NSE 4 7.2 Flashcards

1
Q

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

A

On HQ-FortiGate, set Encryption to AES256.

The encryption and authentication algorithms need to match.

2
Q

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A
  1. FortiSIEM
  2. FortiCloud
  3. FortiAnalyzer

FortiSandbox is not a logging solution.

FortiGate Security 7.0 pg 279

3
Q

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

A
  1. Operating mode
  2. NGFW Mode

C: “Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.”

D: “Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection mode is flow, so NGFW Mode can be changed from Profile-based (default) to Policy-based directly in System > Settings from the VDOM.”

A and B are incorrect: “The firmware on your FortiGate and some settings, such as system time, apply to the entire device; they are not specific to each VDOM.”

4
Q

Review the Intrusion Prevention System (IPS) profile signature settings.
Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

A

Traffic matching the signature will be silently dropped and logged.

“Pass” is only the default action.

The Pass action on the specific signature would only be applied if the Action (at the top) were set to Default. Instead it is set to Block, so the action will be to block and drop.

5
Q

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

A
  1. FortiGate uses the SMB protocol to retrieve the event viewer logs from the DCs.
  2. FortiGate queries AD by using LDAP to retrieve user group information.

Fortigate Infrastructure 7.0 Study Guide P.257-258, 272-273

6
Q

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

A

Local traffic logs

FortiGate_Security 7.0 page 263
Fortigate Security 7.0 page 268

7
Q

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A
  1. Proxy-based inspection
  2. Flow-based inspection

Profile-based: flow-based or proxy-based.
Policy-based: flow-based only.

Fortigate Security 7.0 pg 368

8
Q

An administrator wants to configure Dead Peer Detection (DPD) on an IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

A

On idle

Fortigate Infrastructure 7.0 Study Guide P.214
Fortigate Infrastructure 7.0 Study Guide P.228

9
Q

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A
  1. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
  2. The sensor will block all attacks aimed at Windows servers.
10
Q

An admin has configured an SLA, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

A
  1. Admin didn’t configure a gateway for the SD-WAN members, or configured gateway is not valid.
  2. The Enable probe packets setting is not enabled.
11
Q

Which two statements about the debug flow output are correct? (Choose two.)

A
  1. The debug flow is of ICMP traffic.
  2. A new traffic session is created.

The client is pinging the gateway in the same subnet, so no firewall policy is needed to allow such communication.

Proto 1 is ICMP.

Obviously a new session was created. The ping is being sent to the gateway from a local device, so no policy is needed: “gw-10.0.1.250 via root”.

Fortigate Infrastructure 7.0 pg 358-360

12
Q

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A

Intrusion prevention system engine

13
Q

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.
Which two statements are true? (Choose two.)

A
  1. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  2. Inter-VDOM links are required on the To-Internet VDOM to allow LAN users to access the Internet.
14
Q

An administrator does not want to report the logon events of service accounts to FortiGate.
What setting on the collector agent is required to achieve this?

A

Add user accounts to the Ignore User list.

FortiGate_Infrastructure_7.0 page 278
FortiGate_Infrastructure_7.0 page 290

15
Q

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

A

www.example.com
example.com

When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names— “no URLs or wildcard characters are allowed”.

Fortigate Security 7.0 pg 384

16
Q

Which statement about the policy ID number of a firewall policy is true?

A

It is required to modify a firewall policy using the CLI.

17
Q

How does FortiGate act when using SSL VPN in web mode?

A

FortiGate acts as an HTTP reverse proxy.

Fortigate security 7.0 Page 583

18
Q

The exhibits show the SSL inspection, authentication policy, and security policy for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?

A

The SSL inspection needs to be a deep content inspection.

The lock icon behind Facebook_like.Button indicates that SSL deep inspection is required.

All other application signatures, Facebook and Facebook_Video.Play, do not require SSL inspection; hence the users can play video content. If you look up the application signature for Facebook_like.Button, it will say “Requires SSL Deep Inspection”.

Padlock = requires SSL deep inspection.

19
Q

Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

A

FortiGate can inspect sub-application traffic regardless of where it was originated.

https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/300_System/303d_FortiGuard.htm

20
Q

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

A
  1. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  2. Server FortiGate requires a CA certificate to verify client FortiGate certificate.
21
Q

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.
What is the reason for the failed virus detection by FortiGate?

A

SSL/SSH Inspection profile is incorrect.

22
Q

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.

How must the administrator configure the local quick mode selector for site B?

A

192.16.2.0/24

23
Q

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)

A
  1. Antivirus scanning
  2. Intrusion prevention

Security policy: If the traffic is allowed as per the consolidated policy, FortiGate will then process it based on the security policy to analyze additional criteria, such as URL categories for web filtering and application control. Also, if enabled, the security policy further inspects traffic using security profiles such as IPS and AV.

Fortigate security 7.0 Page 451

24
Q

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A
  1. The subject field in the server certificate
  2. The server name indication (SNI) extension in the client hello message
  3. The Subject Alternative Name (SAN) field in the server certificate

FortiGate first uses the SNI; if there is no SNI, it uses the Subject or the Subject Alternative Name.

FortiGate_Security_7.0 Study Guide .pdf page 326

25
Q

An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

A
  1. Interface name
  2. IP header
  3. Packet payload

Fortigate Infrastructure 7.0 pg 58

To remember the order, think of the famous Architect I.M. Pei.

IPEI
IP Header
Packet Payload
Ethernet Header
Interface Name

  1. IP Header
  2. IP Header and Packet Payload
  3. IP Header, Packet Payload, and Ethernet Header
  4-6 are the same as 1-3; just add “Interface Name” to the end of each.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186

26
Q

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

A

FortiAnalyzer

All devices must be authorized on the root FortiGate, and after this step all must be authorized on the FortiAnalyzer.

27
Q

A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

A

The two VLAN sub-interfaces must have different VLAN IDs.

Reference: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31639

28
Q

NGFW mode allows policy-based configuration for most inspection rules.

Which security profile’s configuration does not change when you enable policy-based inspection?

A

Antivirus

Antivirus and IPS are enhanced by the IPS engine, so that is why B is the right answer.

29
Q

Based on the configuration, what will happen to Apple FaceTime?

A

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

FaceTime belongs to the VoIP category, which is monitored here and therefore should be allowed; however, because FaceTime has the “Excessive-Bandwidth” behavior, the custom filter Excessive-Bandwidth will block FaceTime and the lookup won’t continue to the second filter.

30
Q

Which two statements are true about collector agent standard access mode? (Choose two.)

A
  1. Standard mode uses Windows convention-NetBios: Domain\Username
  2. Standard mode security profiles apply to user groups

Standard mode does not support OUs; advanced mode does.
Standard mode cannot handle nested groups.

Fortigate Infra 7.0 Pg 280
Fortigate Infrastructure 7.0 Study Guide P.295

31
Q

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

“Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic”.

When IPsec SAs expire, FortiGate needs to negotiate new SAs to continue sending and receiving traffic over the IPsec tunnel. Technically, FortiGate deletes the expired SAs from the respective phase 2 selectors and installs new ones. If IPsec SA renegotiation takes too much time, FortiGate may drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation.

Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel will not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keepalive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled.

32
Q

Which two types of traffic are managed only by the management VDOM? (Choose two.)

A
  1. FortiGuard web filter queries
  2. DNS

“NTP, FortiGuard updates/queries, SNMP, DNS filtering, log settings and other management-related services”.

PKI is wrong because PKI stands for Public Key Infrastructure and is associated with VPNs.
Traffic shaping is wrong because traffic shaping is configured in a ‘Traffic Shaping Policy’.
FortiGuard web filter queries is correct because FortiGate will use FortiGuard for these queries.
DNS is correct because the management VDOM (very similar to Palo Alto) can use DNS for DNS queries.

Fortigate Infrastructure 7.0 Study Guide P.113

FortiGate Infrastructure 7.0 Book Pg. 122 says global settings for VDOMs are:
Hostname.
HA Settings.
Fortiguard Settings.
System time.
Administrative Accounts.

33
Q

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

A
  1. udp-echo
  2. TWAMP

Fortigate Infrastructure 7.0 pg 81
In the GUI, only HTTP, DNS and Ping appear.

34
Q

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

A
  1. FG-traffic
  2. Root

Root VDOM is created by default when VDOMs are enabled.

FortiGate Infrastructure 7.0 Study Guide page 123

35
Q

Which three methods are used by the collector agent for AD polling? (Choose three.)

A
  1. NetAPI
  2. WMI
  3. WinSecLog

Fortigate Infra SG 7.0 pg 255

36
Q

If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?

A

The Services field removes the requirement of creating multiple VIPs for different services.

The Services option has been added to VIP objects. When services and port forwarding are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port. This configuration was made possible to allow for complex scenarios where multiple sources of traffic use multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and without requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-overlapping.

37
Q

An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

A

Aggregate interface

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced bandwidth.

38
Q

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

A

Root VDOM

If you enable split-task VDOM mode on the upstream FGT device, it can allow downstream FGT devices to join the Security Fabric in the root and FG-Traffic VDOMs. If split-task VDOM mode is enabled on the downstream FortiGate, it can only connect to the upstream FortiGate through the downstream FortiGate interface on the root VDOM.

39
Q

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

A

Web application firewall

Some FortiGate features are meant to protect clients, not servers. For example, FortiGuard web filtering blocks requests based on the category of the server’s web pages. Antivirus prevents clients from accidentally downloading spyware and worms. Neither protects a server (which doesn’t send requests—it receives them) from malicious scripts or SQL injections. Protecting web servers requires a different approach because they are subject to other kinds of attacks. This is where WAF applies. The WAF feature is available only in proxy inspection mode.

40
Q

Examine the exhibit, a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

A

10.200.1.1

In this scenario, when port forwarding is enabled on the VIP, the traffic leaves with the IP associated with the WAN interface (10.200.1.1); if port forwarding is disabled, the outgoing IP is the one associated with the VIP (10.200.1.10).

The “set nat-source-vip enable” setting should be applied in the VIP; otherwise, the IP address of the physical interface will be used for NAT.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529

41
Q

Which two statements are true about collector agent advanced mode? (Choose two.)

A
  1. Advanced mode supports nested or inherited groups
  2. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

FortiGate Infra 7.0 page 280

42
Q

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

A

By default, split tunneling is enabled

There is a trap here: C and D each have something right, but the trick is in the question.

Under SSL VPN settings you can see that the port is 443 (the same as the HTTPS admin port).

BUT the question is about an SSL VPN setting FOR A VPN PORTAL, so if you go to SSL VPN Portals and click “Create New” you will see Tunnel Mode and Split Tunneling enabled by default; so the correct answer is C.

43
Q

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

A
  1. Log downloads from the GUI are limited to the current filter view.
  2. Log backups from the CLI cannot be restored to another FortiGate.

The question is about backing up logs from the CLI and downloading logs from the GUI; therefore, C is incorrect because the question doesn’t say anything about uploading logs from the CLI, but about backing them up from the CLI.

44
Q

Consider the topology:
Application on a Windows machine <–{SSL VPN} –>FGT–> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

A
  1. Create a new service object for TELNET and set the maximum session TTL.
  2. Create a new firewall policy and place it above the existing SSL VPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

The key here is performing the task without affecting any of the other services.

  • Not A - Changing the maximum TTL value for TELNET will affect every other policy that references the TELNET service.
  • Not B - Changing the session TTL on the SSL VPN policy will impact other services referenced in the policy.
45
Q

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

A

Subject Key Identifier value

FortiGate can use the Subject Key Identifier and Authority Key Identifier values to determine the relationship between the issuer of the certificate (identified in the Issuer field) and the certificate.

46
Q

Which two statements are true about the Security Fabric rating? (Choose two.)

A
  1. Many of the security issues can be fixed immediately by clicking Apply where available
  2. The Security Fabric rating must be on the root FortiGate device in the Security Fabric.

Fortigate Security 7.0 pg 96-97

47
Q

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A

It limits the scope of the application control to the browser-based technology category only.

The keyword is “browser-based” which we can find only in the Answer A.

48
Q

Which of the following statements correctly describe FortiGate's route lookup behavior when searching for a suitable gateway? (Choose two.)

A
  1. Lookup is done on the trust packet from the session originator.
  2. Lookup is done on the trust reply packet from the responder.

B is a bogus response, checking the last packet is a bit too late to establish a connection. Whoever provided these answers failed this exam. Should also be “First” instead of “Trust”.

49
Q

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?

A

The admin must use a FortiAuthenticator device.

B is correct because of the FortiToken: a different OTP solution cannot use FortiToken, so we have to choose the FortiAuthenticator.

FortiGate_Security_7.0 pages 212, 216.

50
Q

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

A
  1. Phase 2 SAs are used for encrypting and decrypting data exchanged through the tunnel.
  2. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
  3. Phase 2 SA expiration can be time-based, volume-based, or both.
51
Q

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

A
  1. Uninterruptable upgrade is enabled by default.
  2. Traffic load-balancing is temporarily disabled while upgrading the firmware.

Reference: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_operatingFirmUpgd.htm

52
Q

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

A
  1. Shutdown/reboot a downstream FortiGate device.
  2. Disable FortiAnalyzer logging for a downstream FortiGate device.
53
Q

Examine the two static routes shown in the exhibit.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

A

FortiGate will use the port1 route as the primary candidate.

54
Q

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

A

Flow-based inspection

Fortigate_Security_7.0 Page 368

55
Q

View the firewall policy and the antivirus profile exhibits.

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

A

The flow-based inspection is used, which resets the last packet to the user

The key to the right answer is “unable to receive a block replacement message when downloading an infected file for the first time”.

  • “ONLY” if the virus is detected at the “START” of the connection does the IPS engine send the block replacement message immediately.
  • When a virus is detected on a TCP session (FIRST TIME) where “SOME PACKETS” have already been forwarded to the receiver, FortiGate “resets the connection” and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore can’t be opened. The IPS engine also caches the URL of the infected file, so that if a “SECOND ATTEMPT” to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.

Two possible scenarios can occur when a virus is detected:

  • When a virus is detected on a TCP session where some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore can’t be opened. The IPS engine also caches the URL of the infected file, so that IF A SECOND ATTEMPT TO TRANSMIT THE FILE IS MADE, THE IPS ENGINE WILL SEND A BLOCK REPLACEMENT MESSAGE to the client instead of scanning the file again.
  • If the virus is detected at the start of the connection, the IPS engine sends the block replacement message immediately.
56
Q

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

A
  1. NTP
  2. DNS
57
Q

Which statement about video filtering on FortiGate is true?

A

It is available only on a proxy-based firewall policy

Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering

58
Q

An administrator has configured a strict RPF check on FortiGate.

Which statement is true about the strict RPF check?

A

Strict RPF checks the best route back to the source using the incoming interface.

Loose RPF checks for any route; strict RPF checks for the best route.

Fortigate Security 7.0 pg 39-40.

59
Q

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

A
  1. The keyUsage extension must be set to keyCertSign
  2. The CA extension must be set to true

B is incorrect because it’s not mandatory to have a wildcard certificate.
A is incorrect because the certificate can be signed by any CA, private or public.

FortiGate Security 7.0 pp 328:

“In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.”

60
Q

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

A

get system arp

D is correct. “If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table.”

FortiGate Infrastructure 7.0 pg 353, 368

61
Q

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.
Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

A
  1. set protocol udp
  2. set fortiguard-anycast disable

Fortigate Security 7.0 pg 417, 422

62
Q

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

A
  1. By default, all interfaces are part of the same broadcast domain.
  2. FortiGate forwards frames without changing the MAC address.

Fortigate_Security_7.0 page 379

63
Q

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A
  1. To detect intermediary NAT devices in the tunnel path.
  2. To encapsulate ESP packets in UDP packets using port 4500.

When NAT-T is enabled on both ends, the peers can detect any NAT device along the path. If NAT is found, the following occurs:

  • Both phase 2 and remaining phase 1 packets change to UDP port 4500.
  • Both ends encapsulate ESP within UDP port 4500.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48755

64
Q

You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk.
What is the default behavior when the local disk is full?

A

Logs are overwritten and the first warning is issued when the log disk usage reaches the threshold of 75%

Page 278 Fortigate Security 7.0
(New version): only 75% of the disk is available to store logs, and that space is shared among the existing VDOMs.

diagnose sys logdisk usage is the CLI command to verify this.

65
Q

If the Issuer and Subject values are the same in a digital certificate, to which type of entity was the certificate issued?

A

A root CA (the certificate is self-signed: the CA issued it to itself, so Issuer and Subject are identical)

66
Q

An administrator has configured two-factor authentication to strengthen SSL VPN access.
Which additional best practice can an administrator implement?

A

Configure host check

For context, host check uses FortiClient to verify that certain conditions on the remote PC are met, such as antivirus being installed, a specific file being present, a certain process running, or specific registry entries existing. Host check basically ensures that the PC with the VPN client installed is set up according to your organization's standards.

67
Q

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.
What order must FortiGate use when the web filter profile has features enabled, such as safe search?

A

Static URL filter, FortiGuard category filter, and advanced filters

FortiGate_Security_7.0_Study_Guide-Online.pdf page 414 shows the HTTP Inspection Order (Static URL Filter -> FortiGuard Category Filter -> Advanced Filters)
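Added example, not from the study guide or the card above: the HTTP inspection order as a small Python pipeline. The static URL entries, the category ratings and the per-category actions are constructed; the stage semantics follow FortiOS (a static URL filter Exempt skips the remaining filters, Block stops immediately, Allow/Monitor let the request continue to the FortiGuard category filter, and advanced filters such as safe search only see what survives the first two stages).

```python
"""Web filter HTTP inspection order on FortiGate, modelled as a pipeline.
Added example for these notes; the entries below are constructed and are not
taken from any real web filter profile."""
from fnmatch import fnmatch

# Static URL filter entries, evaluated in order: (type, pattern, action).
# exempt: stop inspecting, allow.  block: stop, deny.
# allow/monitor: let the request continue to the remaining filters.
STATIC_URL_FILTER = [
    ("simple", "intranet.example.com", "exempt"),
    ("wildcard", "*.malware-example.test", "block"),
    ("simple", "video.example.org", "allow"),
]

# Stand-in for a FortiGuard category rating and the profile's category actions.
CATEGORY_OF = {
    "video.example.org": "Streaming Media",
    "social.example.net": "Social Networking",
    "news.example.com": "News and Media",
}
CATEGORY_ACTION = {
    "Streaming Media": "block",
    "Social Networking": "warning",
    "News and Media": "allow",
}


def static_url_filter(host):
    """First stage: action of the first matching static entry, or None."""
    for kind, pattern, action in STATIC_URL_FILTER:
        if kind == "simple" and host == pattern:
            return action
        if kind == "wildcard" and fnmatch(host, pattern):
            return action
    return None


def category_filter(host):
    """Second stage: rate the host and look up the action for its category."""
    category = CATEGORY_OF.get(host, "Unrated")
    return category, CATEGORY_ACTION.get(category, "allow")


def inspect(host, safe_search=True):
    """Run the three stages in FortiGate's order and return (verdict, trace).

    The trace lists every stage that actually ran, which is what to compare
    against the web filter log entry for a given request."""
    trace = []
    action = static_url_filter(host)
    if action is not None:
        trace.append(f"static:{action}")
        if action == "block":
            return "block", trace
        if action == "exempt":
            return "allow", trace      # bypasses category and advanced filters
        # allow / monitor: keep going
    category, action = category_filter(host)
    trace.append(f"category:{category}:{action}")
    if action == "block":
        return "block", trace
    # Third stage: advanced filters such as safe search only see traffic that
    # survived the first two stages.
    if safe_search:
        trace.append("advanced:safe-search")
    return action, trace


if __name__ == "__main__":
    for h in ("intranet.example.com", "bad.malware-example.test",
              "video.example.org", "social.example.net", "news.example.com"):
        print(h, inspect(h))
```

The video.example.org case is the one worth noticing: a static Allow does not end inspection, so the category filter can still block the request.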

68
Q

Which two statements correctly describe auto discovery VPN (ADVPN)? (Choose two.)

A
  1. IPsec tunnels are negotiated dynamically between spokes.
  2. It recommends the use of dynamic routing protocols, so that spokes can learn the routes to other spokes.
69
Q

Which of the following SD-WAN load-balancing methods use the interface weight value to distribute traffic? (Choose two.)

A
  1. Volume
  2. Session

Sessions and Volume are the two SD-WAN load-balancing modes that use the interface weight. Spillover (usage-based in the CLI) distributes by bandwidth thresholds rather than weight, and Source IP and Source-Destination IP hash on addresses.

Reference: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/SD-WAN/SD-WAN_load_balancing.htm

70
Q

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A
  1. Web-filter in flow-based inspection.
  2. Antivirus in flow-based inspection mode.
  3. Application control

The question asks which features use the IPS engine. These are:
Application control
Anti-virus (flow-based)
Web filter (flow-based)
Email filter (flow-based)
Data leak prevention (flow-based in one armed sniffer mode)

Fortigate 7.0 Security pg 520, 525

71
Q

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

A
  1. This is known as many-to-one NAT.
  2. Source IP is translated to the outgoing interface IP.

Because fixed port is disabled (the default), the source port can also be translated. If fixed port were enabled, the source port would be preserved and the answer would be C and D.

72
Q

Examine the IPS sensor and DoS policy configuration.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

A

IMAP.Login.brute.Force

Anomalies can be zero-day or denial-of-service attacks.

They are detected by behavioral analysis:
Rate-based IPS signatures.
DoS policies.
Protocol constraint inspections.

The DoS policy is disabled in this scenario.

73
Q

Which of the following are valid actions for the FortiGuard category based filter in a web filter profile in proxy-based inspection mode? (Choose two.)

A
  1. Warning
  2. Allow

Exempt is not a FortiGuard category action; it is a static URL filter action. The FortiGuard category actions are Allow, Monitor, Block, Warning and Authenticate.

74
Q

Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

A
  1. Hard-timeout
  2. New-session
  3. Idle-timeout

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Firewall/ta-p/189423?externalID=FD37221

75
Q

Which scanning technique on FortiGate can be enabled only on the CLI?

A

Machine learning (AI) scan

For FortiOS 7.0 the answer is Machine learning (AI) scan instead of Heuristics. See FortiGate Security 7.0 page 476

76
Q

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

A

It is dropped

Because memory usage exceeded the extreme threshold.

“However, if the memory usage exceeds the extreme threshold, new sessions are always dropped, regardless of the FortiGate configuration.”

Note: “The extreme threshold is when the memory usage goes above 95%, and all new sessions are dropped.”

77
Q

Which three statements are true regarding session-based authentication? (Choose three.)

A
  1. HTTP Sessions are treated as a single user.
  2. It can differentiate among multiple clients behind the same source IP address.
  3. It requires more resources.

For 1: each session-based authenticated user is counted as a single user; the authentication membership (RADIUS, LDAP, FSSO, local database, and so on) is used to match the same user in other sessions, so one authenticated user with multiple HTTP sessions is still one user.

78
Q

Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?

A

Apple FaceTime belongs to the custom blocked filter.

FaceTime is categorized under Excessive-Bandwidth, and a custom filter override is set to block; this is consistent with users being unable to use FaceTime.

79
Q

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

A
  1. Shutdown/reboot a downstream FortiGate device.
  2. Disable FortiAnalyzer logging for a downstream FortiGate device.
80
Q

Which statement about the IP authentication header (AH) used by IPsec is true?

A

AH provides data integrity but no encryption

“IPsec is a suite of protocols that is used for authenticating and encrypting traffic between two peers. The three most used protocols in the suite are the following:

  • Internet Key Exchange (IKE), which does the handshake, tunnel maintenance, and disconnection.
  • Encapsulation Security Payload (ESP), which ensures data integrity and encryption.
  • Authentication Header (AH), which offers only data integrity - not encryption.”
81
Q

Exhibit A shows system performance output.
Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two statements are correct?

A
  1. Administrators cannot change the configuration
  2. FortiGate has entered conserve mode

Fortigate Infrastructure 7.0 pg 367-368

Fortigate Infra 7.0 page 383: in conserve mode FortiGate does not accept configuration changes and does not run quarantine actions, such as forwarding files to FortiSandbox.
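
Added example for cards 76 and 81, not from the study guide: a small model of what happens to new sessions and to configuration changes as memory crosses the conserve-mode thresholds. The thresholds are the FortiOS defaults from config system global (memory-use-threshold-green 82, red 88, extreme 95); the av-failopen setting, whose default is pass, is the one that decides the fate of new sessions needing inspection while in conserve mode. The one-shot value is treated like pass here.

```python
"""How FortiGate treats new sessions and configuration changes around the
memory conserve-mode thresholds. Added example; thresholds are the
config system global defaults and av-failopen models the setting of the
same name."""
from dataclasses import dataclass, field


@dataclass
class MemoryThresholds:
    green: int = 82    # conserve mode ends once usage drops below this
    red: int = 88      # conserve mode starts at this usage
    extreme: int = 95  # at or above this every new session is dropped


@dataclass
class FortiGateMemoryState:
    thresholds: MemoryThresholds = field(default_factory=MemoryThresholds)
    av_failopen: str = "pass"     # "pass" | "off" | "one-shot"; pass is the default
    conserve_mode: bool = False

    def observe(self, mem_percent):
        """Update conserve mode with hysteresis: enter at red, leave below green."""
        if mem_percent >= self.thresholds.red:
            self.conserve_mode = True
        elif mem_percent < self.thresholds.green:
            self.conserve_mode = False
        return self.conserve_mode

    def new_session(self, mem_percent, needs_inspection):
        """Verdict for a new session arriving at this memory level."""
        self.observe(mem_percent)
        if mem_percent >= self.thresholds.extreme:
            return "dropped"                   # always, regardless of av-failopen
        if not self.conserve_mode or not needs_inspection:
            return "accepted"
        # In conserve mode av-failopen decides for sessions that need
        # inspection: pass and one-shot let them through uninspected, off drops.
        return "dropped" if self.av_failopen == "off" else "accepted-uninspected"

    def config_change_allowed(self):
        """Administrators cannot change the configuration while in conserve mode."""
        return not self.conserve_mode


if __name__ == "__main__":
    fg = FortiGateMemoryState()
    for usage in (96, 90, 85, 80):
        print(usage, fg.new_session(usage, needs_inspection=True),
              "config-change-allowed:", fg.config_change_allowed())
```

The 85% step shows the hysteresis that trips people up during incident response: once in conserve mode the box stays there until usage falls below the green threshold, not merely below red.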

82
Q

An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

A

hard-timeout

Fortigate Security 7.0 pg 254

83
Q

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

  • All traffic must be routed through the primary tunnel when both tunnels are up
  • The secondary tunnel must be used only if the primary tunnel goes down
  • In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements?

A
  1. Enable Dead Peer detection.
  2. Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel.

1 because the design requires FortiGate to detect a dead tunnel. DPD is designed for that purpose: FortiGate sends DPD probes to the peer and, after a configured number of probes go unanswered, marks the tunnel down so that failover to the next tunnel happens without waiting for the phase 1 lifetime to expire.

For 2, remember how a route is chosen with regard to administrative distance: the route with the lowest distance for a given destination is the one installed. Configuring a lower distance on the primary tunnel's static route means the primary tunnel carries all traffic while it is up, and the secondary route is installed only once the primary route is withdrawn.

84
Q

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

A

To allow for out-of-order packets that could arrive after the FIN/ACK packets

TCP allows one end of a connection to stop sending while still receiving data from the other end; this is called a half-close. FortiGate therefore keeps the entry in the session table for a defined timer after the FIN/ACK exchange before removing it, so late or out-of-order segments still match the session.

85
Q

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

A

10.200.1.99

Ping uses ICMP, which is IP protocol number 1.

=> Central SNAT policy ID 1, which matches protocol 1, is the policy used.

=> Its translated address is the IP pool SNAT-Remote1, that is, 10.200.1.99.
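
Added example for cards 71 and 85, not the exhibit and not FortiGate code: a central SNAT policy lookup followed by many-to-one source NAT in Python. The policies, the pool and the interface address are constructed to match the text above (protocol 1 matches policy 1, pool SNAT-Remote1 is 10.200.1.99, port1 is 10.200.1.1); the dynamic port range start is hypothetical. The translator shows why a many-to-one policy with fixed port disabled can rewrite the source port, and why enabling fixed port turns a port collision into a failed session.

```python
"""Central SNAT policy lookup followed by many-to-one source NAT.
Added example; the policies, pool and interface addresses below are
constructed to match the card text and are not the exhibit."""
import ipaddress

ICMP, TCP, UDP = 1, 6, 17
ANY = 0  # protocol 0 in a central SNAT policy means "any protocol"

# Constructed central SNAT policies, matched top-down; first match wins.
# pool None means "use the outgoing interface IP" (the many-to-one case).
SNAT_POLICIES = [
    {"id": 1, "srcintf": "port3", "dstintf": "port1",
     "src": "10.0.1.0/24", "dst": "10.200.3.0/24", "protocol": ICMP,
     "pool": "SNAT-Remote1", "fixedport": False},
    {"id": 2, "srcintf": "port3", "dstintf": "port1",
     "src": "10.0.1.0/24", "dst": "0.0.0.0/0", "protocol": ANY,
     "pool": None, "fixedport": False},
]
IP_POOLS = {"SNAT-Remote1": "10.200.1.99"}   # overload pool with a single IP
INTERFACE_IP = {"port1": "10.200.1.1"}        # from the card text


def match_snat_policy(srcintf, dstintf, src_ip, dst_ip, proto):
    """Return the first central SNAT policy matching all five criteria, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in SNAT_POLICIES:
        if (p["srcintf"], p["dstintf"]) != (srcintf, dstintf):
            continue
        if src not in ipaddress.ip_network(p["src"]):
            continue
        if dst not in ipaddress.ip_network(p["dst"]):
            continue
        if p["protocol"] not in (ANY, proto):
            continue
        return p
    return None


class SourceNat:
    """Many-to-one SNAT: all hosts share one translated IP.

    With fixed port disabled (the default) the source port (for ICMP, the
    identifier) may be rewritten when the original value is already in use
    on the translated IP. With fixed port enabled the port is kept, so a
    second session that needs the same port cannot be translated."""

    def __init__(self, first_dynamic_port=40000):
        self.in_use = set()                  # (nat_ip, proto, port)
        self.next_port = first_dynamic_port  # hypothetical dynamic range start

    def translate(self, policy, dstintf, src_port, proto):
        nat_ip = IP_POOLS[policy["pool"]] if policy["pool"] else INTERFACE_IP[dstintf]
        port = src_port
        if (nat_ip, proto, port) in self.in_use:
            if policy["fixedport"]:
                return None                  # collision: session cannot be built
            while (nat_ip, proto, self.next_port) in self.in_use:
                self.next_port += 1
            port = self.next_port
        self.in_use.add((nat_ip, proto, port))
        return nat_ip, port


def nat_for(nat, srcintf, dstintf, src_ip, dst_ip, proto, src_port):
    """Policy lookup plus translation; None when no central SNAT policy matches."""
    policy = match_snat_policy(srcintf, dstintf, src_ip, dst_ip, proto)
    if policy is None:
        return None
    return policy["id"], nat.translate(policy, dstintf, src_port, proto)


if __name__ == "__main__":
    nat = SourceNat()
    print(nat_for(nat, "port3", "port1", "10.0.1.10", "10.200.3.1", ICMP, 1234))
    print(nat_for(nat, "port3", "port1", "10.0.1.10", "10.200.3.1", TCP, 50000))
    print(nat_for(nat, "port3", "port1", "10.0.1.11", "10.200.3.1", TCP, 50000))
```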

86
Q

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A
  1. The port3 default route has the lowest metric.
  2. The port1 and port2 default routes are active in the routing table.

*> marks an active route, that is, one installed in the routing table.

The first square bracket is [distance/metric]: administrative distance first, then metric.

The second square bracket holds the priority, which applies only to static routes.

The metric is compared only between routes that have the same administrative distance.
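
Added example for card 86, not from the study guide: a parser for lines in the layout of get router info routing-table database, followed by the selection rule the notes above describe (lowest distance wins and is marked *>; among routes with equal distance the lowest priority value and then the lowest metric is preferred, with ties load balanced). The four sample lines are constructed, not the exhibit.

```python
"""Parse routing database lines and reproduce FortiGate's route selection.
Added example; the sample output below is constructed."""
import re
from dataclasses import dataclass

SAMPLE = """\
S       *> 0.0.0.0/0 [10/0] via 10.200.1.254, port1, [1/0]
S       *> 0.0.0.0/0 [10/0] via 10.200.2.254, port2, [5/0]
S          0.0.0.0/0 [20/0] via 10.200.3.254, port3, [1/0]
C       *> 10.0.1.0/24 is directly connected, port3
"""

# proto  [*>]  prefix  [distance/metric] via gateway, interface[, [priority/x]]
ROUTE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<active>\*>)?\s*(?P<prefix>\S+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>[^\s,]+),\s+"
    r"(?P<intf>[^\s,]+)(?:,\s+\[(?P<priority>\d+)/\d+\])?"
)


@dataclass
class Route:
    proto: str
    prefix: str
    distance: int
    metric: int
    priority: int
    gateway: str
    interface: str
    active_flag: bool    # whether the output marked the route with *>


def parse_routing_database(text):
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:            # connected routes use another layout; skipped here
            continue
        routes.append(Route(m["proto"], m["prefix"], int(m["distance"]),
                            int(m["metric"]), int(m["priority"] or 0),
                            m["gw"], m["intf"], m["active"] is not None))
    return routes


def select(routes, prefix):
    """Return (active routes, preferred routes) for one prefix.

    active: every candidate sharing the lowest distance; all of them go into
    the routing table. preferred: the active routes with the lowest
    (priority, metric); more than one means ECMP."""
    cands = [r for r in routes if r.prefix == prefix]
    if not cands:
        return [], []
    best_distance = min(r.distance for r in cands)
    active = [r for r in cands if r.distance == best_distance]
    best_key = min((r.priority, r.metric) for r in active)
    preferred = [r for r in active if (r.priority, r.metric) == best_key]
    return active, preferred


if __name__ == "__main__":
    routes = parse_routing_database(SAMPLE)
    active, preferred = select(routes, "0.0.0.0/0")
    print("active:", [r.interface for r in active])
    print("preferred:", [r.interface for r in preferred])
```

With the sample, port1 and port2 are both active (same distance 10) although only port1 is preferred (priority 1 versus 5), and port3 stays out of the routing table because of its distance of 20.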

87
Q

Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

A

Social networking web filter category is configured with the action set to authenticate

The answer above is correct. We have two logs: the first with action deny and the second with passthrough.

A is incorrect - the second log shows action="passthrough".

B is incorrect - the firewall action can only be allow or deny.

D is incorrect - the CLI does not show the policy name, only the ID.

Remember: action="passthrough" means that authentication has occurred.

On the first attempt from the source IP the connection is blocked and a warning message is displayed. On the second attempt from the same source IP the connection passes through, so taking the first block and the second pass together, the user must authenticate to be granted access.

88
Q

The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?

A

Change Administrator profile

Fortigate security 7.0 pg 24

The prof_admin profile grants access to VDOM-level settings only, not to the global settings.

89
Q

Which two statements about the debug flow output are correct? (Choose two.)

A
  1. The debug flow is of ICMP traffic
  2. A new traffic session is created

Protocol 1 is ICMP.

A new session is created. The ping is sent to the gateway from a local device, so no firewall policy is needed: “gw-10.0.1.250 via root”.

Fortigate Infrastructure 7.0 pg 358-360

90
Q

When configuring a firewall virtual wire pair policy, which following statement is true?

A

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

91
Q

Based on the information shown in the exhibit, which statement is true?

A

One-to-one NAT IP pool is used in the firewall policy

With a one-to-one IP pool, port address translation (PAT) is not performed: each internal address maps to its own external address, so the source port is kept.

92
Q

Which two statements are true about the FGCP protocol? (Choose two.)

A
  1. Runs only over the heartbeat links
  2. Elects the primary FortiGate device
93
Q

Which statement is true about the session diagnostic output?

A

The session is in SYN_SENT state

The first line, “Session info: proto=6 proto_state=02”, indicates a TCP session (proto=6) in SYN_SENT state (proto_state=02).

FortiGate_Security_7.0 page 191.

For TCP, proto_state is two digits: the first digit describes the reply (server-side) direction and the second the originating (client-side) direction; in this output only the second digit is set. State values:
0=None
1=Established
2=Syn_Sent

Reference:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988#:~:text=the%20Reply%20direction-,State,-Value
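
Added example for card 93, not from the study guide or the KB articles: a decoder for the proto and proto_state fields of diagnose sys session list output. The four session lines are constructed (and trimmed to a few fields) rather than captured from a device; the TCP state table covers the values 0 to 7 (NONE, ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT, TIME_WAIT, CLOSE, CLOSE_WAIT), and UDP uses 0 for unreplied and 1 for replied.

```python
"""Decode proto and proto_state from 'diagnose sys session list' output.
Added example; SAMPLE is constructed, not a real capture. For TCP,
proto_state has two digits: the first is the reply (server-side)
direction, normally 0, the second the state of the originating direction."""
import re

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT"}
UDP_STATES = {0: "UNREPLIED", 1: "REPLIED"}

SAMPLE = """\
session info: proto=6 proto_state=02 duration=3 expire=7 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
session info: proto=6 proto_state=02 duration=28 expire=2 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
"""


def decode_state(proto, proto_state):
    """Map proto + proto_state to names; returns (originating, reply) states."""
    reply_digit, orig_digit = int(proto_state[0]), int(proto_state[1])
    if proto == 6:
        return TCP_STATES[orig_digit], TCP_STATES[reply_digit]
    if proto == 17:
        return UDP_STATES[orig_digit], None
    return "n/a", None        # ICMP and others carry no state machine here


def parse_sessions(text):
    """Turn each 'session info:' line into a dict of the fields we care about."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r"session info:\s+(.*)", line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(1).split())
        proto = int(fields["proto"])
        state, reply_state = decode_state(proto, fields["proto_state"])
        sessions.append({
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "state": state,
            "reply_state": reply_state,
            "duration": int(fields["duration"]),
            "expire": int(fields["expire"]),
            "timeout": int(fields["timeout"]),
        })
    return sessions


def half_open(sessions):
    """TCP sessions still in SYN_SENT: the first thing to count when a client
    reports it cannot connect, and a quick indicator of a SYN flood."""
    return [s for s in sessions if s["proto"] == "TCP" and s["state"] == "SYN_SENT"]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s)
    print("half-open:", len(half_open(parse_sessions(SAMPLE))))
```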

94
Q

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

A
  1. SSH
  2. HTTPS
95
Q

What are the two results of this configuration? (Choose two.)

A
  1. A session for denied traffic is created
  2. The number of logs generated by denied traffic is reduced

ses-denied-traffic: enable/disable including denied sessions in the session table. With it enabled, a denied session is kept for block-session-timer seconds, so later packets of the same flow match the existing denied session instead of being evaluated and logged again; that is why fewer logs are generated.

https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/20620/config-system-settings

block-session-timer: duration in seconds for blocked sessions (integer, minimum 1, maximum 300, default 30).

https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/1620/config-system-global

96
Q

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

A

The IPS engine was inspecting high volume traffic

“Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.”

So D is the correct answer to the question about the decrease in CPU usage; the IPS engine still running (answer B) is true of bypass mode but does not explain the drop.

Fortigate Security 7.0 pg 567

97
Q

The exhibit contains a network diagram and routing table output. The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

A

The first reply packet for student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

98
Q

What devices form the core of the security fabric?

A

One FortiGate device and one FortiAnalyzer device

FortiGate_Security_7.0 page 67.

99
Q

A user located behind the FortiGate device is trying to go to http://www.addictinggames.com (Addicting.Games). The exhibit shows the application details and the application control profile.
Based on this configuration, which statement is true?

A

Addicting.Games will be allowed, based on the Application Overrides configuration.

100
Q

Which two statements are true about the RPF check? (Choose two.)

A
  1. The RPF check is run on the first sent packet of any new session.
  2. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks

RPF protects against IP spoofing attacks: the source IP address of the first packet of a session is checked against the routing table for a return path through the interface the packet arrived on. RPF is carried out only on the first packet of a session, not on reply packets.

101
Q

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

A
  1. Enable match-vip in the Deny policy.
  2. Set the Destination address as Web_server in the Deny policy.

By default, a Deny policy with the destination set to all does not match VIP addresses, so there are two options: enable match-vip in the Deny policy, or set the destination to the Web_server address in the Deny policy.

102
Q

Which two statements are correct about a software switch on FortiGate? (Choose two.)

A
  1. It can be configured only when FortiGate is operating in NAT mode.
  2. All interfaces in the software switch share the same IP address.

A is correct: “Only supported in NAT mode”.

C is correct: “The interfaces share the same IP address and belong to the same broadcast domain”.

B is incorrect: “Acts like a traditional Layer 2 switch”. The software switch only acts as a Layer 2 switch; it does not do Layer 3 routing. The FortiGate (the firewall part) does that.

D is incorrect: “Can group multiple physical and wireless interfaces into a single virtual switch interface”.

Fortigate Infrastructure 7.0 pg 178

Summary:
Can group physical and wireless interfaces.
Only works in NAT mode.
Acts like a traditional Layer 2 switch.
Interfaces share the same IP address and broadcast domain.

Fortigate Infrastructure 7.0 Study Guide P.186

103
Q

Which statement is true about SSL VPN web mode?

A

It supports a limited number of protocols

Web mode requires only a web browser, but supports a limited number of protocols.

FortiGate_Security_7.0_Study_Guide page 582

104
Q

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

A
  1. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide username and password.
  2. FortiGate supports pre-shared key and signature as authentication methods.

1 = Fortigate_Infrastructure_7.0 page 218

2 = Fortigate_Infrastructure_7.0 page 215

105
Q

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

A

diagnose wad session list

106
Q

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

A

User or User Group

1 is correct and tested (a user and a user group can be added to the policy, but an IP address or network fails to add). Version 7.0.5.

We have just confirmed this on a production FortiGate firewall: you can add a user or user group, but you cannot add an address group together with an ISDB object. It simply shows a red highlighted error that reads “Addresses/groups cannot be mixed with Internet Services”.

If source: you can add a user. If destination: you cannot add any other object.

You can’t mix ISDB objects with regular address objects. User objects are not restricted in any way.

Fortigate Security 7.0 pg 117

107
Q

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?

A

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

FortiGate_Security_7.0 page 223

“The INCLUDE IN EVERY USER GROUP option adds the Radius server and all user that can authenticate against it, to every user group created on the FortiGate”

108
Q

In this scenario, which statement is true?

A

Session-based authentication is enabled

Fortigate Infrastructure 7.0 pg 264

NTLM authentication = session-based

109
Q

In which two ways can RPF checking be disabled? (Choose two.)

A
  1. Enable asymmetric routing.
  2. Disable the RPF check at the FortiGate interface level for the source check.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD51279

110
Q

An organization’s employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

A

Change the login-timeout

Based on FortiGate_Security_7.0 page 607 which says … ‘The first command allows you to set up the login timeout, replacing the previous hard timeout value (30 seconds)- The command is set login-timeout <10-80>

FortiGate_Security_7.0 page 621

111
Q

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

A
  1. Server information disclosure attacks.
  2. Credit card data leaks.
  3. SQL injection attacks.

Reference: https://help.fortinet.com/fweb/570/Content/FortiWeb/fortiweb-admin/web_protection.htm

112
Q

What is the primary FortiGate election process when the HA override setting is disabled?

A

Connected monitored ports > HA uptime > Priority > FortiGate serial number

PUPS - Ports/Uptime/Priority/Serial

FortiGate_Infrastructure_7.0 page 304

113
Q

Which statement regarding the firewall policy authentication timeout is true?

A

It is an idle timeout. The FortiGate considers a user to be idle if it does not see any packets coming from the user’s source IP.

If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default), user authentication entry will be removed.

If the user tries to access resources now, FortiGate will prompt the user to authenticate again.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

115
Q

Why did the FortiGate drop the packet?

A

It matched the default implicit firewall policy

implicit firewall rule == (policy id 0)

traffic is denied by implicit firewall rule.

117
Q

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

A

Local traffic logs

Fortigate Security 7.0 pg 268

118
Q

Which two statements are correct about SLA targets? (Choose two.)

A
  1. SLA targets are optional
  2. SLA targets are used only when referenced by an SD-WAN rule.

Fortigate Infrastructure 7.0 Study Guide P.81

119
Q

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
Which two statements are true? (Choose two.)

A
  1. FortiGate SN FGVM010000065036 HA uptime has been reset.
  2. FortiGate SN FGVM010000064692 has the higher HA priority.

  1. Override is disabled by default, so HA uptime is compared before priority, and a reset HA uptime is what the first statement describes.
  2. “If the HA uptime of a device is at least five minutes (300 seconds) more than the HA uptime of the other FortiGate devices, it becomes the primary.” The question here is whether the HA uptime lead of FGVM010000064692 reaches 5 minutes. No: 198 seconds < 300 seconds, so uptime does not decide and the election moves on to priority. Page 314 Infra Study Guide.
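
Added example for cards 112 and 119, not from the study guide: the FGCP primary election in Python, with the 300-second uptime margin from the note above. Member values (failed monitored ports, HA uptime, priority) are constructed; only the two serial numbers come from the card. The override flag switches between the two orders the cards give: monitored ports > HA uptime > priority > serial number when override is disabled (the default), and monitored ports > priority > HA uptime > serial number when it is enabled.

```python
"""FGCP primary election. Added example; members are constructed.
Override disabled: monitored ports > HA uptime > priority > serial.
Override enabled:  monitored ports > priority > HA uptime > serial.
HA uptime only decides when one member leads by at least 300 seconds."""
from dataclasses import dataclass
from functools import reduce

UPTIME_MARGIN = 300  # seconds; smaller uptime differences are ignored


@dataclass
class Member:
    serial: str
    failed_monitored_ports: int
    ha_uptime: int      # seconds since HA uptime was last reset
    priority: int       # higher wins


def _by_ports(a, b):
    if a.failed_monitored_ports != b.failed_monitored_ports:
        return a if a.failed_monitored_ports < b.failed_monitored_ports else b
    return None


def _by_uptime(a, b):
    if abs(a.ha_uptime - b.ha_uptime) >= UPTIME_MARGIN:
        return a if a.ha_uptime > b.ha_uptime else b
    return None


def _by_priority(a, b):
    if a.priority != b.priority:
        return a if a.priority > b.priority else b
    return None


def _by_serial(a, b):
    return a if a.serial > b.serial else b   # highest serial wins the final tie


def winner(a, b, override=False):
    """Pairwise election between two cluster members."""
    steps = ([_by_ports, _by_priority, _by_uptime, _by_serial] if override
             else [_by_ports, _by_uptime, _by_priority, _by_serial])
    for step in steps:
        result = step(a, b)
        if result is not None:
            return result
    return _by_serial(a, b)   # not reached: the serial step always decides


def elect_primary(members, override=False):
    """Reduce the member list pairwise to the primary."""
    return reduce(lambda a, b: winner(a, b, override), members)


if __name__ == "__main__":
    a = Member("FGVM010000064692", 0, 198, 200)
    b = Member("FGVM010000065036", 0, 0, 128)   # HA uptime just reset
    print(elect_primary([a, b]).serial)
    print(elect_primary([a, Member("FGVM010000065036", 0, 600, 128)]).serial)
```

The second print is the case to remember from card 119: a 600-second uptime lead beats a higher priority when override is disabled, which is exactly why the study guide calls override a tool for making priority win.
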
120
Q

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.

What should the administrator do next to troubleshoot the problem?

A

Execute a debug flow

The sniffer shows ingressing and egressing packets, but it cannot show packets that FortiGate dropped. The debug flow shows why a packet was not forwarded for any reason caused by FortiGate, so if a packet reached FortiGate and was dropped, the debug flow will show it.

122
Q

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

A
  1. NTP
  2. DNS

The FortiGate hostname is not synchronized between cluster members.

123
Q

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

A

Change the csf setting on the Local-FortiGate (root) to set fabric-object-unification default.

124
Q

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

A

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.

C is correct: Fortigate Security 7.0 page 458

D is also correct: Fortigate Security 7.0 page 458

Fortigate Security 7.0 page 445

125
Q

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

A
  1. One server was contacted to retrieve the contract information.
  2. FortiGate is using default FortiGuard communication settings.

Anycast is Enabled by default

126
Q

An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

A

Disable the RPF check at the FortiGate interface level for the source check

B is the answer; be careful, the questions are very tricky. The NSE guide lists two ways to disable RPF: 1) enable asymmetric routing, which disables RPF checking system wide (config system settings, not per interface); 2) disable RPF checking at the interface level, which is the only per-interface option and is done in the CLI. A is incorrect: enabling asymmetric routing disables RPF entirely rather than bypassing it for one interface. B is correct: you disable the RPF check at the interface level, for the source check. C is incorrect: the interface-level setting is a source check, there is no reply check. D is incorrect: asymmetric routing is not enabled at the interface level.

RPF checking can be disabled in two ways. If you enable asymmetric routing, it disables RPF checking system wide. However, this greatly reduces the security of your network: features such as antivirus and IPS become ineffective. So, if you need to disable RPF checking, do so at the interface level using the command:

config system interface
    edit <interface>
        set src-check [enable | disable]
    next
end
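
Added example for cards 100, 109 and 126, not from the study guide and not FortiGate code: the reverse path forwarding check in Python, applied the way FortiGate applies it to the first packet of a new session. The routing table is constructed. Loose mode (the default) accepts the packet if any route to the source, including the default route, points out the ingress interface; strict mode (the per-interface strict-src-check setting) requires the best route to do so. The src_check and asymroute parameters stand in for the interface-level src-check and the system-wide asymmetric routing bypass discussed above.

```python
"""Reverse path forwarding check on the first packet of a session.
Added example; the routing table is constructed."""
import ipaddress

# Constructed routing table: (prefix, interface, distance)
ROUTES = [
    ("0.0.0.0/0", "port1", 10),
    ("10.0.1.0/24", "port3", 0),
    ("10.0.2.0/24", "port2", 10),
    ("10.0.2.0/24", "port3", 20),   # backup path with a worse distance
]


def routes_to(ip):
    """Routes covering ip, best first (longest prefix, then lowest distance)."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), intf, dist) for p, intf, dist in ROUTES
            if addr in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda r: (-r[0].prefixlen, r[2]))


def rpf_check(src_ip, ingress, strict=False, src_check=True, asymroute=False):
    """True if the first packet of a session from src_ip on ingress is accepted."""
    if asymroute or not src_check:
        return True                  # RPF disabled system-wide or per interface
    hits = routes_to(src_ip)
    if not hits:
        return False                 # no route back to the source at all
    if not strict:
        # loose: any route to the source via the ingress interface is enough
        return any(intf == ingress for _, intf, _ in hits)
    # strict: only the best route(s) count; equal-cost best routes all qualify
    best_key = (hits[0][0].prefixlen, hits[0][2])
    best = [r for r in hits if (r[0].prefixlen, r[2]) == best_key]
    return any(intf == ingress for _, intf, _ in best)


if __name__ == "__main__":
    # A packet claiming a LAN source (10.0.1.10) that arrives on the WAN side.
    print("loose :", rpf_check("10.0.1.10", "port1"))
    print("strict:", rpf_check("10.0.1.10", "port1", strict=True))
```

The two prints are the security point: with a default route on port1, loose mode lets a packet that spoofs a LAN address in from the WAN interface, while strict mode rejects it because the best route to 10.0.1.0/24 is via port3.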

127
Q

An administrator is running the following sniffer command:
diagnose sniffer packet any “host 10.0.2.10” 3
What information will be included in the sniffer output? (Choose three.)

A
  1. IP header
  2. Ethernet header
  3. Packet payload

It really depends on the Verbosity Level. This specific question for Verbosity level 3 is ABC.

Verbose levels in detail:
1: print header of packets.
2: print header and data from IP of packets.
3: print header and data from Ethernet of packets.
4: print header of packets with interface name.
5: print header and data from IP of packets with interface name.
6: print header and data from Ethernet of packets with interface name.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186

128
Q

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)

A
  1. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.
  2. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

Three exhibits are missing. They are:

  1. proxy custom address named “Browser CAT1” for the local subnet with the user agents “Chrome and IE”
  2. proxy custom address named “Browser CAT2” for the local subnet with the user agent “Firefox”
  3. proxy policy with two lines:
    - Browser CAT2 & Local subnet & User B -> deny
    - Browser CAT1 & Local subnet & User all -> accept

Based on the above exhibits, only requests from Chrome and IE are allowed.

129
Q

The exhibit shows a FortiGate configuration.
How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires authorization?

A

It Authenticates the traffic using the authentication scheme SCHEME1.

“What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”.

130
Q

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

A
  1. Security policy
  2. SSL inspection and authentication policy

“NGFW policy based mode, you must configure a few policies to allow traffic:

SSL inspection & Authentication, Security policy”.

Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic from a specific user or user group, both Security and SSL Inspection & Authentication policies must be configured.

Fortigate_Security_7.0 (New Version) page 369. If you are using Policy Based Mode, SSL Inspection & Authentication (consolidated) and Security Policy are required to allow traffic.

131
Q

Which three methods are used by the collector agent for AD polling? (Choose three.)

A
  1. NetAPI
  2. WMI
  3. WinSecLog

Fortigate Infra SG 7.0 pg 255

132
Q

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A
  1. Source defined as Internet Services in the firewall policy.
  2. Destination defined as the Internet Services in the firewall policy.
  3. Services defined in the firewall policy.

Fortigate 7.0 Security pg 110

133
Q

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

A

Security posture

Descriptions of the three major scorecards are shown under Security Fabric > Security Rating > Security Posture.

  1. Security Posture: Identify configuration weaknesses and best practice violations in your deployment.
  2. Fabric Coverage: Identify where in your overall network the Security Fabric can enhance visibility and control.
  3. Optimization: Optimize your fabric deployment.

Reference: https://www.fortinet.com/content/dam/fortinet/assets/support/fortinet-recommended-security-best-practices.pdf

134
Q

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

A
  1. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
  2. Virtual IP addresses are used to distinguish between cluster members.

FortiGate_Infrastructure_7.0 page 326

135
Q

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

A

The internal IP address of the FortiGate device

The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. In the portal, bookmarks are used as links to internal network resources.

The source IP seen by the remote resources is the FortiGate's internal IP address, not the user's IP address.

136
Q

How do you format the FortiGate flash disk?

A

Select the format boot device option from the BIOS menu.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46582

137
Q

When configuring a firewall virtual wire pair policy, which of the following statements is true?

A

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/144614/allow-multiple-virtual-wire-pairs-in-a-virtual-wire-pair-policy

138
Q

What are the two results of this configuration? (Choose two.)

A
  1. A session for denied traffic is created.
  2. The number of logs generated by denied traffic is reduced.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328

139
Q

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A

The NetSessionEnum function is used to track user logouts.

Infrastructure 7.0 page 270
Infrastructure 7.0 page 255

140
Q

An administrator has configured outgoing interface any in a firewall policy.
Which statement is true about the policy list view?

A

Interface Pair view will be disabled.

141
Q

Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

A
  1. port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or different VDOMs.
  2. port1 is native VLAN.

142
Q

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A

IPS engine

143
Q

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

A

On idle

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD40813

144
Q

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

A
  1. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.
  2. Optimized performance compared to proxy-based inspection.
  3. FortiGate buffers the whole file but transmits to the client simultaneously.

Reference: https://forum.fortinet.com/tm.aspx?m=192309

145
Q

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

A

Implement web filter authentication for the specified website.

146
Q

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

A
  1. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
  2. FortiGate directs the collector agent to use remote LDAP server.

The correct statements about FortiGate FSSO agentless polling mode are:

B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. D. FortiGate directs the collector agent to use a remote LDAP server.

These two statements accurately describe the behavior of FortiGate FSSO agentless polling mode. The SMB protocol is used to read the event viewer logs from the domain controllers (DCs), and the FortiGate device directs the collector agent to use a remote LDAP server.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

147
Q

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A
  1. FortiSIEM
  2. FortiAnalyzer
  3. FortiCloud

Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-andreporting-overview

148
Q

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A
  1. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
  2. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

1: Non-load-balanced: traffic enters port1 and goes out port2 on FGT1. FGT2 is in primary mode.

2: In proxy inspection mode, the SYN packet goes to FGT1 port1. It is then forwarded to FGT2. The source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame of type 0x8891. The encapsulation is done only for the first packet of a load balanced session.

149
Q

Which of the following statements are true? (Choose two.)

A
  1. Browsers can be configured to retrieve this PAC file from the FortiGate.
  2. Any web request to fortinet.com is allowed to bypass the proxy.

150
Q

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy instead of separate policies.

Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

A
  1. The incoming interface, outgoing interface, schedule, and service fields can be shared with both IPv4 and IPv6.
  2. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.
  3. The IP version of the sources and destinations in a policy must match.

151
Q

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

A

SSL VPN idle-timeout

152
Q

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

A

Implement web filter authentication for the specified website.

153
Q

View the exhibit.

A

Addicting.Games is allowed based on the Application Overrides configuration.

154
Q

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

A
  1. execute ping
  2. execute traceroute
  3. diagnose sniffer packet any

155
Q

In which two ways can RPF checking be disabled? (Choose two.)

A
  1. Disable the RPF check at the FortiGate interface level for the source check.
  2. Enable asymmetric routing.

156
Q

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

A
  1. Create a new firewall policy with the new HTTP service and place it above the existing policy.
  2. Create a new service object for HTTP service and set session TTL to never.

157
Q

Based on the raw log, which two statements are correct? (Choose two.)

A
  1. Traffic belongs to the root VDOM
  2. This is a security log

  1. “vd=root” means the VDOM is root.
  2. “type=utm” means this is a security log event.

VDOM=root
Security=UTM

158
Q

Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)

A
  1. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
  2. Tunnels are negotiated dynamically between spokes.

159
Q

Which two statements are correct about SLA targets? (Choose two.)

A
  1. SLA targets are used only when referenced by an SD-WAN rule.
  2. SLA targets are optional.

Fortigate Infrastructure 7.0 Study Guide P.81

160
Q

Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

A

The two VLAN sub-interfaces must have different VLAN IDs.

Multiple VLANs can coexist on the same physical interface, provided they have different VLAN IDs.

161
Q

What does the configuration do? (Choose two.)

A
  1. Reduces the amount of logs generated by denied traffic.
  2. Creates session for traffic being denied.

1: Keeping the denied sessions in the session table reduces the number of session-denied events in the logs.
2: Denied sessions are kept in the session table.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328

162
Q

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A
  1. Proxy-based inspection
  2. Flow-based inspection

Fortigate Security 7.0 pg 368

Profile based - Flow or proxy based.

Policy based - flow only

163
Q

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

A
  1. There are 19 security recommendations for the security fabric.
  2. This security fabric topology is a logical topology view.

References:
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/761085/results
https://docs.fortinet.com/document/fortimanager/6.2.0/new-features/736125/security-fabric-topology

164
Q

Which security fabric feature causes an event trigger to monitor the network when a threat is detected?

A

Automation stitches

Each automation stitch pairs an event trigger with one or more actions; it allows you to monitor your network and take appropriate action when the Security Fabric detects a threat.

165
Q

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

A

Dialup user

Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client, and this is often the case for branch offices and mobile VPN clients that use dynamic IP addresses and no dynamic DNS.

166
Q

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

A

The CA certificate that signed the web-server certificate must be installed on the browser.

167
Q

In an explicit proxy setup, where is the authentication method and database configured?

A

Authentication scheme

168
Q

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

A

Web application firewall

Some FortiGate features are meant to protect clients, not servers. For example, FortiGuard web filtering blocks requests based on the category of the server’s web pages. Antivirus prevents clients from accidentally downloading spyware and worms. Neither protects a server (which doesn’t send requests—it receives them) from malicious scripts or SQL injections. Protecting web servers requires a different approach because they are subject to other kinds of attacks. This is where WAF applies. The WAF feature is available only in proxy inspection mode.

169
Q

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

A

Subject key identifier value

170
Q

An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

A

The firewall policy is not using a full SSL inspection profile.

An IPS sensor needs a firewall policy to work… and needs a policy with full SSL inspection to inspect encrypted traffic.

171
Q

An administrator created a static route for Amazon Web Services.
What CLI command must the administrator use to view the route?

A

diagnose firewall proute list

Reference: https://www.fortinetguru.com/2019/09/troubleshooting-sd-wan-fortios-6-2/

172
Q

An administrator has a requirement to keep an application session from timing out on port 80.
What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

A
  1. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
  2. Create a new service object for HTTP service and set the session TTL to never.

However, there is no option to set the session TTL to never; the range is from 300 to 2764800.

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-Session-TTL-Value-to-Never/ta-p/198289?externalID=FD48961

173
Q

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A
  1. To detect intermediary NAT devices in the tunnel path.
  2. To encapsulate ESP packets in UDP packets using port 4500.

When NAT-T is enabled on both ends, peers can detect any NAT device along the path. If NAT is found, then the following occurs:
  - Both phase 2 and remaining phase 1 packets change to UDP port 4500.
  - Both ends encapsulate ESP within UDP port 4500.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48755

174
Q

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

A

FortiGate will use port1 route as the primary candidate.

If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.

175
Q

The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?

A

Change Administrator profile.

Study Guide – Introduction and Initial Configuration – Basic Administration – Administrator Profiles. When assigning permissions to an admin profile, you can specify rw, ro, or none for each area. By default, there is a special profile super_admin, which is used by the account named admin. It cannot be changed. It provides full access to everything, making the admin account similar to a root superuser account. The prof_admin is another default profile. It also provides full access, but unlike super_admin, it only applies to its virtual domain and not the global settings of the FortiGate. Also, its permissions can be changed.

Reference:

“If you want to grant access to all VDOMs and global settings, select super_admin as the access profile when configuring the administrator account. Similar to the account named admin, this account can configure all VDOMs.”

Fortigate Infrastructure Study Guide v7.0, Page 117

176
Q

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
  - All traffic must be routed through the primary tunnel when both tunnels are up.
  - The secondary tunnel must be used only if the primary tunnel goes down.
In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes are needed in FortiGate to meet the design requirements? (Choose two.)

A
  1. Enable Dead Peer Detection
  2. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Study Guide – IPsec VPN – IPsec configuration – Phase 1 Network.

When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.

There are three DPD modes. On demand is the default mode.

Study Guide – IPsec VPN – Redundant VPNs.

Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.

Add at least one phase 2 definition for each phase 1.

Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing.

Configure FW policies for each IPsec interface.

177
Q

Based on the information shown in the exhibit, which statement is true?

A

One-to-one NAT IP pool is used in the firewall policy.

“one-to-one” is correct, See FortiGate Security 7.0 Study Guide P.164

“In one-to-one NAT, PAT is not required. The same source port is shown for both the ingress and egress address; this is also called a single mapping of an internal to an external address.”

178
Q

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A
  1. The sensor will block all attacks aimed at Windows servers.
  2. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.

Check on Fortigate Security Study Guide Page 532 ==> In the event of a false-positive outbreak, you can add the triggered signature as an individual signature and set the action to monitor. This allows you to monitor the signature events using the IPS log while investigating the false-positive issue.

179
Q

Which of the following are valid actions for a FortiGuard category based filter in a web filter profile in proxy-based inspection mode? (Choose two.)

A
  1. Warning
  2. Allowed

Fortigate_Security_7.0 page 379

180
Q

Which policy will be highlighted, based on the input criteria?

A

Policy with ID 5.

It’s coming from port 3 and hits Facebook-Web (Application); the screenshot shows that it allows HTTP and HTTPS traffic (80, 443).

181
Q

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)

A
  1. The two VLAN sub-interfaces must have different VLAN IDs.
  2. The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.

The question states that the VLANs are on a single interface. One interface cannot be in two VDOMs. You can, though, have the same VLAN ID as long as it is in a different subnet. We have tested this and it is true. We can assume it’s the same as giving an interface a secondary IP address.

We also tested it by creating two subinterfaces with the same VLAN ID, each under a different physical interface, all in one VDOM. The firewall accepted it without any problem. But of course it couldn’t accept the same scenario when two subinterfaces with the same VLAN ID were added under the same physical interface. So answer C is definitely correct and B doesn’t seem to be correct.

182
Q

An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?

A

Strict RPF checks the best route back to the source using the incoming interface.

183
Q

An administrator has configured the following settings:
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)

A
  1. The number of logs generated by denied traffic is reduced.
  2. A session for denied traffic is created.

The timer is configured in seconds, not minutes.

ses-denied-traffic: Enable/disable including denied sessions in the session table.
block-session-timer: Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478

184
Q

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

A

Change the csf setting on both devices to set downstream-access enable.

Because D is already set to default (Global CMDB objects will be synchronized in Security Fabric.)

The root device has downstream access disabled, so it needs to be enabled to sync the object.
downstream-access - Enable/disable downstream device access to this device’s configuration and data.
disable - Disable downstream device access to this device’s configuration and data.

Reference: https://docs.fortinet.com/document/fortigate/7.2.0/cli-reference/147620/config-system-csf

185
Q

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

A
  1. Fortigate has entered conserve mode.
  2. Administrators cannot change the configuration.

What actions does FortiGate take to preserve memory while in conserve mode?
* FortiGate does not accept configuration changes, because they might increase memory usage.
* FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.
* You can configure the fail-open setting under config ips global to control how the IPS engine behaves when the IPS socket buffer is full.

Based on the system performance output, it appears that FortiGate has entered conserve mode and administrators cannot change the configuration.

FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational capacity in order to conserve resources and improve performance. This may be necessary if the system is experiencing high levels of traffic or if there are issues with resource utilization.

Administrators cannot change the configuration: When the system is in conserve mode, administrators may not be able to change the configuration. This is because the system is prioritizing resource conservation over other activities, and making changes to the configuration may require additional resources that are not available.

It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and administrators may still be able to access FortiGate through other means besides the console port.

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580

186
Q

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

A

192.168.2.0/24

Quick mode selectors need to be mirrored on both sides, so the remote network on site A is the local network on site B.

For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B.

To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A.

Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.

187
Q

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A
  1. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
  2. The client FortiGate requires the SSL VPN tunnel interface type to connect to SSL VPN.

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.

The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

Reference: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/508779/fortigate-as-ssl-vpn-client

188
Q

Which statement correctly describes the use of reliable logging on FortiGate?

A

Reliable logging is required to encrypt the transmission of logs.

Reliable logging changes the log transport delivery from UDP to TCP. Then, only if you are using Reliable logging, you can do encryption.

NSE 4 7.2 training material: FortiGate Security: 05 Logging and Monitoring: page 22, Reliable logging and OFTPs

NSE4 - Security Training 7.2 - Study Guide, page 191.

“If using reliable logging, you can encrypt communications using SSL-secured OFTP.”

189
Q

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP pool.
The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

A

10.200.1.100

From LAN to WAN, the source NAT will use the IP pool with the configured address 10.200.1.100.

Destination NAT, from WAN to LAN, will use the VIP.

The question says SNAT, so the only correct answer here (looking at the IP Pool) is D.

190
Q

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

A

In the VIP configuration, enable arp-reply.

In the routing table of the ISP we can see that the route is C (connected), which means that if there is no ARP entry, traffic will be dropped by the ISP, and this is why there are no packets in the FortiGate sniffer.

The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VIP (enabled by default, here disabled) to facilitate routing on the upstream network.

191
Q

Which two statements are true about the FGCP protocol? (Choose two.)

A
  1. FGCP elects the primary FortiGate device.
  2. FGCP runs only over the heartbeat links.

The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA) clusters of FortiGate devices. It performs several functions, including the following:

FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate device will be the primary device, responsible for handling traffic and making decisions about what to allow or block. FGCP uses a variety of factors, such as the device’s priority, to determine which device should be the primary.

FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA cluster using the heartbeat links. These are dedicated links that are used to exchange status and control information between the devices. FGCP does not run over other types of links, such as data links.

192
Q

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

A
  1. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  2. Enable Dead Peer Detection.

Lower distance = higher priority.

Dead peer detection does heartbeat testing of VPN tunnels.

193
Q

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A
  1. FortiGate uses fewer resources.
  2. FortiGate adds less latency to traffic.

Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive than proxy-based inspection, and it offers several benefits over this approach.

Two benefits of flow-based inspection compared to proxy-based inspection are:

FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based inspection, which can help to improve the performance of the firewall device and reduce the impact on overall system performance.

FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based inspection, which can be important for real-time applications or other types of traffic that require low latency.

  1. Fewer resources, since it does not need to keep much in memory.
  2. Samples traffic while it goes by, and only makes the allow or deny decision on the last packet, so the client does not have to wait for FortiGate to scan the bulk of the packets.

194
Q

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A
  1. www.example.com
  2. example.com

To create a web rating override for the home page of the example.com domain, the administrator must use one of the following syntaxes:

www.example.com: This syntax specifies the fully qualified domain name (FQDN) of the website, including the www subdomain. This syntax will apply the web rating override to all pages on the website, including the home page.

example.com: This syntax specifies the root domain of the website, without the www subdomain. This syntax will also apply the web rating override to all pages on the website, including the home page.

195
Q

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

A

On the Static URL Filter configuration, set Action to Exempt.

Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has also configured a Static URL Filter to block access to twitter.com. As a result, users are being redirected to a block page when they try to access twitter.com.

To allow users to access twitter.com while blocking all other social networking sites, the administrator can make the following configuration change:

On the Static URL Filter configuration, set Action to Exempt: By setting the Action to Exempt, the administrator can override the block on twitter.com that was specified in the FortiGuard Category Based Filter. This will allow users to access twitter.com, while all other social networking sites will still be blocked.

Note: Tested this in a lab environment and to make this work as stated in the question the Exempt action is the only way to go, and also *.twimg.com will have to be added to the URL Filter with an Exempt action for this situation to really work!

196
Q

Which three statements explain a flow-based antivirus profile? (Choose three.)

A
  1. A Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
  2. FortiGate buffers the whole file but transmits to the client at the same time.
  3. Flow-based inspection optimizes performance compared to proxy-based inspection.

1: Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection.

2: The IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Some operations can be offloaded to SPUs to improve performance (not C).

3: If performance is your top priority, then flow inspection mode is more appropriate.

197
Q

Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A
  1. Services defined in the firewall policy
  2. Destination defined as Internet Services in the firewall policy.
  3. Source defined as Internet Service in the firewall policy.

Policy ID is not a matching criterion; it is only used for editing purposes. There is no priority value on policies; only their order affects the matching process.

198
Q

What are two functions of ZTNA? (Choose two.)

A
  1. ZTNA provides a security posture check.
  2. ZTNA provides role-based access.

ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to network resources for users, devices, and applications. It is based on the principle of “never trust, always verify,” which means that all access to network resources is subject to strict verification and authentication.

Two functions of ZTNA are:

ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are attempting to access network resources. This can include checks on the device’s software and hardware configurations, security settings, and the presence of malware.

ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are granted access to only those resources that are necessary for their role, and all other access is denied. This helps to prevent unauthorized access and minimize the risk of data breaches.

199
Q

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

A

Dialup user

200
Q

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

A

SSL VPN idle-timeout

The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.

201
Q

Which statement is correct regarding the use of application control for inspecting web applications?

A

Application control can identify child and parent applications and perform different actions on them.

Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application control is enabled, FortiGate can identify child and parent applications, and can perform different actions on them based on the configuration.

The FortiGuard application control signature database is organized in a hierarchical structure. This gives you the ability to inspect the traffic with more granularity. You can block Facebook applications while allowing users to collaborate using Facebook chat.

202
Q

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.
The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two.)

A
  1. The website is exempted from SSL inspection.
  2. The selected SSL inspection profile has certificate inspection enabled.

Deep inspection needs to be enabled.

We’re not talking about certificate trust warnings. The file was not decrypted, so the antivirus engine could not recognize the payload as a virus.

203
Q

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A
  1. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
  2. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

1: Non-load balanced: traffic enters port1 and goes out port2 on FGT1. FGT2 is in primary mode.

2: In proxy inspection mode, the SYN packet goes to FGT1 port1. It is then forwarded to FGT2. The source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame of type 0x8891. The encapsulation is done only for the first packet of a load balanced session.

204
Q

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

A
  1. The keyUsage extension must be set to keyCertSign.
  2. The CA extension must be set to TRUE.

Full SSL inspection - Certificate requirements:

FortiGate is acting as a proxy web server. In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.

205
Q

Which two configuration settings are global settings? (Choose two.)

A
  1. HA settings
  2. FortiGuard settings

HA configuration overview. The purpose of an HA configuration is to reduce downtime when a zone or instance becomes unavailable. This might happen during a zonal outage, or when an instance runs out of memory. With HA, your data continues to be available to client applications.

FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system’s built-in FDS as an FDN override server.

206
Q

Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled?

A

Volume based

Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled.

What is a load balancing method?

A load balancing method is an algorithm used to distribute incoming requests or traffic among the servers in a server pool.

Note that the volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled.

207
Q

Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)

A
  1. IPS
  2. Application Control

208
Q

Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)

A
  1. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
  2. Six packets are usually exchanged during main mode, while three packets are exchanged during aggressive mode.

209
Q

Which route will be selected when trying to reach 10.20.30.254?

A

10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]

210
Q

What does the command diagnose debug fsso-polling refresh-user do?

A

It refreshes all users learned through agentless polling.

211
Q

Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.

Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.)

A
  1. A static route in VDOM2 for the destination subnet 10.0.1.0/24.
  2. A static route in VDOM1 for the destination subnet 10.0.2.0/24.

212
Q

An administrator configured the antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only.

What is causing this issue?

A

Full SSL inspection is disabled.

213
Q

An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.
Which two items must they configure on their FortiGate to accomplish this? (Choose two.)

A
  1. A DoS policy, and log all UDP and TCP scan attempts.
  2. An IPS sensor to monitor all signatures applicable to the server.

214
Q

Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)

A
  1. SSH
  2. Trusted host
  3. HTTPS

215
Q

Which statement about firewall policy NAT is true?

A

You must configure SNAT for each firewall policy.

216
Q

Which statement about traffic flow in an active-active HA cluster is true?

A

The SYN packet from the client always arrives at the primary device first.

217
Q

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)

A
  1. Multiple interfaces can be selected as incoming and outgoing interfaces.
  2. A zone can be chosen as the outgoing interface.

218
Q

date=2022-06-14 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgdallow level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous" group="ldapusers" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="WebfilterProfile" profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140 catdesc="custom1"

What two things does this raw log indicate? (Choose two.)

A
  1. A FortiGate allowed the traffic to pass.
  2. The traffic matches the webfilter profile on firewall policy ID 2.

219
Q

FortiGate is configured for firewall authentication.

When attempting to access an external website, the user is not presented with a login prompt.
What is the most likely reason for this situation?

A

The user was authenticated using passive authentication.

220
Q

An administrator has configured central DNAT and virtual IPs.
Which item can be selected in the firewall policy Destination field?

A

The mapped IP address object of the VIP object.

  • when central NAT is enabled => put the mapped IP address of the VIP object.
  • when central NAT is disabled => put the VIP object.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38995

221
Q

Which three actions are valid for static URL filtering? (Choose three.)

A
  1. Block
  2. Exempt
  3. Allow

222
Q

Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)

A
  1. FortiAnalyzer IP address
  2. Fabric name

223
Q

Which two statements about the application control profile mode are true? (Choose two.)

A
  1. It uses flow-based scanning techniques, regardless of the inspection mode used.
  2. It can be selected in either flow-based or proxy-based firewall.

224
Q

Which are two benefits of using SD-WAN? (Choose two.)

A
  1. WAN is used effectively.
  2. Application steering is available.

225
Q

Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)

A
  1. FortiGate can act as an LDAP client to configure group filters.
  2. It supports monitoring of nested groups.

226
Q

An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the VDOM named Corporation.

What interface must be used as the source for the firewall policy that will allow this traffic?

A

ssl.Corporation

227
Q

Which two behaviors result from this full (deep) SSL configuration? (Choose two.)

A
  1. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
  2. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.

228
Q

Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?

A

It captures the login events and forwards them to the collector agent.

There is no requirement to record this information, as it is the FSSO role to authenticate logon events. If it were to log logoff events, it would just be a waste of resources.

Reference: https://docs.fortinet.com/document/fortimanager/6.0.0/managing-fortios-and-fsso/869241/dc-agent-mode-and-polling-mode#:~:text=DC%20agent%20mode%20is%20the,it%20to%20the%20FortiGate%20unit.

229
Q

Which two IP pool types enable you to identify user connections without having to log user traffic? (Choose two.)

A
  1. Fixed port range
  2. Port block allocation

230
Q

An administrator wants to block https://www.example.com/videos and allow all other URLs on the website.
What are two configuration changes that the administrator can make to satisfy the requirement? (Choose two.)

A
  1. Enable full SSL inspection.
  2. Configure a static URL filter entry for the URL and select block as the action.

231
Q

Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)

A
  1. FortiToken
  2. Email
  3. SMS text message

232
Q

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.

Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.)

A
  1. Loose RPF check will allow the traffic.
  2. Strict RPF check will deny the traffic.

233
Q

Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode, are true? (Choose two.)

A
  1. The client must wait for the antivirus scan to finish scanning before it receives the file.
  2. If a virus is detected, a block replacement message is displayed immediately.

234
Q

Which two statements about FortiGate antivirus databases are true? (Choose two.)

A
  1. The extreme database is available only on certain FortiGate models.
  2. The extended database is available on all FortiGate models.

235
Q

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

A
  1. FortiGate SN FGVM010000065036 HA uptime has been reset.
  2. FortiGate SN FGVM010000064692 has the higher priority.

  1. Override is disabled by default - OK
  2. “If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA uptime of the other FortiGate devices, it becomes the primary.” The question here is: is the HA uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes). Page 314, Infra Study Guide. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab

236
Q

Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

A

The IPS engine was inspecting a high volume of traffic.

If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be.

Option 5 enables IPS bypass mode.

In this mode, the IPS engine is still running, but it is not inspecting traffic.

If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.

If the CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine, which you must report to Fortinet Support.