Knowledge Check Questions Flashcards

1
Q

Which is a more accurate description of a modern firewall?

a. A device that inspects network traffic at an entry point to the internet and within a simple, easily defined network perimeter
b. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points

A

b. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points

2
Q

Which solution, specific to Fortinet, enhances performance and reduces latency for specific features and traffic?

a. Acceleration hardware, called SPUs
b. Increased RAM and CPU power

A

a. Acceleration hardware, called SPUs

3
Q

Which protocol does FortiGate use to download antivirus and IPS packages?

a. UDP
b. TCP

A

b. TCP

Larger packages to download = TCP

4
Q

How does FortiGate check content for spam or malicious websites?

a. Live queries to FortiGate over UDP or HTTPS
b. Local verification using a downloaded web filter database locally on the FortiGate

A

a. Live queries to FortiGate over UDP or HTTPS

5
Q

How do you restrict logins to FortiGate from only specific IP addresses?

a. Change FortiGate management interface IP address
b. Configure trusted host

A

b. Configure trusted host

6
Q

As a best security practice when configuring administrative access to the FortiGate, which protocol should you disable?

a. Telnet
b. SSH

A

a. Telnet

7
Q

When configuring FortiGate as a DHCP server, to restrict access by MAC address, what does the Assign IP option do?

a. Assigns a specific IP address to a MAC address
b. Dynamically assigns an IP to a MAC address

A

b. Dynamically assigns an IP to a MAC address

8
Q

When configuring FortiGate as a DNS server, which resolution method uses the FortiGate DNS database to try to resolve queries?

a. Non-recursive
b. Recursive

A

a. Non-recursive

9
Q

When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration was produced, what must you also provide?

a. The password to decrypt the file
b. The private decryption key to decrypt the file

A

a. The password to decrypt the file

10
Q

Which document should you consult to increase the chances of success before upgrading or downgrading firmware?

a. Cookbook
b. Release Notes

A

b. Release Notes

11
Q

What is the Fortinet Security Fabric?

a. A device that can manage all your firewalls
b. A Fortinet solution that enables communication and visibility among devices of your network

A

b. A Fortinet solution that enables communication and visibility among devices of your network

12
Q

Which combination of devices must participate in the Security Fabric?

a. A FortiAnalyzer and two or more FortiGate devices
b. A FortiMail and two or more FortiGate devices

A

a. A FortiAnalyzer and two or more FortiGate devices

13
Q

What are the two mandatory settings of the Security Fabric configuration?

a. Fabric name and Security Fabric role
b. Fabric name and FortiManager IP address

A

a. Fabric name and Security Fabric role

14
Q

From where do you authorize a device to participate in the Security Fabric?

a. From the downstream FortiGate
b. From the root FortiGate

A

b. From the root FortiGate

15
Q

Why should an administrator extend the Security Fabric to other devices?

a. To provide a single pane of glass for management and reporting purposes
b. To eliminate the need to purchase licenses for FortiGate devices in the Security Fabric

A

a. To provide a single pane of glass for management and reporting purposes

16
Q

What is the purpose of Security Fabric external connectors?

a. External connectors allow you to integrate multi-cloud support with the Security Fabric
b. External connectors allow you to connect the FortiGate command line interface (CLI)

A

a. External connectors allow you to integrate multi-cloud support with the Security Fabric

17
Q

Which one is a part of the Security Rating scorecard?

a. Firewall Policy
b. Optimization

A

b. Optimization

18
Q

From which view can an administrator deauthorize a device from the Security Fabric?

a. From the physical topology view
b. From the FortiView

A

a. From the physical topology view

19
Q

What criteria does FortiGate use to match traffic to a firewall policy?

a. Source and destination interfaces
b. Security profiles

A

a. Source and destination interfaces

20
Q

What must be selected in the Source field of a firewall policy?

a. At least one address object or ISDB
b. At least one source user and one source address object.

A

a. At least one address object or ISDB

21
Q

To configure a firewall policy, you must include a firewall policy name when configuring using the ….

a. CLI
b. GUI

A

b. GUI

22
Q

What is the purpose of applying security profiles to a firewall policy?

a. To allow access to specific subnets
b. To protect your network from threats, and control access to specific applications and URLs.

A

b. To protect your network from threats, and control access to specific applications and URLs.

23
Q

If you configure a firewall policy with the any interface, you can view the firewall policy list only in which view?

a. The By Sequence View
b. The Interface Pair View

A

a. The By Sequence View

24
Q

Which of the following naming formats is correct when configuring a name for a firewall address object?

a. Good_Training
b. Good(Training)

A

a. Good_Training

25
Q

What is the purpose of the policy lookup feature on the FortiGate?

a. To find a matching policy based on input criteria
b. To block traffic based on input criteria

A

a. To find a matching policy based on input criteria

26
Q

What is NAT used for?

a. Preserving IP addresses
b. Traffic shaping

A

a. Preserving IP addresses

27
Q

What statement about NAT66 is true?

a. It is NAT between two IPv6 networks
b. It is NAT between two IPv4 networks

A

a. It is NAT between two IPv6 networks

28
Q

What is the default IP pool type?

a. One-to-one
b. Overload

A

b. Overload

29
Q

Which of the following is the default VIP type?

a. static-nat
b. load-balance

A

a. static-nat

30
Q

Which statement is true?

a. Central NAT is not enabled by default
b. Both central NAT and firewall policy NAT can be enabled together

A

a. Central NAT is not enabled by default

31
Q

What happens if there is no matching central SNAT policy or no central SNAT policy configured?

a. The egress interface IP will be used
b. NAT will not be applied to the firewall session

A

b. NAT will not be applied to the firewall session

32
Q

Which method would you use for advanced application tracking and control?

a. session helper
b. Application Layer Gateway

A

b. Application Layer Gateway

33
Q

Which profile is an example of application layer gateway?

a. WAF Profile
b. VOIP Profile

A

b. VOIP Profile

34
Q

If session diagnostic output indicates that a TCP protocol state is in proto_state=01, which is true?

a. The session is established
b. The session is not established

A

a. The session is established

35
Q

An administrator wants to check the total number of TCP sessions for an IP pool named INTERNAL. Which CLI command should the administrator use?

a. diagnose firewall ippool-all stats INTERNAL
b. diagnose firewall ippool-all list INTERNAL

A

a. diagnose firewall ippool-all stats INTERNAL

36
Q

Which firewall authentication method does FortiGate support?

a. Local password authentication
b. Biometric authentication

A

a. Local password authentication

37
Q

Which type of token can generate OTPs to provide two-factor authentication to users in your network?

a. FortiToken Mobile
b. USB FortiToken

A

a. FortiToken Mobile

38
Q

When FortiGate uses a RADIUS server for remote authentication, which statement about RADIUS is true?

a. FortiGate must query the remote RADIUS server using the distinguished name (dn)
b. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.

A

b. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.

39
Q

Which is a valid reply from a RADIUS server to an ACCESS-REQUEST packet from FortiGate?

a. ACCESS-PENDING
b. ACCESS-REJECT

A

b. ACCESS-REJECT

40
Q

A remote LDAP user is trying to authenticate with a username and password. How does FortiGate verify the login credentials?

a. FortiGate queries its own database for user credentials
b. FortiGate sends the user-entered credential to the remote server for verification

A

b. FortiGate sends the user-entered credential to the remote server for verification

41
Q

Which statement about guest user groups is true?

a. Guest user group accounts are temporary
b. Guest user group account passwords are temporary

A

a. Guest user group accounts are temporary

42
Q

Guest accounts are most commonly used for which purposes?

a. To provide temporary visitor access to corporate network resources
b. To provide temporary visitor access to wireless networks

A

b. To provide temporary visitor access to wireless networks

43
Q

Firewall policies dictate whether a user or device can or cannot authenticate on a network. Which statement about firewall authentication is true?

a. Firewall policies can be configured to authenticate certificate users
b. The order of the firewall policies always determines whether a user’s credentials are determined actively or passively.

A

a. Firewall policies can be configured to authenticate certificate users

44
Q

Which statement about active authentication is true?

a. Active authentication is always used before passive authentication
b. The firewall policy must allow HTTP, HTTPS, FTP and/or Telnet protocols in order for the user to be prompted for credentials

A

b. The firewall policy must allow HTTP, HTTPS, FTP and/or Telnet protocols in order for the user to be prompted for credentials

45
Q

Which statement about captive portal is true?

a. Captive portal must be hosted on a FortiGate device
b. Captive portal can exempt specific devices from authenticating

A

b. Captive portal can exempt specific devices from authenticating

46
Q

Which statement best describes the authentication idle timeout feature on FortiGate?

a. The length of time FortiGate waits for the user to enter their authentication credentials
b. The length of time an authenticated user is allowed to remain authenticated without any packets being generated by the host device.

A

b. The length of time an authenticated user is allowed to remain authenticated without any packets being generated by the host device.

47
Q

Which command would you use to identify the IP addresses of all authenticated users?

a. diagnose firewall auth clear
b. diagnose firewall auth list

A

b. diagnose firewall auth list

48
Q

Which type of logs are application control, web filter, antivirus, and DLP?

a. Event
b. Security

A

b. Security

49
Q

The log ____ contains fields that are common to all log types, such as originating date and time, log identifier, log category and VDOM

a. header
b. body

A

a. header

50
Q

Which storage type is preferred for logging?

a. Remote logging
b. Hard drive

A

a. Remote logging

51
Q

Which protocol does FortiGate use to send encrypted logs to FortiAnalyzer?

a. OFTPS
b. SSL

A

a. OFTPS

52
Q

If you enable reliable logging, which transport protocol will FortiGate use?

a. UDP
b. TCP

A

b. TCP

53
Q

In your firewall policy, which setting must you enable to generate logs on traffic sent through that firewall policy?

a. Log Allowed Traffic
b. Event Logging

A

a. Log Allowed Traffic

54
Q

With email alerts, you can trigger alert emails based on _____ or log severity level.

a. event
b. threat weight

A

a. event

55
Q

What happens when logs roll?

a. It lowers the space requirements needed to contain those logs.
b. They are uploaded to a TFP server

A

a. It lowers the space requirements needed to contain those logs.

56
Q

When you download logs on the GUI, ___

a. all logs in the SQL database are downloaded
b. only your current view, including any filters set, is downloaded

A

b. only your current view, including any filters set, is downloaded

57
Q

Which attribute or extension identifies the owner of a certificate?

a. The subject name in the certificate
b. The unique serial number in the certificate

A

a. The subject name in the certificate

58
Q

How does FortiGate determine if a certificate has been revoked?

a. It checks the CRL that resides on the FortiGate
b. It retrieves the CRL from a directory server

A

a. It checks the CRL that resides on the FortiGate

59
Q

Which certificate extension and value is required in the FortiGate CA certificate in order to enable full SSL inspection?

a. CRL DP=ca_arl.arl
b. cA=True

A

b. cA=True

60
Q

Which configuration requires FortiGate to act as a CA for full SSL inspection?

a. Multiple clients connecting to multiple servers
b. Protecting the SSL server

A

a. Multiple clients connecting to multiple servers

61
Q

Which is the default inspection mode on a firewall policy?

a. Proxy based
b. Flow based

A

b. Flow based

62
Q

How does NGFW policy-based mode differ from profile-based mode?

a. Policy-based flow inspection supports web profile overrides.
b. Policy-based flow inspection defines URL filters directly in the firewall policy

A

b. Policy-based flow inspection defines URL filters directly in the firewall policy

63
Q

Which statement about proxy-based web filtering is true?

a. It requires more resources than flow-based
b. It transparently analyzes the TCP flow of the traffic

A

a. It requires more resources than flow-based

64
Q

Which is a valid action for FortiGuard web category filtering?

a. Allow
b. Deny

A

a. Allow

65
Q

Which is a valid action for static URL filtering?

a. Exempt
b. Warning

A

a. Exempt

66
Q

Which action can be used with the FortiGuard quota feature?

a. Monitor
b. Shape

A

a. Monitor

67
Q

Which statement about web profile overrides is true?

a. It is used to change the website category
b. Configured users can activate this setting through an override link on the FortiGuard block page.

A

b. Configured users can activate this setting through an override link on the FortiGuard block page.

68
Q

Which is required to configure YouTube video filtering?

a. YouTube API key
b. Username

A

a. YouTube API key

69
Q

Which action can be used with the video FortiGuard categories?

a. Authenticate
b. Monitor

A

b. Monitor

70
Q

Which statement about blocking the known botnet command and control domains is true?

a. DNS lookups are checked against the botnet command and control database
b. The botnet command and control domains can be enabled on the web filter profile

A

a. DNS lookups are checked against the botnet command and control database

71
Q

Which security profile inspects only the fully qualified domain name?

a. Web Filter
b. DNS Filter

A

b. DNS Filter

72
Q

You have configured your security profiles, but they are not performing web or DNS inspection. Why?

a. The certificate is not installed correctly
b. The profile is not associated with the correct firewall policy

A

b. The profile is not associated with the correct firewall policy

73
Q

Which statement about application control is true?

a. Application control uses the IPS engine to scan traffic for application patterns
b. Application control is unable to scan P2P architecture traffic

A

a. Application control uses the IPS engine to scan traffic for application patterns

74
Q

Which statement about the application control database is true?

a. The application control database is separate from the IPS database
b. The application control database must be manually updated

A

a. The application control database is separate from the IPS database

75
Q

Which statement about application control in an NGFW policy-based configuration is true?

a. Applications are applied directly to the security policies
b. The application control profile must be applied to firewall policies

A

a. Applications are applied directly to the security policies

76
Q

Which statement about the HTTP block page for application control is true?

a. It can be used only for web applications
b. It works for all types of applications

A

a. It can be used only for web applications

77
Q

Where do you enable logging of application control events?

a. Application control logs are enabled in the firewall policy configuration
b. Application control logs are enabled on the FortiView Applications page on FortiGate

A

a. Application control logs are enabled in the firewall policy configuration

78
Q

Which piece of information is not included in the application event log when using NGFW policy-based mode?

a. Application control profile name
b. Application name

A

a. Application control profile name

79
Q

Which protocol does FortiGate use with FortiGuard to receive updates for application control?

a. UDP
b. TCP

A

b. TCP

80
Q

Which SSL/SSH inspection method is recommended for use with application control scanning to improve application detection?

a. Certificate-based inspection profile
b. Deep-inspection profile

A

b. Deep-inspection profile

81
Q

If antivirus, grayware, and AI scans are enabled, in what order are they performed?

a. AI scan, followed by grayware scan, followed by antivirus scan
b. Antivirus scan, followed by grayware scan, followed by AI scan

A

b. Antivirus scan, followed by grayware scan, followed by AI scan

82
Q

Which databases can be manually selected for use in antivirus scanning?

a. Extended and Extreme
b. Quick, Normal and Extreme

A

a. Extended and Extreme

83
Q

What three additional features of an antivirus profile are available in proxy-based inspection mode?

a. MAPI, SSH and CDR
b. Full and quick

A

a. MAPI, SSH and CDR

84
Q

What antivirus database is limited to specific FortiGate models?

a. Extended
b. Extreme

A

b. Extreme

85
Q

What is the default scanning behavior for files over 10MB?

a. Allow the file without scanning
b. Block all large files that exceed the buffer threshold

A

a. Allow the file without scanning

86
Q

Which type of inspection mode can be offloaded using NTurbo hardware acceleration?

a. Proxy-based
b. Flow-based

A

b. Flow-based

87
Q

What does the logging of oversized files option do?

a. Enables logging of all files that cannot be scanned because of oversize limit
b. Log all files that are over 5MB

A

a. Enables logging of all files that cannot be scanned because of oversize limit

88
Q

What command do you use to force FortiGate to check for new antivirus updates?

a. execute update antivirus
b. execute update-av

A

b. execute update-av

89
Q

Which IPS action allows traffic and logs the activity?

a. Allow
b. Monitor

A

b. Monitor

90
Q

Which IPS component is updated most frequently?

a. Protocol decoders
b. IPS signature database

A

b. IPS signature database

91
Q

Which behavior is a characteristic of a DoS attack?

a. Attempts to exploit a known application vulnerability
b. Attempts to overload a server with TCP SYN packets

A

b. Attempts to overload a server with TCP SYN packets

92
Q

Which DoS anomaly sensor can be used to detect and block the probing attempts of a port scanner?

a. tcp_syn_flood
b. tcp_port_scan

A

b. tcp_port_scan

93
Q

WAF protocol constraints protect against which type of attacks?

a. Buffer overflow
b. ICMP Sweep

A

a. Buffer overflow

94
Q

To use the WAF feature, which inspection mode should be used in the firewall policy?

a. Flow
b. Proxy

A

b. Proxy

95
Q

Which chipset uses NTurbo to accelerate IPS sessions?

a. CP9
b. SoC4

A

b. SoC4

96
Q

Which feature requires full SSL inspection to maximize its detection capability?

a. WAF
b. DoS

A

a. WAF

97
Q

Which FQDN does FortiGate use to obtain IPS updates?

a. update.fortiguard.net
b. service.fortiguard.com

A

a. update.fortiguard.net

98
Q

When IPS fail open is triggered, what is the expected behavior, if the IPS fail-open option is set to enabled?

a. New packets pass through without inspection
b. New packets are dropped

A

a. New packets pass through without inspection

99
Q

What does a VPN do?

a. Extends a private network across a public network
b. Protects a network from external attacks

A

a. Extends a private network across a public network

100
Q

Which statement about SSL VPNs is true?

a. An SSL VPN can be established between a workstation and a FortiGate device only.
b. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices

A

b. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices

101
Q

A web-mode SSL VPN user connects to a remote web server. What is the source IP address of the HTTP request the web server receives?

a. The remote user IP address
b. The FortiGate device internal IP address

A

b. The FortiGate device internal IP address

102
Q

Which statement about tunnel-mode SSL VPN is correct?

a. It supports split tunneling
b. It requires bookmarks

A

a. It supports split tunneling

103
Q

A web-mode SSL VPN user uses ____ to access internal network resources

a. bookmarks
b. FortiClient

A

a. bookmarks

104
Q

Which step is necessary to configure SSL VPN connections?

a. Create a firewall policy from the SSL VPN interface to the internal interface
b. Enable event logs for SSL VPN traffic: users, VPN and endpoints

A

a. Create a firewall policy from the SSL VPN interface to the internal interface

105
Q

Which action may allow internet access in tunnel mode, if the remote network does not allow internet access to SSL VPN users?

a. Enable split tunneling
b. Configure the DNS server to use the same DNS server as the client system DNS

A

a. Enable split tunneling

106
Q

What does the SSL VPN monitor feature allow you to do?

a. Monitor SSL VPN user actions, such as authentication
b. Force SSL VPN user disconnections

A

b. Force SSL VPN user disconnections

107
Q

Which statement about SSL VPN timers is correct?

a. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency
b. The login timeout is a non-customizable hard value

A

a. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency

108
Q

Which component issues and signs the client certificate?

a. FortiClient EMS
b. FortiClient

A

a. FortiClient EMS

109
Q

Which internet browser supports Fortinet ZTNA?

a. Firefox
b. Chrome

A

b. Chrome

110
Q

What does FortiClient EMS integration ensure?

a. Device identification
b. User identification

A

a. Device identification

111
Q

Which objects can you use to create static routes?

a. ISDB objects
b. Service objects

A

a. ISDB objects

112
Q

When the STOP POLICY ROUTING action is used in a policy route, which behavior is expected?

a. FortiGate skips over this policy route and tries to match another in the list
b. FortiGate routes the traffic based on the regular routing table

A

b. FortiGate routes the traffic based on the regular routing table

113
Q

The PRIORITY attribute applies to which type of routes?

a. Static
b. Dynamic

A

a. Static

114
Q

Which attribute does FortiGate use to determine the ‘best’ route for a packet, if it matches multiple dynamic routes that have the same DISTANCE?

a. Priority
b. Metric

A

b. Metric

115
Q

Which static route attribute does not appear on the GUI routing monitor?

a. Distance
b. Priority

A

b. Priority

116
Q

What is the default ECMP method on FortiGate?

a. Weighted
b. Source IP

A

b. Source IP

SSWU - Source IP (default), Source-Dest IP, Weighted, Usage (spillover)

117
Q

How does FortiGate load balance traffic when using the spillover method in ECMP routing?

a. Sessions are distributed based on interface threshold
b. Sessions are distributed based on route weight

A

a. Sessions are distributed based on interface threshold

SSWU - Source IP (default), Source-Dest IP, Weighted, Usage (spillover)

118
Q

What is the default RPF check method on FortiGate?

a. Loose
b. Strict

A

a. Loose

119
Q

Which route lookup scenario satisfies the RPF check for a packet?

a. Routing table has an active route for the destination IP of the packet
b. Route table has an active route for the source IP of the packet

A

b. Route table has an active route for the source IP of the packet

120
Q

What is the purpose of the link health monitor setting ‘update-static-route’?

a. It creates a new static route for the backup interface
b. It removes all static routes associated with the link health monitor’s interface

A

b. It removes all static routes associated with the link health monitor’s interface

121
Q

When using link health monitoring, which route attribute must you also configure to achieve route failover protection?

a. Distance
b. Metric

A

a. Distance

122
Q

What is the distance value for this route?

1. 200.2.0/24 [110/2] via 10.200.2.254, [25/0]

a. 110
b. 2

A

a. 110

123
Q

Which CLI commands can you use to view standby and inactive routes?

a. get router info routing-table all
b. get router info routing-table database

A

b. get router info routing-table database

124
Q

Which CLI packet capture verbosity level prints interface names?

a. 3
b. 4

A

b. 4

125
Q

What do SSL VPN realms facilitate?

A

SSL VPN realms allow access to different SSL VPN portals by user groups.

126
Q

Which FortiGate interface allows administrators to create user-specific bookmarks?

a. CLI
b. GUI

A

a. CLI

127
Q

Why is it necessary to run a client integrity check (host-check)?

a. To check whether specific security software is running on SSL VPN user computers
b. To check whether a specific security certificate is running on an SSL VPN user's web browser

A

a. To check whether specific security software is running on SSL VPN user computers

128
Q

Which security action restricts SSL VPN connections from users located in a specific country or region?

a. Restricting hosts by MAC address
b. Restricting hosts by IP address

A

b. Restricting hosts by IP address

129
Q

Which traffic is always generated from the management VDOM?

a. Link Health Monitor
b. FortiGuard

A

b. FortiGuard

130
Q

Which statement about the management VDOM is true?

a. It is root by default and cannot be changed in multi-vdom mode
b. It is root by default, but can be changed to any VDOM in multi-vdom mode.

A

b. It is root by default, but can be changed to any VDOM in multi-vdom mode.

131
Q

Which type of administrator can make changes to all VDOMs?

a. A custom VDOM administrator
b. An administrator with the super_admin profile

A

b. An administrator with the super_admin profile

132
Q

Which statement about VDOM administrators is true?

a. There can be only one administrator per VDOM
b. Each VDOM can have multiple administrators

A

b. Each VDOM can have multiple administrators

133
Q

Which configuration settings are global settings?

a. Firewall policies
b. FortiGuard settings

A

b. FortiGuard settings

134
Q

Which configuration settings are per-VDOM settings?

a. Host name
b. NGFW mode

A

b. NGFW mode

135
Q

What is a requirement for creating an inter-VDOM link between two VDOMs?

a. The NGFW mode of at least one VDOM must be profile based
b. At least one of the VDOMs must be operating in NAT mode

A

b. At least one of the VDOMs must be operating in NAT mode

136
Q

Which type of VDOM link requires that both sides of the link be assigned an IP address within the same subnet?

a. NAT-to-transparent
b. NAT-to-NAT

A

b. NAT-to-NAT

137
Q

Of these options, what is a possible reason why an administrator might not be able to gain access to a specific VDOM?

a. The administrator is using an IP address that is not specified as a trusted host
b. The administrator is using the super_admin profile

A

a. The administrator is using an IP address that is not specified as a trusted host

138
Q

Which troubleshooting tool is most suitable when trying to verify the firewall policy used by an inter-VDOM link?

a. Sniffer trace
b. Packet flow trace

A

b. Packet flow trace

139
Q

Which mode must the FortiGate VDOM be operating in, to route traffic between VLANs?

a. Transparent mode
b. NAT mode

A

b. NAT mode

140
Q

What is the default STP mode for FortiGate?

a. FortiGate passively forwards BPDUs
b. FortiGate has all STP functions disabled

A

b. FortiGate has all STP functions disabled

141
Q

Which statement about FortiGate operating in transparent mode is true?

a. It has a management IP address
b. Each interface has its own IP address

A

a. It has a management IP address

142
Q

How can an administrator configure FortiGate to have four interfaces in the same broadcast domain?

a. Create a firewall policy on each of the four interfaces
b. Configure the operation mode as transparent and use the same forward domain ID

A

b. Configure the operation mode as transparent and use the same forward domain ID

143
Q

Which configuration setting must be enabled to allow VLAN-tagged traffic through a virtual wire pair?

a. Transparent bridging
b. Wildcard VLAN

A

b. Wildcard VLAN

144
Q

How is traffic handled in a virtual wire pair?

a. Incoming traffic to one interface is always forwarded out through the other interface.
b. Traffic is forwarded based on the destination MAC address.

A

a. Incoming traffic to one interface is always forwarded out through the other interface.

145
Q

In which operating mode is the software switch function supported?

a. Transparent mode
b. NAT mode

A

b. NAT mode

146
Q

Which interface can be a member of a software switch?

a. VLAN interface
b. Wireless interface

A

b. Wireless interface

147
Q

In FSSO, FortiGate allows network access based on

a. Active authentication with username and password
b. Passive user identification by user ID, IP address and group membership

A

b. Passive user identification by user ID, IP address and group membership

148
Q

Which working mode is used for monitoring user sign-on activities in Windows AD?

a. Polling mode (collector agent-based or agentless)
b. eDirectory agent mode

A

a. Polling mode (collector agent-based or agentless)

149
Q

Which is the recommended mode for FSSO deployments?

a. DC agent mode
b. Polling mode: Agentless

A

a. DC agent mode

150
Q

Which FSSO mode requires more FortiGate system resources (CPU and RAM)?

a. Polling mode: Collector agent-based
b. Polling mode: Agentless

A

b. Polling mode: Agentless

151
Q

What may cause an NTLM authentication to occur?

a. Traffic coming from an IP on the FSSO user list
b. Traffic coming from an IP not on the FSSO user list

A

b. Traffic coming from an IP not on the FSSO user list

152
Q

When performing NTLM authentication, what information does the web browser supply to the FortiGate?

a. The user’s credentials (username and password)
b. The user’s user ID, IP address and group membership

A

a. The user’s credentials (username and password)

153
Q

If you have collector agents using either the DC agent mode or the collector agent-based polling mode, which fabric connector should you select on the FortiGate?

a. Poll Active Directory Server
b. Fortinet Single Sign-On Agent

A

b. Fortinet Single Sign-On Agent

154
Q

Which naming conventions does the FSSO collector agent use to access the Windows AD in Standard access mode?

a. Windows convention - NetBIOS: Domain\groups
b. LDAP convention: CN=User, OU=Name, DC=Domain

A

a. Windows convention - NetBIOS: Domain\groups

155
Q

Which logging level shows the login events on the collector agent?

a. Information
b. Warning

A

a. Information

156
Q

The command ‘diagnose debug fsso-polling details’ displays information for which mode of FSSO?

a. Agentless polling
b. Collector agent-based polling

A

a. Agentless polling

157
Q

To form a HA cluster, ‘all’ FortiGate devices that will be included in the cluster must have which of the following?

a. The same FortiGate hostname
b. The same firmware

A

b. The same firmware

158
Q

What are the default criteria (override disabled) for selecting the HA primary device in a HA cluster?

a. Connected monitored ports > HA uptime > priority > serial number
b. Priority > HA uptime > connected monitored ports > serial number

A

a. Connected monitored ports > HA uptime > priority > serial number

159
Q

Which information is synchronized between two FortiGate devices that belong to the same HA cluster?

a. Firewall policies and objects
b. FortiGate hostname

A

a. Firewall policies and objects

160
Q

Which one of the following session types can be synchronized in a HA cluster?

a. SSL VPN sessions
b. IPsec VPN sessions

A

b. IPsec VPN sessions

161
Q

An HA failover occurs when the link status of a monitored interface on the ___ goes down.

a. Primary FortiGate
b. Secondary FortiGate

A

a. Primary FortiGate

162
Q

You can configure virtual clustering between only ___ FortiGate devices with multiple VDOMs in an active-passive HA cluster.

a. Two
b. Four

A

a. Two

163
Q

The heartbeat interface IP address 169.254.0.1 is assigned to which FortiGate in a HA cluster?

a. The FortiGate with the highest serial number
b. The FortiGate with the highest priority

A

a. The FortiGate with the highest serial number

164
Q

Which statement about the firmware upgrade process on a HA cluster is true?

a. You need to upload the new firmware only to the primary FortiGate to upgrade a HA Cluster
b. The cluster members are not rebooted

A

a. You need to upload the new firmware only to the primary FortiGate to upgrade a HA Cluster

165
Q

Which CLI command can be used to diagnose a physical layer problem?

a. execute traceroute
b. get hardware nic

A

b. get hardware nic

166
Q

Which CLI command can be used to determine the MAC address of a FortiGate default gateway?

a. get system arp
b. get hardware nic

A

a. get system arp

167
Q

Which information is displayed in the output of a debug flow?

a. Incoming interface and matching firewall policy
b. Matching security profile and traffic log

A

a. Incoming interface and matching firewall policy

168
Q

When is a new TCP session allocated?

a. When a SYN packet is allowed
b. When a SYN/ACK packet is allowed

A

a. When a SYN packet is allowed

169
Q

Which action does FortiGate take during memory conserve mode?

a. Configuration changes are not allowed
b. Administrative access is denied

A

a. Configuration changes are not allowed

170
Q

Which threshold is used to determine when FortiGate enters conserve mode?

a. Green
b. Red

A

b. Red

171
Q

Which types of information are stored in the crash log?

a. Process crashes and conserve mode events
b. Traffic logs and security logs

A

a. Process crashes and conserve mode events

172
Q

Which protocol is used to upload new firmware from the console?

a. HTTP/HTTPS
b. TFTP

A

b. TFTP

173
Q

What IPsec protocol is not supported by FortiGate?

a. IKEv2
b. AH

A

b. AH

174
Q

Which VPN topology is the most fault tolerant?

a. Full mesh
b. Hub-and-spoke

A

a. Full mesh