7.0

Question 1

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

Answer 1

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

FortiGate directs the collector agent to use a remote LDAP server.

Question 2

FortiGuard categories can be overridden and defined in different categories. To create a web rating
override for example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

Answer 2

www.example.com

example.com

Question 3

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when
downloading an infected file for the first time?

Answer 3

The flow-based inspection is used, which resets the last packet to the user.

Question 4

Which three options are the remote log storage options you can configure on FortiGate? (Choose
three.)

Answer 4

FortiSIEM

FortiAnalyzer

FortiCloud

Question 5

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

Answer 5

The NetSession Enum function is used to track user logouts.

Question 6

Refer to the exhibit.
An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

Answer 6

Interface name

IP header

Packet payload

Question 7

Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of
diagnose sys virtual-wan-link health-check.
Which interface will be selected as an outgoing interface?

Answer 7

port1

Question 8

An administrator does not want to report the logon events of service accounts to FortiGate. What
setting on the collector agent is required to achieve this?

Answer 8

Add user accounts to the Ignore User List.

Question 9

Refer to the exhibit

The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?

Answer 9

Change Administrator profile

Question 10

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true
about the policy list view?

Answer 10

Interface Pair view will be disabled

Question 11

Refer to the exhibit.

Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

Answer 11

port1 is a native VLAN

port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs

Question 12

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two
IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements?
(Choose two)

Answer 12

Enable Dead Peer Detection

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the
static route for the secondary tunnel

Question 13

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
Which two statements are true? (Choose two.)

Answer 13

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate SN FGVM010000064692 has the higher HA priority.

Question 14

Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default
configuration of high memory usage thresholds. Based on the system performance output, which
two statements are correct? (Choose two.)

Answer 14

FortiGate has entered conserve mode.

Administrators cannot change the configuration.

Question 15

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting
in both sites has been configured as Static IP Address. For site A, the local quick mode selector is
192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

Answer 15

192.168.2.0/24

Question 16

Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to
successfully connect to SSL VPN?

Answer 16

Change the SSL VPN port on the client.

Question 17

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

Answer 17

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Question 18

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are
configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the
internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to
ISP modem.
With this configuration, which statement is true?

Answer 18

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Question 19

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security
fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

Answer 19

Change the csf setting on Local-FortiGate (root) to sec configuration-sync local.

Question 20

Refer to the exhibit.
Which contains a session list output. Based on the information shown in the exhibit, which statement
is true?

Answer 20

One-to-one NAT IP pool is used in the firewall policy.

Question 21

Which two statements are correct about SLA targets? (Choose two.)

Answer 21

SLA targets are optional

SLA targets are used only when referenced by an SD-WAN rule.

Question 22

Refer to the exhibit.

Which contains a session diagnostic output. Which statement is true about the session diagnostic
output?

Answer 22

The session is in SYN_SENT state

Question 23

Which statement is correct regarding the inspection of some of the services available by web
applications embedded in third-party websites?

Answer 23

FortiGate can inspect sub-application traffic regardless where it was originated.

Question 24

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Answer 24

Intrusion prevention system engine

Question 25

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides
(client and server) have terminated the session?

Answer 25

To allow for out-of-order packets that could arrive after the FIN/ACK packets

Question 26

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 status is up. but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase
2 up?

Answer 26

On HQ-FortiGate, set Encryption to AES256.

Question 27

Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome
was a decrease in the CPU usage?

Answer 27

The IPS engine was inspecting high volume of traffic.

Question 28

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two)

Answer 28

A session for the denied traffic is created

The number of logs generated by denied traffic is reduced

Question 29

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address
conflict?

Answer 29

get system arp

Question 30

Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose
two.)

Answer 30

This security fabric topology is a logical topology view.

There are 19 security recommendations for the security fabric.

Question 31

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP
address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN
tunnel to work?

Answer 31

Dialup User

Question 32

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead
tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the
tunnel.

Which DPD mode on FortiGate will meet the above requirement?

Answer 32

On Idle

Question 33

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

Answer 33

FortiGate buffers the whole file but transmits to the client simultaneously.

Optimized performance compared to proxy-based inspection.

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

Question 34

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the
strict RPF check?

Answer 34

Strict RPF checks the best route back to the source using the incoming interface.

Question 35

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in
adding the FTP.Login.Failed signature to the IPS sensor profile?

Answer 35

Traffic matching the signature will be silently dropped and logged.

Question 36

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

Answer 36

The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.

The sensor will block all attacks aimed at Windows servers.

Question 37

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL
Inspection? (Choose two.)

Answer 37

The keyUsage extension must be set to keyCertSign.

The CA extension must be set to TRUE.

Question 38

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When
downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When
downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be
downloaded.

What is the reason for the failed virus detection by FortiGate?

Answer 38

SSL/SSH Inspection profile is incorrect

Question 39

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

Answer 39

SSH

HTTPS

Question 40

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

Answer 40

The port3 default route has the highest distance.

The port1 and port2 default routes are active in the routing table.

Question 41

Which statement about the policy ID number of a firewall policy is true?

Answer 41

It is required to modify a firewall policy using the CLI.

Question 42

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

Answer 42

Operating mode

NGFW mode

Question 43

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor
Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Answer 43

The SSL inspection needs to be a deep content inspection.

Question 44

When configuring a firewall virtual wire pair policy, which following statement is true?

Answer 44

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

Question 45

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard
servers.
Which CLI command will cause FortiGate to use an unreliable protocol to communicate with
FortiGuard servers for live web filtering?

Answer 45

set fortiguard-anycast disable

Question 46

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA
cluster? (Choose two.)

Answer 46

NTP

DNS

Question 47

An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the
timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

Answer 47

hard-timeout

Question 48

Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

Answer 48

The debug flow is of ICMP traffic.

A new traffic session is created.

Question 49

Which statement about video filtering on FortiGate is true?

Answer 49

It is available only on a proxy-based firewall policy.

Question 50

Which two inspection modes can you use to configure a firewall policy on a profile-based nextgeneration firewall (NGFW)? (Choose two.)

Answer 50

Proxy-based inspection

Flow-based inspection

Question 51

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate
management IP addresses?

Answer 51

Local traffic logs

Question 52

How does FortiGate act when using SSL VPN in web mode?

Answer 52

FortiGate acts as an HTTP reverse proxy.

Question 53

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

Answer 53

NGFW policy-based mode supports creating applications and web filtering categories directly in a
firewall policy

NGFW policy-based mode policies support only flow inspection

Question 54

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the
IP address 10.0.1.10?

Answer 54

10.200.1.1

Question 55

Which two statements about antivirus scanning mode are true? (Choose two.)

Answer 55

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to
the client

In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before
sending it to the client

Question 56

Which two statements are true about the FGCP protocol? (Choose two.)

Answer 56

Elects the primary FortiGate device

Runs only over the heartbeat links

Question 57

Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

Answer 57

Social networking web filter category is configured with the action set to authenticate.

Question 58

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

Answer 58

Administrator didn’t configure a gateway for the SD-WAN members, or configured gateway is not
valid.

The Enable probe packets setting is not enabled.

Question 59

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

Answer 59

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

FortiGate queries AD by using the LDAP to retrieve user group information.

Question 60

Refer to the exhibit.

Which contains a network diagram and routing table output.
The Student is unable to access Webserver.

What is the cause of the problem and what is the solution for the problem?

Answer 60

The first packet sent from Student failed the RPF check.

This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Question 61

Which two statements ate true about the Security Fabric rating? (Choose two.)

Answer 61

Many of the security issues can be fixed immediately by clicking Apply where available.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

Question 62

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Answer 62

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

The primary device in the cluster is always assigned IP address 169.254.0.1.

Question 63

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which
additional best practice can an administrator implement?

Answer 63

Configure host check.

Question 64

Which of statement is true about SSL VPN web mode?

Answer 64

It supports a limited number of protocols.

Question 65

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN
Performance SLA? (Choose two.)

Answer 65

udp-echo

TWAMP

Question 66

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy.
Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6
policy configuration? (Choose three.)

Answer 66

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both
IPv4 and IPv6

The IP version of the sources and destinations in a policy must match.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and
destinations

Question 67

An administrator is running the following sniffer command:

diagnose sniffer packet any “host 192.168.2.12” 5

Which three pieces of Information will be Included in me sniffer output? {Choose three.)

Answer 67

Interface name

Packet payload

IP header

Question 68

Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

Answer 68

Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny
policy.

Question 69

Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the
diagnose firewall auth list CLI command on FortiGate?

Answer 69

CLI diagnostics commands permission

Question 70

Which CLI command will display sessions both from client to the proxy and from the proxy to the
servers?

Answer 70

diagnose wad session list

Question 71

Refer to the exhibit.

Which contains a Performance SLA configuration.
An administrator has configured a performance SLA on FortiGate. Which failed to generate any
traffic. Why is FortiGate not generating any traffic for the performance SLA?

Answer 71

You need to turn on the Enable probe packets switch.

Question 72

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

Answer 72

Shut down/reboot a downstream FortiGate device.

Disable FortiAnalyzer logging for a downstream FortiGate device.

Question 73

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

Answer 73

Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

A phase 1 SA is bidirectional, while a phase 2 SA is directional.

Phase 2 SA expiration can be time-based, volume-based, or both.

Question 74

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

Answer 74

hard-timeout

new-session

Idle-timeout

Question 75

NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s
configuration does not change when you enable policy-based inspection?

Answer 75

Antivirus

Question 76

Which statements about the firmware upgrade process on an active-active HA cluster are true?
(Choose two.)

Answer 76

Uninterruptable upgrade is enabled by default.

Traffic load balancing is temporally disabled while upgrading the firmware.

Question 77

Which statement regarding the firewall policy authentication timeout is true?

Answer 77

It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets
coming from the user’s source IP.

Question 78

Which of the following statements correctly describes FortiGates route lookup behavior when
searching for a suitable gateway? (Choose two)

Answer 78

Lookup is done on the first packet from the session originator

Lookup is done on the trust reply packet from the responder

Question 79

A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces
added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP
addresses in different subnets

Answer 79

The two VLAN sub interfaces must have different VLAN IDs.

Question 80

Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the
Workstation to the Web server?

Answer 80

172.16.32.0/24 is directly connected, port1

Question 81

Which of the following statements about central NAT are true? (Choose two.)

Answer 81

IP tool references must be removed from existing firewall policies before enabling central NAT.

Central NAT can be enabled or disabled from the CLI only

Question 82

Which of the following conditions must be met in order for a web browser to trust a web server
certificate signed by a third-party CA?

Answer 82

The CA certificate that signed the web-server certificate must be installed on the browser.

Question 83

View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games).
Based on this configuration, which statement is true?

Answer 83

Addicting.Games is allowed based on the Application Overrides configuration.

Question 84

Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires
authorization?

Answer 84

It authenticates the traffic using the authentication scheme SCHEME1.

Question 85

Which statement about the IP authentication header (AH) used by IPsec is true?

Answer 85

AH provides data integrity but no encryption.

Question 86

The exhibits show a network diagram and the explicit web proxy configuration.

In the command diagnose sniffer packet, what filter can you use to capture the traffic between the
client and the explicit web proxy?

Answer 86

‘host 192.168.0.2 and port 8080’

Question 87

How do you format the FortiGate flash disk?

Answer 87

Select the format boot device option from the BIOS menu.

Question 88

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is
used?

Answer 88

The Services field removes the requirement to create multiple VIPs for different services.

Question 89

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose
three.)

Answer 89

Server information disclosure attacks

Credit card data leaks

SQL injection attacks

Question 90

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides
(client and server) have terminated the session?

Answer 90

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Question 91

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

Answer 91

Browsers can be configured to retrieve this PAC file from the FortiGate.

Any web request fortinet.com is allowed to bypass the proxy.

Question 92

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Answer 92

It requires the use of dynamic routing protocols so that spokes can learn the routes to other
spokes

Tunnels are negotiated dynamically between spokes.

Question 93

View the exhibit.

Which of the following statements are correct? (Choose two.)

Answer 93

The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used
only if the TunnelB VPN is down.

This is a redundant IPsec setup

Question 94

To complete the final step of a Security Fabric configuration, an administrator must authorize all the
devices on which device?

Answer 94

Root FortiGate

Question 95

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the
certificate issued to?

Answer 95

A root CA

Question 96

Examine this output from a debug flow:

Why did the FortiGate drop the packet?

Answer 96

It matched the default implicit firewall policy.

Question 97

Examine the following web filtering log.

Which statement about the log message is true?

Answer 97

The name of the applied web filter profile is default.

Question 98

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with
fixed port disabled? (Choose two.)

Answer 98

Source IP is translated to the outgoing interface IP.

Port address translation is not used.

Question 99

Refer to the exhibit.

According to the certificate values shown in the exhibit, which type of entity was the certificate
issued to?

Answer 99

A user

Question 100

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui
proxy-based inspection mode? (Choose two.)

Answer 100

Warning

Allow

Question 101

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

Answer 101

To detect intermediary NAT devices in the tunnel path.

To encapsulation ESP packets in UDP packets using port 4500.

Question 102

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which
statement about this IPsec VPN configuration is true?

Answer 102

A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

Question 103

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

Answer 103

It limits the scope of application control to scan application traffic based on application category
only

Question 104

An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in
both sites has been configured as Static IP Address. For site A, the local quick mode selector is
192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator
configure the local quick mode selector for site B?

Answer 104

192.168.2.0/24

Question 105

Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question
below

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

Answer 105

IMAP.Login.brute.Force

Question 106

Which of the following statements about backing up logs from the CLI and downloading logs from
the GUI are true? (Choose two.)

Answer 106

Log downloads from the GUI are limited to the current filter view

Log backups from the CLI cannot be restored to another FortiGate.

Question 107

View the exhibit:

Which the FortiGate handle web proxy traffic rue? (Choose two.)

Answer 107

Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

Question 108

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP request?

Answer 108

The internal IP address of the FortiGate device.

Question 109

An administrator observes that the port1 interface cannot be configured with an IP address. What
can be the reasons for that? (Choose three.)

Answer 109

The interface has been configured for one-arm sniffer.

The interface is a member of a virtual wire pair.

The operation mode is transparent

Question 110

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP
address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy
is configured with a VIP as the destination address.

Which IP address will be used to source NAT the Internet traffic coming from a workstation with the
IP address 10.0.1.10/24?

Answer 110

10.200.1.10

Question 111

Examine this FortiGate configuration:

config system global
set av-failopen pass
end

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions
that require inspection?

Answer 111

It is dropped.

Question 112

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

Answer 112

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Question 113

Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

Answer 113

FortiGate will use the port1 route as the primary candidate.

Question 114

Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor,
FortiGate is still not generating any IPS logs for the HTTPS traffic.

What is a possible reason for this?

Answer 114

The firewall policy is not using a full SSL inspection profile.

Question 115

Which of the following SD-WAN load –balancing method use interface weight value to distribute
traffic? (Choose two.)

Answer 115

Volume

Session

Question 116

Which certificate value can FortiGate use to determine the relationship between the issuer and the
certificate?

Answer 116

Subject Key Identifier value

Question 117

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Answer 117

By default, all interfaces are part of the same broadcast domain.

FortiGate forwards frames without changing the MAC address.

Question 118

What inspection mode does FortiGate use if it is configured as a policy-based next-generation
firewall (NGFW)?

Answer 118

Flow-based inspection

Question 119

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

Answer 119

For a stronger authentication, you can also enable extended authentication (XAuth) to request the
remote peer to provide a username and password

FortiGate supports pre-shared key and signature as authentication methods.

Question 120

Which scanning technique on FortiGate can be enabled only on the CLI?

Answer 120

Heuristics scan

Question 121

Which two policies must be configured to allow traffic on a policy-based next-generation firewall
(NGFW) FortiGate? (Choose two.)

Answer 121

Security policy

SSL inspection and authentication policy

Question 122

You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have
set up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

Answer 122

Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%

Question 123

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The
administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

Answer 123

Execute a debug flow.

Question 124

Refer to the exhibit to view the application control profile.

Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?

Answer 124

Apple FaceTime belongs to the custom blocked filter.

Question 125

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

Answer 125

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the
IPsec tunnel.

Question 126

Which three security features require the intrusion prevention system (IPS) engine to function?
(Choose three.)

Answer 126

Web filter in flow-based inspection

Antivirus in flow-based inspection

Application control

Question 127

The HTTP inspection process in web filtering follows a specific order when multiple features are
enabled in the web filter profile.
What order must FortiGate use when the web filter profile has features enabled, such as safe search?

Answer 127

Static URL filter, FortiGuard category filter, and advanced filters

Question 128

When a firewall policy is created, which attribute is added to the policy to support recording logs to a
FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with
these devices?

Answer 128

Universally Unique Identifier

Question 129

Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

Answer 129

The firewall policy does not apply deep content inspection.

Question 130

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

Answer 130

The session is a bidirectional UDP connection.

Question 131

Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication
scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy
policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24
with a form-based authentication scheme for the FortiGate local user database. Users will be
prompted for authentication.

How will FortiGate process the traffic when the HTTP request comes from a machine with the source
IP 10.0.1.10 to the destination http://www.fortinet.com? (Choose two.)

Answer 131

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be
allowed.

Question 132

What devices form the core of the security fabric?

Answer 132

Two FortiGate devices and one FortiAnalyzer device

Question 133

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic?
(Choose three.)

Answer 133

Source defined as Internet Services in the firewall policy.

Destination defined as Internet Services in the firewall policy

Services defined in the firewall policy.

Question 134

Which security feature does FortiGate provide to protect servers located in the internal networks
from attacks such as SQL injections?

Answer 134

Web application firewall

Question 135

Refer to the exhibit.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remoteuser2. Remote-user2 is still able to access Webserver.

Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Answer 135

Enable match vip in the Deny policy.

Set the Destination address as Web_server in the Deny policy.

Question 136

Which three pieces of information does FortiGate use to identify the hostname of the SSL server
when SSL certificate inspection is enabled? (Choose three.)

Answer 136

The subject field in the server certificate

The server name indication (SNI) extension in the client hello message

The subject alternative name (SAN) field in the server certificate

Question 137

Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

Answer 137

One server was contacted to retrieve the contract information.

FortiGate is using default FortiGuard communication settings.

Question 138

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web
filtering and application control directly on the security policy.

Which two other security profiles can you apply to the security policy? (Choose two.)

Answer 138

Antivirus scanning

Intrusion prevention

Question 139

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Answer 139

FortiGuard web filter queries

DNS

Question 140

An administrator must disable RPF check to investigate an issue.

Which method is best suited to disable RPF without affecting features like antivirus and intrusion
prevention system?

Answer 140

Disable the RPF check at the FortiGate interface level for the source check.

Question 141

Which two statements are true about collector agent standard access mode? (Choose two.)

Answer 141

Standard mode uses Windows convention-NetBios: Domain\Username.

Standard mode security profiles apply to user groups.

Question 142

Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

Answer 142

Traffic is blocked because Action is set to DENY in the firewall policy.

This is a security log.

Question 143

Which three methods are used by the collector agent for AD polling? (Choose three.)

Answer 143

NetAPI

WMI

WinSecLog

Question 144

If Internet Service is already selected as Source in a firewall policy, which other configuration objects
can be added to the Source filed of a firewall policy?

Answer 144

Once Internet Service is selected, no other object can be added

Question 145

Consider the topology:
Application on a Windows machine <–{SSL VPN} –>FGT–> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a
Linux server over the SSL VPN through FortiGate and the idle session times out after about 90
minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server.
This issue does not happen when the application establishes a Telnet connection to the Linux server
directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running
through FortiGate? (Choose two.)

Answer 145

Create a new service object for TELNET and set the maximum session TTL.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic,
and set the new TELNET service object in the policy.

Question 146

Which Security rating scorecard helps identify configuration weakness and best practice violations in
your network?

Answer 146

Security Posture

Question 147

What is the primary FortiGate election process when the HA override setting is disabled?

Answer 147

Connected monitored ports > HA uptime > Priority > FortiGate Serial number

Question 148

Which three statements are true regarding session-based authentication? (Choose three.)

Answer 148

HTTP sessions are treated as a single user.

It can differentiate among multiple clients behind the same source IP address.

It requires more resources

Question 149

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

What CLI command must the administrator use to view the route?

Answer 149

diagnose firewall proute list

Question 150

An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

Answer 150

Aggregate interface

Question 151

Refer to the exhibit.

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings
the IP address of Remote-FortiGate (10.200.3.1)?

Answer 151

10.200.1.99

Question 152

An administrator needs to configure VPN user access for multiple sites using the same soft
FortiToken. Each site has a FortiGate VPN gateway.

What must an administrator do to achieve this objective?

Answer 152

The administrator must use a FortiAuthenticator device.

Question 153

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 fails to come up. The administrator has also re-entered
the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration
changes will bring phase 1 up? (Choose two.)

Answer 153

On HQ-FortiGate, set IKE mode to Main (ID protection).

On Remote-FortiGate, set port2 as Interface.

Question 154

An organization’s employee needs to connect to the office through a high-latency internet
connection.

Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

Answer 154

Change the login timeout.

Question 155

Which two statements are true about the RPF check? (Choose two.)

Answer 155

The RPF check is run on the first sent packet of any new session.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Question 156

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When
visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP
websites, the browser does not report errors.

What is the reason for the certificate warning errors?

Answer 156

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

Question 157

Refer to the exhibit.

The exhibit contains a network interface configuration, firewall policies, and a CLI console
configuration.

How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

Answer 157

Authentication is enforced at a policy level; all users will be prompted for authentication.

Question 158

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode?
(Choose two.)

Answer 158

FG-traffic

Root

Question 159

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the
physical layer nor the link layer? (Choose three.)

Answer 159

execute ping

execute traceroute

diagnose sniffer packet any

Question 160

Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

Answer 160

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

Question 161

In which two ways can RPF checking be disabled? (Choose two )

Answer 161

Enable asymmetric routing.

Disable strict-arc-check under system settings.

Question 162

An administrator has a requirement to keep an application session from timing out on port 80. What
two changes can the administrator make to resolve the issue without affecting any existing services
running through FortiGate? (Choose two.)

Answer 162

Create a new service object for HTTP service and set the session TTL to never

Set the TTL value to never under config system-ttl

Question 163

Which feature in the Security Fabric takes one or more actions based on event triggers?

Answer 163

Automation Stitches

Question 164

A team manager has decided that, while some members of the team need access to a particular
website, the majority of the team does not.

Which configuration option is the most effective way to support this request?

Answer 164

Implement web filter authentication for the specified website.

Question 165

Exhibit:

Refer to the exhibit to view the authentication rule configuration.

In this scenario, which statement is true?

Answer 165

Session-based authentication is enabled.

Question 166

Which two statements are true about collector agent advanced mode? (Choose two.)

Answer 166

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate

Advanced mode supports nested or inherited groups

Question 167

Which two statements are correct about a software switch on FortiGate? (Choose two.)

Answer 167

It can be configured only when FortiGate is operating in NAT mode

All interfaces in the software switch share the same IP address

Question 168

Refer to the exhibit, which contains a radius server configuration.

An administrator added a configuration for a new RADIUS server. While configuring, the
administrator selected the Include in every user group option.

What will be the impact of using Include in every user group option in a RADIUS configuration?

Answer 168

This option places the RADIUS server, and all users who can authenticate against that server, into
every FortiGate user group

Question 169

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is
enabled on all FortiGate devices?

Answer 169

Root VDOM

Question 170

In an explicit proxy setup, where is the authentication method and database configured?

Answer 170

Authentication scheme

Question 171

If Internet Service is already selected as Destination in a firewall policy, which other configuration
objects can be selected to the Destination field of a firewall policy?

Answer 171

IP address

Question 172

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

Answer 172

It limits the scanning of application traffic to the browser-based technology category only.