SSL offloading to a content processor (FortiASIC).
E. Configure a client integrity check (host-check).
Answer: BCE
78.Which of the following route attributes must be equal for static routes to be eligible for equal cost
multipath (ECMP) routing? (Choose two.)
A. Priority
B. Metric
C. Distance
D. Cost
Answer: AC
81.An administrator wants to block HTTP uploads. Examine the exhibit, which contains the proxy address
created for that purpose.
83.When using SD-WAN, how do you configure the next-hop gateway address for a member interface so
that FortiGate can forward Internet traffic?
A. It must be configured in a static route using the sdwan virtual interface.
B. It must be provided in the SD-WAN member interface configuration.
C. It must be configured in a policy-route using the sdwan virtual interface.
D. It must be learned automatically through a dynamic routing protocol.
Answer: B
84.Which of the following services can be inspected by the DLP profile? (Choose three.)
A. NFS
B. FTP
C. IMAP
D. CIFS
E. HTTP-POST
Answer: BCE
85.Which of the following statements describe WMI polling mode for the FSSO collector agent? (Choose
two.)
A. The NetSessionEnum function is used to track user logoffs.
B. WMI polling can increase bandwidth usage in large networks.
C. The collector agent uses a Windows API to query DCs for user logins.
D. The collector agent does not need to search any security event logs.
Answer: CD
86.Which statements about DNS filter profiles are true? (Choose two.)
A. They can inspect HTTP traffic.
B. They can redirect blocked requests to a specific portal.
C. They can block DNS requests to known botnet command and control servers.
D. They must be applied in firewall policies with SSL inspection enabled.
Answer: BC
A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5
interface.
However, the DHCP client cannot get a dynamic IP address from the DHCP server.
What is the cause of the problem?
A. Both interfaces must belong to the same forward domain.
B. The role of the VLAN10 interface must be set to server.
C. Both interfaces must have the same VLAN ID.
D. Both interfaces must be in different VDOMs.
Answer: A
89.Which of the following statements about virtual domains (VDOMs) are true? (Choose two.)
A. The root VDOM is the management VDOM by default.
B. A FortiGate device has 64 VDOMs, created by default.
C. Each VDOM maintains its own system time.
D. Each VDOM maintains its own routing table.
Answer: AD
91.Which one of the following processes is involved in updating IPS from FortiGuard?
A. FortiGate IPS update requests are sent using UDP port 443.
B. Protocol decoder update requests are sent to service.fortiguard.net.
C. IPS signature update requests are sent to update.fortiguard.net.
92.How does FortiGate select the central SNAT policy that is applied to a TCP session?
A. It selects the SNAT policy specified in the configuration of the outgoing interface.
B. It selects the first matching central SNAT policy, reviewing from top to bottom.
C. It selects the central SNAT policy with the lowest priority.
D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.
Answer: B
93.Which of the following conditions are required for establishing an IPSec VPN between two FortiGate
devices? (Choose two.)
A. If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer.
B. If the VPN is configured as route-based, there must be at least one firewall policy with the action set to
IPSec.
C. If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address
or Dynamic DNS in the other peer.
D. If the VPN is configured as a policy-based in one peer, it must also be configured as policy-based in
the other peer.
Answer: AC
94.Which of the following statements about conserve mode are true? (Choose two.)
A. FortiGate stops sending files to FortiSandbox for inspection.
B. FortiGate stops doing RPF checks over incoming packets.
C. Administrators cannot change the configuration.
D. Administrators can access the FortiGate only through the console port.
Answer: AC
96.Examine the network diagram and the existing FGT1 routing table shown in the exhibit, and then
answer the following question:
Since the change, the new static route is not showing up in the routing table. Given the information
provided, which of the following describes the cause of this problem?
A. The new route’s destination subnet overlaps an existing route.
B. The new route’s Distance value should be higher than 10.
C. The Gateway IP address is not in the same subnet as port1.
D. The Priority is 0, which means that this route will remain inactive.
Answer: C
97.Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)
A. Firewall service
B. User or user group
C. IP Pool
D. FQDN address
Answer: BD
Which users and user groups are allowed access to the network through captive portal?
A. Users and groups defined in the firewall policy.
B. Only individual users – not groups – defined in the captive portal configuration
C. Groups defined in the captive portal configuration
D. All users
Answer: A
100.During the digital verification process, comparing the original and fresh hash results satisfies which
security requirement?
A. Authentication.
B. Data integrity.
C. Non-repudiation.
D. Signature verification.
Answer: D
101.An administrator wants to throttle the total volume of SMTP sessions to their email server.
Which of the following DoS sensors can be used to achieve this?
A. tcp_port_scan
B. ip_dst_session
C. udp_flood
D. ip_src_session
Answer: B
102.Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple dialup
tunnels?
A. In aggressive mode, the remote peers are able to provide their peer IDs in the first message.
B. FortiGate is able to handle NATed connections only in aggressive mode.
C. FortiClient only supports aggressive mode.
D. Main mode does not support XAuth for user authentication.
Answer: A
The client cannot connect to the HTTP web server. The administrator ran the FortiGate built-in sniffer and
got the following output:
104.Which of the following statements about policy-based IPsec tunnels are true? (Choose two.)
A. They can be configured in both NAT/Route and transparent operation modes.
B. They support L2TP-over-IPsec.
C. They require two firewall policies: one for each direction of traffic flow.
D. They support GRE-over-IPsec.
Answer: AB
105.An employee connects to the https://example.com on the Internet using a web browser. The web
server’s certificate was signed by a private internal CA. The FortiGate that is inspecting this traffic is
configured for full SSL inspection.
This exhibit shows the configuration settings for the SSL/SSH inspection profile that is applied to the
policy that is invoked in this instance. All other settings are set to defaults. No certificates have been
imported into FortiGate. View the exhibit and answer the question that follows.
106.Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
What are the expected actions if traffic matches this IPS sensor? (Choose two.)
A. The sensor will gather a packet log for all matched traffic.
B. The sensor will not block attackers matching the A32S.Botnet signature.
C. The sensor will block all attacks for Windows servers.
D. The sensor will reset all connections that match these signatures.
Answer: AC
108.Which statements about HA for FortiGate devices are true? (Choose two.)
A. Sessions handled by proxy-based security profiles cannot be synchronized.
B. Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs.
C. HA management interface settings are synchronized between cluster members.
D. Heartbeat interfaces are not required on the primary device.
Answer: AB
109.An administrator is configuring an antivirus profile on FortiGate and notices that Proxy Options is not
listed under Security Profiles on the GUI.
What can cause this issue?
A. FortiGate needs to be switched to NGFW mode.
B. Proxy options section is hidden by default and needs to be enabled from the Feature Visibility menu.
110.An administrator has configured a route-based IPsec VPN between two FortiGate devices.
Which statement about this IPsec VPN configuration is true?
A. A phase 2 configuration is not required.
B. This VPN cannot be used as part of a hub-and-spoke topology.
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
D. The IPsec firewall policies must be placed at the top of the list.
Answer: C
111.What settings must you configure to ensure FortiGate generates logs for web filter activity on a
firewall policy called Full Access? (Choose two.)
A. Enable Event Logging.
B. Enable a web filter security profile on the Full Access firewall policy.
C. Enable Log Allowed Traffic on the Full Access firewall policy.
D. Enable disk logging.
Answer: BC
112.An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is
configured with a web filter and an SSL inspection profile configured for deep inspection.
Which of the following are possible actions to eliminate the certificate error generated by deep inspection? (Choose two.)
A. Implement firewall authentication for all users that need access to fortinet.com.
B. Manually install the FortiGate deep inspection certificate as a trusted CA.
C. Configure fortinet.com access to bypass the IPS engine.
D. Configure an SSL-inspection exemption for fortinet.com.
Answer: AD
113.How does FortiGate verify the login credentials of a remote LDAP user?
A. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm
stored on the LDAP server.
B. FortiGate sends the user-entered credentials to the LDAP server for authentication.
C. FortiGate queries the LDAP server for credentials.
D. FortiGate queries its own database for credentials.
Answer: B
114.Which action can be applied to each filter in the application control profile?
A. Block, monitor, warning, and quarantine
B. Allow, monitor, block and learn
C. Allow, block, authenticate, and warning
D. Allow, monitor, block, and quarantine
Answer: D
Based on the configuration shown in the exhibit, what statements about application control behavior are
true? (Choose two.)
A. Access to all unknown applications will be allowed.
B. Access to browser-based Social.Media applications will be blocked.
C. Access to mobile social media applications will be blocked.
D. Access to all applications in Social.Media category will be blocked.
Answer: AB
116.HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection.
What solutions could resolve this problem? (Choose two.)
A. Enable Allow Invalid SSL Certificates for the relevant security profile.
B. Change web browsers to one that does not support HPKP.
C. Exempt those web sites that use HPKP from full SSL inspection.
D. Install the CA certificate (that is required to verify the web server certificate) into the certificate stores of users’ computers.
Answer: BC
118.Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)
A. If the DHCP method fails, browsers will try the DNS method.
B. The browser needs to be preconfigured with the DHCP server’s IP address.
C. The browser sends a DHCPINFORM request to the DHCP server.
D. The DHCP server provides the PAC file for download.
Answer: AC
119.Examine the routing database shown in the exhibit, and then answer the following question:
120.If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate
take?
A. It notifies the administrator by sending an email.
B. It provides a DLP block replacement page with a link to download the file.
C. It blocks all future traffic for that IP address for a configured interval.
D. It archives the data for that IP address.
Answer: C
A. IP header
B. Ethernet header
C. Packet payload
D. Application header
E. Interface name
Answer: ABC
122.Which of the following statements about the FSSO collector agent timers is true?
A. The workstation verify interval is used to periodically check if a workstation is still a domain member.
B. The IP address change verify interval monitors the server IP address where the collector agent is
installed, and updates the collector agent configuration if it changes.
C. The user group cache expiry is used to age out the monitored groups.
D. The dead entry timeout interval is used to age out entries with an unverified status.
Answer: D
124.Which of the following features is supported by web filter in flow-based inspection mode with NGFW
mode set to profile-based?
A. FortiGuard Quotas
B. Static URL
C. Search engines
D. Rating option
Answer: B
125.By default, when logging to disk, when does FortiGate delete logs?
A. 30 days
B. 1 year
C. Never
D. 7 days
Answer: D
Which of the following statements about the session diagnostic output is true?
A. The session is in ESTABLISHED state.
B. The session is in LISTEN state.
C. The session is in TIME_WAIT state.
D. The session is in CLOSE_WAIT state.
Answer: A
127.When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?
A. Connected monitored ports > HA uptime > priority > serial number
B. Priority > Connected monitored ports > HA uptime > serial number
C. Connected monitored ports > priority > HA uptime > serial number
D. HA uptime > priority > Connected monitored ports > serial number
Answer: C