FCP FORTICLIENT EMS EXAM 1 Flashcards
What is included in the FortiClient EMS installation package?
A. Microsoft SQL
B. Oracle SQL
C. Mysql
D. Postgresql
Correct answer: A
The FortiClient EMS installation package uses Microsoft SQL as the database system.
MS SQL stands for Microsoft SQL Server, Microsoft's database management system. Like many other database management systems, MS SQL is a relational database that uses SQL as its query language; the dialect it uses is called T-SQL.
Which of the following overrides site categories action in FortiClient web-filter?
A. Web exclusion list
B. FortiSandbox custom URL categories
C. URL list
D. Block malicious website on AV
The FortiClient web-filter overrides site categories action using the following option:
A. Web exclusion list
The web exclusion list allows you to specify certain websites or URLs that should be exempted from the filtering actions based on site categories. This means that even if a website falls into a category that would typically be blocked or restricted, if it is listed in the web exclusion list, it will be allowed.
The other options (B, C, and D) do not directly override site categories action in FortiClient web-filter but serve other purposes in web filtering or security.
An administrator installs the EMS server. What are the minimum system requirements recommended for FortiClient EMS? (Choose two.)
A. Microsoft Windows Server 2003
B. 8 GB RAM
C. 4 GB RAM
D. Microsoft Windows Server 2008 R2
The recommended minimum system requirements for FortiClient EMS (Endpoint Management Server) can vary depending on the specific version and your deployment needs, but as of my last knowledge update in September 2021, the following are typically recommended:
B. 8 GB RAM - FortiClient EMS can be resource-intensive, and having at least 8 GB of RAM is recommended to ensure smooth performance, especially in larger deployments.
D. Microsoft Windows Server 2008 R2 - FortiClient EMS is often installed on Windows Server operating systems. Microsoft Windows Server 2008 R2 is a commonly supported version for running EMS, but you should check the specific system requirements for the version of EMS you are using as they may vary.
Please note that software requirements and recommendations can change over time with software updates and new versions, so it’s always a good practice to refer to the official Fortinet documentation or release notes for the most up-to-date system requirements for the version of FortiClient EMS you intend to install.
| Debug | Deployment Service profile assignment changed. Flushing the existing queue
| Info | Console Builtin/admin assigned Gateway List: Corporate Fortigate to All Groups
___________________________________________________________________
Which two statements about the FortiClient EMS console logs are true? (Choose two.)
A. The FortiClient EMS administrator assigned the endpoint profile to All Groups.
B. The FortiClient EMS administrator assigned the gateway list to All Groups.
C. The FortiClient EMS administrator created an endpoint profile.
D. The FortiClient EMS administrator deployed a new FortiClient installation to All Groups.
| Info | Console Builtin/admin create Profile: Fortinet-Exam from UI
| Debug | Update Service checkForMissingOrCorruptAssignableInstallers: 0 installer(s) need update
B. The FortiClient EMS administrator assigned the gateway list to All Groups.
C. The FortiClient EMS administrator created an endpoint profile.
What is the function of the custom scan option on FortiClient?
A. It allows users to select a specific file folder to scan for threats.
B. It scans executable files, DLLs, and drivers that are currently running, for threats.
C. It performs a manual scan on all removable drives.
D. It performs a full system scan including all files, executable files, DLLs, and drivers, for threats.
The custom scan option in FortiClient allows users to:
A. It allows users to select a specific file folder to scan for threats.
With the custom scan option, users can specify a particular folder or directory on their system to scan for threats, rather than scanning the entire system or specific types of files like executable files, DLLs, or drivers. This provides flexibility for users to focus on specific areas or files they want to scan for potential threats.
Which FortiClient feature is required, along with antivirus real-time protection, to block access to malicious websites?
A. Web filtering
B. Application firewall
C. Antiexploit
D. Sandbox integration
To block access to malicious websites along with antivirus real-time protection, you would typically need:
A. Web filtering
Web filtering is the FortiClient feature that allows you to block access to websites based on predefined categories and can include the ability to block malicious websites. It complements antivirus real-time protection by preventing users from accessing potentially harmful websites, even if the antivirus engine might not have detected a specific threat yet.
Which component or device signs the client certificate with the UID and serial number?
A. FortiClient EMS
B. FortiAnalyzer
C. FortiClient
D. FortiGate
Correct answer: A
FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution that enables scalable and centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective administration of endpoints running FortiClient.
Which FortiGate CLI command shows all the ZTNA IP and MAC addresses learned from FortiClient EMS?
A. diagnose endpoint wad-comm find-by ip-vdom
B. diagnose firewall dynamic list
C. diagnose endpoint record list
D. diagnose wad dev query-by uid
The FortiGate CLI command that shows the ZTNA IP and MAC addresses learned from FortiClient EMS is:
B. diagnose firewall dynamic list
This is the command to use on FortiGate to verify which ZTNA IP and MAC addresses have been learned from EMS.
What is the maximum number of files that a FortiClient antivirus is allowed to submit to FortiGuard for analysis in a day?
A. No limit
B. Five
C. Two
D. Four
Correct answer: B
You can send up to five files a day to FortiGuard for analysis.
Reference:
https://docs.fortinet.com/document/forticlient/6.0.5/administration-guide/38387/submitting-files-to-fortiguard-for-analysis
Which ZTNA component is responsible for enabling the access proxy?
A. ZTNA tags
B. ZTNA rules
C. ZTNA server
D. ZTNA firewall policy
The component responsible for enabling the access proxy in Zero Trust Network Access (ZTNA) is typically:
C. ZTNA server
The ZTNA server plays a central role in facilitating secure access to resources. It manages user and device authentication and authorization, as well as the enforcement of policies that control access to specific resources. This may include routing traffic through an access proxy to provide secure access to applications and services while ensuring compliance with ZTNA rules and policies.
While ZTNA rules and policies are important in configuring and defining access control, it’s the ZTNA server that often manages the access proxy functionality.
Which component or device shares device status information through ZTNA telemetry?
A. FortiClient
B. FortiGate
C. FortiGate Access Proxy
D. FortiClient EMS
Correct answer: A
FortiClient communicates directly with FortiClient EMS to continuously share device status information through ZTNA telemetry.
The component or device that typically shares device status information through ZTNA (Zero Trust Network Access) telemetry is:
A. FortiClient
FortiClient is the endpoint security software used on client devices, and it can provide device status information and telemetry data to the ZTNA system. This information is then used by the ZTNA server, often running on a FortiGate device, to make access control decisions and enforce security policies based on the status of the connected client devices.
Which statement about FortiClient comprehensive endpoint protection is true?
A. It helps to safeguard systems from email spam.
B. It helps to safeguard systems from advanced security threats, such as malware.
C. It helps to safeguard systems from data loss.
D. It helps to safeguard systems from DDoS.
FortiClient has enhanced capabilities for the detection of malware. The protection includes antivirus protection, anti-ransomware, cloud-based malware protection, anti-exploit and removable media access.
B. It helps to safeguard systems from advanced security threats, such as malware.
FortiClient comprehensive endpoint protection is designed to protect endpoints (computers, smartphones, tablets, etc.) from a wide range of security threats, including malware, ransomware, and other advanced security threats. While it provides protection against various types of threats, it may not necessarily address other issues such as email spam, data loss, or Distributed Denial of Service (DDoS) attacks, which typically require different security solutions or measures.
Which two third-party tools can an administrator use to deploy FortiClient? (Choose two.)
A. Microsoft Active Directory GPO
B. Microsoft SCCM
C. QR code generator
D. Microsoft Windows Installer
The administrator can use the following two third-party tools to deploy FortiClient:
A. Microsoft Active Directory GPO (Group Policy Object)
B. Microsoft SCCM (System Center Configuration Manager)
These tools are commonly used for software deployment and management in Windows environments and can be used to deploy FortiClient to endpoints efficiently.
Reference:
https://docs.fortinet.com/document/forticlient/7.2.0/ems-administration-guide/374506/initially-deploying-forticlient-software-to-endpoints
In a FortiSandbox integration, what does the remediation option do?
A. Deny access to a file when it sees no results
B. Wait for FortiSandbox results before allowing files
C. Alert and notify only
D. Exclude specified files
Under the ‘Remediation Options’ section there are only two options (Quarantine infected files, Alert & Notify only).
If the remediation option in your FortiSandbox integration is configured to:
C. Alert and notify only
then, instead of blocking or delaying files, the system only generates alerts and notifications when FortiSandbox detects potentially malicious files. This option provides information about potential threats but does not take immediate remediation actions such as blocking access to the files.
An administrator is required to maintain a software vulnerability scan on the endpoints, without showing the feature on the FortiClient dashboard.
What must the administrator do to achieve this requirement?
A. Click the hide icon on the vulnerability scan tab
B. Use the default endpoint profile
C. Disable select the vulnerability scan feature in the deployment package
D. Select the vulnerability scan feature in the deployment package, but disable the feature on the endpoint profile
Correct answer: A
To hide a feature, click the hide (eye) icon at the top of the profile.
In EMS: Endpoint Profiles > Manage Profiles > Profile > Vulnerability Scan > click the eye icon.
If you want to maintain a software vulnerability scan on the endpoints without showing the feature on the FortiClient dashboard, you should indeed:
A. Click the hide icon on the vulnerability scan tab
By clicking the hide icon on the vulnerability scan tab, you hide the feature on the FortiClient dashboard while still maintaining its functionality.
You can use the eye icon to show or hide features in the end user’s view on FortiClient. When you select hide, the feature still runs in the background, but the endpoint user cannot see it. This is very useful when you are inspecting traffic without the user’s knowledge.
An administrator deploys a FortiClient installation through the Microsoft AD group policy. After the installation is complete, all the custom configuration is missing.
What could have caused this problem?
A. The FortiClient MST file is missing from the distribution package.
B. The FortiClient package is not assigned to the group.
C. The FortiClient .exe file is included in the distribution package.
D. FortiClient does not have permission to access the distribution package.
The most likely cause of the problem where custom configurations are missing after deploying FortiClient through the Microsoft AD group policy is:
A. The FortiClient MST file is missing from the distribution package.
The MST (Microsoft Transform) file is used to customize the installation and configuration of FortiClient. If it’s missing or not correctly configured in the distribution package, the custom settings may not be applied during installation. Ensure that the MST file is correctly included and configured in the package to address this issue.
Reference:
A transform file (.mst) is a file that passes customized configuration settings to the MSI installer package.
(Both files must be available: MSI and MST.)
An administrator installs FortiClient on Windows Server.
What is the default behavior of real-time protection control?
A. Real-time protection must update AV signature database.
B. Real-time protection is disabled.
C. Real-time protection sends malicious files to FortiSandbox when the file is not detected locally.
D. Real-time protection must update the signature database from FortiSandbox.
The default behavior of real-time protection control in FortiClient when it’s installed on a Windows Server is typically:
B. Real-time protection is disabled.
By default, real-time protection is often turned off when FortiClient is installed on a server. This is because servers are usually managed differently than endpoint devices like workstations or laptops, and real-time scanning can sometimes conflict with server processes or performance requirements. Administrators can choose to enable real-time protection if needed, but it’s often disabled by default to avoid potential compatibility issues.
Refer to the exhibit, which shows the output of the ZTNA traffic log on FortiGate.
What can you conclude from the log message?
A. The remote user connection does not match the explicit proxy policy.
B. The remote user connection does not match the ZTNA server configuration.
C. The remote user connection does not match the ZTNA firewall policy.
D. The remote user connection does not match the ZTNA rule configuration.
Action: Deny: policy violation
Security Action: Blocked
Policy ID: ZTNA-WAN(4)
Policy UID: 23f88b34-4e0b-51ec-0e83-dab1019c2d5c
Policy Type: Firewall
Correct answer: C
Empty Client Certificate = “Denied: empty client certificate”
Failed Client Certificate = “Denied: client certificate authentication failed”
API gateway that does not match any virtual host = “Denied: failed to match an API-gateway”
API gateway but the real server cannot be reached = “Denied: failed to match an API-gateway”
A ZTNA rule (proxy policy) cannot be matched = “Denied: failed to match a proxy-policy”
HTTPS SNI virtual host does not match the HTTP host header = “Denied: failed to match an API-gateway”
=======================
Wrong Access Proxy
Right Access Proxy, down/missing Real Server
Right Access Proxy, wrong URI
======================
ZTNA Server = defines the access proxy VIP and the real servers that clients will connect to
ZTNA Rule (Proxy Policy) = enforce access control
Firewall Policy (Full ZTNA) = The firewall policy matches and redirects client requests to the access proxy VIP.
API gateway cannot be matched:
When connecting to the ZTNA access proxy, the client tries to connect to an API gateway that does not match any virtual host.
This means there is no firewall policy for the server that the client wants to access.
What action does FortiClient anti-exploit detection take when it detects exploits?
A. Deletes the compromised application process
B. Blocks memory allocation to the compromised application process
C. Terminates the compromised application process
D. Patches the compromised application process
The anti-exploit detection protects vulnerable endpoints from unknown exploit attacks. FortiClient monitors the behavior of popular applications, such as web browsers (Internet Explorer, Chrome, Firefox, Opera), Java/Flash plug-ins, Microsoft Office applications, and PDF readers, to detect exploits that use zero-day or unpatched vulnerabilities to infect the endpoint. Once detected, FortiClient terminates the compromised application process.
When FortiClient anti-exploit detection detects exploits, it typically takes the following action:
C. Terminates the compromised application process
FortiClient’s anti-exploit feature is designed to detect and prevent the exploitation of vulnerabilities in software applications. When it identifies an exploit attempt, it often terminates the compromised application process to prevent further exploitation and protect the system from potential harm. This action helps to mitigate the impact of the exploit on the endpoint.
Refer to the exhibit.
URL: *.facebook.com
Action: Allow
Type: Wildcard
[OK] [CANCEL]
Based on the settings shown in the exhibit, which action will FortiClient take when users try to access www.facebook.com?
A. FortiClient will prompt a warning message to warn the user before they can access the Facebook website.
B. FortiClient will block access to Facebook and its subdomains.
C. FortiClient will monitor only the user’s web access to the Facebook website.
D. FortiClient will allow access to Facebook.
Correct answer: D
Based on the information provided, option D (FortiClient will allow access to Facebook) is the most likely outcome.
Explanation:
Web Filter Exclusion: The exhibit clearly shows a web filter exclusion for “facebook.com” with the “Wildcard” type. This allows access to Facebook and all its subdomains.
Action for Exclusion: The action for this exclusion is explicitly set to “Allow.” This takes precedence over any potential warnings or restrictions.
While it’s possible that FortiClient might have additional configurations for displaying warnings, the web filter exclusion with the “Allow” action is the most prominent factor influencing access to Facebook.
Which component or device shares ZTNA tag information through Security Fabric integration?
A. FortiClient
B. FortiClient EMS
C. FortiGate
D. FortiGate Access Proxy
Correct answer: B
Based on the Study_Guide from training.fortinet.com, FortiClient EMS shares the tag information with FortiGate through Security Fabric integration.
FortiClient communicates directly with FortiClient EMS to continuously share device status information via ZTNA telemetry.
Which two VPN types can a FortiClient endpoint user initiate from the Windows command prompt? (Choose two.)
A. PPTP
B. L2TP
C. SSL VPN
D. IPSec
Correct answer: CD
FortiClient supports initiating the following VPN types from the Windows command prompt:
C. SSL VPN
D. IPSec
FortiClient allows users to establish SSL VPN and IPSec VPN connections from the command prompt using specific commands and parameters. PPTP and L2TP are not typically initiated from the command prompt using FortiClient.
Refer to the exhibit.
FortiClient Error dialog:
Fail to process the file
[OK]
An administrator has restored the modified XML configuration file to FortiClient and sees the error shown in the exhibit.
Based on the XML settings, what must the administrator do to resolve the issue with the XML configuration file?
A. The administrator must use a password to decrypt the file.
B. The administrator must resolve the XML syntax error.
C. The administrator must save the file as FortiClient-config.conf.
D. The administrator must change the file format.
Correct answer: B
Since the administrator is seeing an XML syntax error in the XML configuration file, the correct action to resolve the issue is:
B. The administrator must resolve the XML syntax error.
XML files must adhere to a strict syntax, and any errors in the structure of the XML file can cause issues when it’s being processed. The administrator should carefully review the XML configuration file, identify and correct any syntax errors, and ensure that the XML file conforms to the expected structure for FortiClient configuration. Once the XML syntax error is resolved, the configuration file should work as intended.
Refer to the exhibit.
- Settings
[X] Scan files as they are downloaded or copied to my system
[ ] Dynamic threat detection using threat intelligence data
[ ] Block malicious websites
[ ] Block known attack communication channels
- Scheduled Scan
- Exclusions
Add/remove files or folders to exclude from scanning (Add) (Remove)
C:\Desktop\Resources\
Based on the settings shown in the exhibit, which statement about FortiClient behaviour is true?
A. FortiClient blocks and deletes infected files after scanning them.
B. FortiClient copies infected files to the Resources folder without scanning them.
C. FortiClient quarantines infected files and reviews later, after scanning them.
D. FortiClient scans infected files when the user copies files to the Resources folder.
Correct answer: C
FortiClient does not delete the file; it quarantines the file for inspection, and after X days the quarantined file is deleted.
The Resources folder is excluded from the full scan, so B and D are false. If the full scan detects an infected file, it moves the file to quarantine, so A is false too.
B is also false because it is not FortiClient that copies the file; the OS does it.
Warn the User If a Process Attempts to Access Infected Files
Quarantine Infected Files. You can use FortiClient to view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
Deny Access to Infected Files
Ignore Infected Files
Refer to the exhibit.
(x) Error Deployment Service Failed to install Forticlient on fortilab.net\WIN-EHVKBEA3571. Error Code= 30 (Failed to connect to the remote task service)
Based on the logs shown in the exhibit, why did FortiClient EMS fail to install FortiClient on the endpoint?
A. The FortiClient antivirus service is not running.
B. The Windows installer service is not running.
C. The task scheduler service is not running.
D. The remote registry service is not running.
Correct answer: D
The deployment service error message may be caused by any of the following. Try eliminating them all, one at a time.
- Wrong username or password in the EMS profile.
- Endpoint is unreachable over the network.
- Task Scheduler service is not running.
- Remote Registry service is not running.
- Windows firewall is blocking connection.
Reference:
https://community.fortinet.com/t5/FortiClient/Technical-Note-FortiClient-fails-to-install-from-FortiClient-EMS/ta-p/193680
Refer to the exhibit.
Based on the FortiClient logs shown in the exhibit, which software application is blocked by the application firewall?
A. Twitter (X)
B. Facebook
C. Firefox
D. Internet Explorer
Correct answer: A
These are application firewall logs, so an application signature matched. In this case the application is Twitter (via HTTP): threat=Twitter.
If it were Firefox, the exported log would show threat=HTTP.BROWSER_Firefox.
Twitter was blocked; see line 5 in the exhibit.
When site categories are disabled in FortiClient webfilter and antivirus (malicious websites), which feature can be used to protect the endpoint from malicious web access?
A. Web exclusion list
B. FortiSandbox URL list
C. Real-time protection list
D. Block malicious websites on antivirus
Correct answer: A
You can enable or disable Site Categories in the Web Filter settings page. When site categories are disabled, the exclusion list protects FortiClient.
The question is about web filter AND antivirus. See p. 201: “Enable webfiltering on forticlient … affects the block access to malicious websites setting in antivirus protection”. It seems the web filter takes priority.
You can configure an exclusion list to block a specific website in the Web Filter when you have disabled Site Categories.
Refer to the exhibits, which show a network topology diagram of ZTNA proxy access and the ZTNA rule configuration.
An administrator runs the diagnose endpoint record list CLI command on FortiGate to check Remote-Client endpoint information, however Remote-Client is not showing up in the endpoint record list.
What is the cause of this issue?
A. Remote-Client failed the client certificate authentication.
B. Remote-Client provided an empty client certificate to connect to the ZTNA access proxy.
C. Remote-Client has not initiated a connection to the ZTNA access proxy.
D. Remote-Client provided an invalid certificate to connect to the ZTNA access proxy.
A. Remote-Client failed the client certificate authentication.
“You can use CLI Command […] to verify the presence of matching endpoint record […] If any of the Information is missing or incomplete, client certificate authentication might fail because FortiClient cannot locate corresponding endpoint entry.” There is probably a typo there and it should read: “because FortiGate cannot locate corresponding endpoint entry.”
-> See the Admin Guide for “endpoint record list” and the CLI command in that context.
Reference:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/25915/establish-device-identity-and-trust-context-with-forticlient-ems
Refer to the exhibit, which shows the endpoint summary information on FortiClient EMS.
Location : off-fabric
Policy: Default
What two conclusions can you make based on the Remote-Client status shown above? (Choose two.)
A. The endpoint is classified as at risk.
B. The endpoint has been assigned the Default endpoint policy.
C. The endpoint is configured to support FortiSandbox.
D. The endpoint is currently off-net.
Correct answer: BD
B. The endpoint has been assigned the Default endpoint policy.
D. The endpoint is currently off-net.
It doesn’t say that the client is offline, only off-net (off-fabric).
In the study guide, ‘off-net’ is used in the same sense as ‘off-fabric’ or ‘remote client’.
Refer to the exhibit, which shows the Zero Trust Tagging Rule Set configuration.
Rules | Default Logic | +Add Rule
Type               | Value
- Windows (2)
Antivirus Software | [1] AV Software is installed and running
OS Version         | [2] Windows Server 2012 R2
                   | [3] Windows 10
Rule logic: (1 and 3) or 2
Which two statements about the rule set are true? (Choose two.)
A. The endpoint must satisfy that only Windows 10 is running.
B. The endpoint must satisfy that only AV software is installed and running.
C. The endpoint must satisfy that antivirus is installed and running and Windows 10 is running.
D. The endpoint must satisfy that only Windows Server 2012 R2 is running.
Correct answer: CD
C. “The endpoint must satisfy that antivirus is installed and running and Windows 10 is running”.
D. “The endpoint must satisfy that only Windows Server 2012 R2 is running”.
Because “(1 and 3)” corresponds to C and “or 2” corresponds to D.