NSE4 Flashcards

1
Q
Which user group types does FortiGate support for firewall authentication? (Choose three.)
A. RSSO
B. Firewall
C. LDAP
D. NTLM
E. FSSO
A

A. RSSO
B. Firewall
E. FSSO

2
Q

Which of the following settings can be configured per VDOM? (Choose three)
A. Operating mode (NAT/route or transparent)
B. Static routes
C. Hostname
D. System time
E. Firewall Policies

A

A. Operating mode (NAT/route or transparent)
B. Static routes
E. Firewall Policies

3
Q

Which best describes the mechanism of a TCP SYN flood?
A. The attacker keeps open many connections with slow data transmission so that other clients cannot start new connections.

B. The attacker sends packets designed to sync with the FortiGate.

C. The attacker sends a specially crafted malformed packet, intended to crash the target by exploiting its parser.

D. The attacker starts many connections, but never acknowledges to fully form them.

A

D. The attacker starts many connections, but never acknowledges to fully form them.

4
Q
What attributes are always included in a log header? (Choose three.)
A. policyid
B. level
C. user
D. time
E. subtype
F. duration
A

B. level
D. time
E. subtype

5
Q

When does a FortiGate load-share traffic between two static routes to the same destination subnet?
A. When they have the same cost and distance.
B. When they have the same distance and the same weight.
C. When they have the same distance and different priority.
D. When they have the same distance and same priority.

A

D. When they have the same distance and same priority.

6
Q

Which statement describes an advantage of using a hub and spoke IPsec VPN configuration instead of a fully-meshed set of IPsec tunnels?
A. Using a hub and spoke topology provides full redundancy.
B. Using a hub and spoke topology requires fewer tunnels.
C. Using a hub and spoke topology uses stronger encryption protocols.
D. Using a hub and spoke topology requires more routes.

A

B. Using a hub and spoke topology requires fewer tunnels.

7
Q

An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?
A. The IPsec firewall policies must be placed at the top of the list.
B. This VPN cannot be used as a part of a hub and spoke topology.
C. Routes are automatically created based on the quick mode selectors.
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.

A

D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.

8
Q

Which of the following email spam filtering features is NOT supported on a FortiGate unit?
A. Multipurpose Internet Mail Extensions (MIME) Header Check
B. HELO DNS Lookup
C. Greylisting
D. Banned Word

A

C. Greylisting

9
Q
Which IPSec mode includes the peer id information in the first packet?
A. Main mode.
B. Quick mode.
C. Aggressive mode.
D. IKEv2 mode.
A

C. Aggressive mode.

10
Q
What actions are possible with Application Control? (Choose three.)
A. Warn
B. Allow
C. Block
D. Traffic Shaping
E. Quarantine
A

B. Allow
C. Block
D. Traffic Shaping

11
Q
Which is not a FortiGate feature?
A. Database auditing
B. Intrusion prevention
C. Web filtering
D. Application control
A

A. Database auditing

12
Q
In FortiOS session table output, what is the correct proto_state number for an established, non-proxied TCP connection?
A. 00
B. 11
C. 01
D. 05
A

C. 01

13
Q

A FortiGate device is configured with four VDOMs: ‘root’ and ‘vdom1’ are in NAT/route mode; ‘vdom2’ and ‘vdom3’ are in transparent mode. The management VDOM is ‘root’.
Which of the following statements are true? (Choose two.)
A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and ‘vdom2’ can be created.
C. An inter-VDOM link between ‘vdom2’ and ‘vdom3’ can be created.
D. Inter-VDOM links must be manually configured for FortiGuard traffic.

A

A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and ‘vdom2’ can be created.

14
Q

Examine the following log message attributes and select two correct statements from the list below. (Choose two.)

hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"
A. The traffic was blocked.
B. The user failed authentication.
C. The category action was set to warning.
D. The website was allowed

A

C. The category action was set to warning.

D. The website was allowed

15
Q

Which of the following statements are true about PKI users created in a FortiGate device?
(Choose two.)
A. Can be used for token-based authentication
B. Can be used for two-factor authentication
C. Are used for certificate-based authentication
D. Cannot be members of user groups

A

A. Can be used for token-based authentication

B. Can be used for two-factor authentication

16
Q

Which is a more accurate description of a modern firewall?

A. A device that inspects network traffic at an entry point to the internet and within a simple, easily defined network perimeter
B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points

A

B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points

17
Q

Which solution, specific to Fortinet, enhances performance and reduces latency for specific features and traffic?

A. Acceleration hardware, called SPUs (Security Processing Units)

B. Increased RAM and CPU power

A

A. Acceleration hardware, called SPUs (Security Processing Units)

18
Q

Which protocol does FortiGate use to download antivirus and IPS packages?

A. UDP

B. TCP

A

B. TCP

19
Q

How does FortiGate check content for spam or malicious websites?

A. Live queries to FortiGuard over UDP or HTTPS

B. Local verification using downloaded web filter database locally on FortiGate

A

A. Live queries to FortiGuard over UDP or HTTPS

20
Q

How do you restrict logins to FortiGate from only specific IP addresses?

A. Change FortiGate management interface IP addresses

B. Configure trusted host

A

B. Configure trusted host

21
Q

As a best security practice when configuring administrative access to FortiGate, which protocol should you disable?

A. Telnet

B. SSH

A

A. Telnet

22
Q

When configuring FortiGate as a DHCP server, to restrict access by MAC address, what does the Assign IP option do?

A. Assigns a specific IP address to a MAC address

B. Dynamically assigns an IP to a MAC address

A

B. Dynamically assigns an IP to a MAC address

23
Q

When configuring FortiGate as a DNS server, which resolution method only uses the FortiGate DNS database to try to resolve queries?

A. Non-recursive

B. Recursive

A

A. Non-recursive

24
Q

Which traffic is always generated from the management VDOM?

A. Link Health Monitor

B. FortiGuard

A

B. FortiGuard

25
Q

Which statement about the management VDOM is true?

A. It is root by default and cannot be changed in multi-vdom mode.

B. It is root by default, but can be changed to any VDOM in multi-vdom mode.

A

B. It is root by default, but can be changed to any VDOM in multi-vdom mode.

26
Q

When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration file was produced, what must you also provide?

A. The password to decrypt the file

B. The private decryption key to decrypt the file

A

A. The password to decrypt the file

27
Q

Which document should you consult to increase the chances of success before upgrading or downgrading firmware?

A. Cookbook

B. Release Notes

A

B. Release Notes

28
Q

What is the Fortinet Security Fabric?

A. A Fortinet solution that enables communication and visibility among devices of your network

B. A device that can manage all your firewalls

A

A. A Fortinet solution that enables communication and visibility among devices of your network

29
Q

Which combination of devices must participate in the Security Fabric?

A. A FortiAnalyzer and two or more FortiGate devices

B. A device that can manage all your firewalls

A

A. A FortiAnalyzer and two or more FortiGate devices

30
Q

What are the two mandatory settings of the Security Fabric configuration?

A. Fabric name and Security Fabric role

B. Fabric name and FortiManager IP address

A

A. Fabric name and Security Fabric role

31
Q

From where do you authorize a device to participate in the Security Fabric?

A. From the downstream FortiGate

B. From the root FortiGate

A

B. From the root FortiGate

32
Q

Why should an administrator extend the Security Fabric to other devices?

A. To provide a single pane of glass for management and reporting purposes

B. To eliminate the need to purchase the licenses for FortiGate devices in the Security Fabric

A

A. To provide a single pane of glass for management and reporting purposes

33
Q

What is the purpose of Security Fabric external connectors?

A. External connectors allow you to integrate multi-cloud support with the Security Fabric

B. External connectors allow you to connect the FortiGate command line interface (CLI)

A

A. External connectors allow you to integrate multi-cloud support with the Security Fabric

34
Q

Which one is a part of the Security Rating scorecard?

A. Firewall Policy

B. Optimization

A

B. Optimization

35
Q

From which view can an administrator deauthorize a device from the Security Fabric?

A. From the physical topology view

B. From the Fortiview

A

A. From the physical topology view

36
Q

What criteria does FortiGate use to match traffic to a firewall policy?

A. Source and destination interfaces

B. Security profiles

A

A. Source and destination interfaces

37
Q

What must be selected in the Source field of a firewall policy?

A. At least one address object or ISDB

B. At least one source user and one source address object

A

A. At least one address object or ISDB

38
Q

To configure a firewall policy, you must include a firewall policy name when configuring using the ____.

A. CLI

B. GUI

A

B. GUI

39
Q

What is the purpose of applying security profiles to a firewall policy?

A. To allow access to specific subnets

B. To protect your network from threats, and control access to specific applications and URLs

A

B. To protect your network from threats, and control access to specific applications and URLs

40
Q

If you configure a firewall policy with the any interface, in which view only can you see it in the firewall policy list?

A. The By Sequence View

B. The Interface Pair View

A

A. The By Sequence View

41
Q

Which of the following naming formats is correct when configuring a name for a firewall address object?

A. Good_Training

B. Good(Training)

A

A. Good_Training

42
Q

What is the purpose of the policy lookup feature on FortiGate?

A. To find a matching policy based on input criteria

B. To block traffic based on input criteria

A

A. To find a matching policy based on input criteria

43
Q

What is NAT used for?

A. Preserving IP addresses

B. Traffic shaping

A

A. Preserving IP addresses

44
Q

Which statement about NAT66 is true?

A. It is NAT between two IPv6 networks.

B. It is NAT between two IPv4 networks.

A

A. It is NAT between two IPv6 networks.

45
Q

What is the default IP pool type?

A. One-to-one

B. Overload

A

B. Overload

46
Q

Which of the following is the default VIP type?

A. static-nat

B. load-balance

A

A. static-nat

47
Q

Which statement is true?

A. Central NAT is not enabled by default

B. Both central NAT and firewall policy NAT can be enabled together

A

A. Central NAT is not enabled by default

48
Q

What happens if there is no matching central SNAT policy or no central SNAT policy configured?

A. The egress interface IP will be used.

B. NAT will not be applied to the firewall session.

A

B. NAT will not be applied to the firewall session.

49
Q

Which method would you use for advanced application tracking and control?

A. Session helper

B. Application layer gateway

A

B. Application layer gateway

50
Q

Which profile is an example of application layer gateway?

A. WAF (Web Application Firewall) profile

B. VOIP (Voice over IP) profile

A

B. VOIP (Voice over IP) profile

51
Q

If session diagnostic output indicates that a TCP protocol state is proto_state=01, which is true?

A. The session is established

B. The session is not established

A

A. The session is established

52
Q

An administrator wants to check the total number of TCP sessions for an IP pool named INTERNAL. Which CLI command should the administrator use?

A. diagnose firewall ippool-all stats INTERNAL

B. diagnose firewall ippool-all list INTERNAL

A

A. diagnose firewall ippool-all stats INTERNAL

53
Q

Which firewall authentication method does FortiGate support?

A. Local password authentication

B. Biometric authentication

A

A. Local password authentication

54
Q

Which type of token can generate OTPs to provide two-factor authentication to users in your network?

A. FortiToken Mobile

B. USB FortiToken

A

A. FortiToken Mobile

55
Q

When FortiGate uses a RADIUS server for remote authentication, which statement about RADIUS is true?

A. FortiGate must query the remote RADIUS server using the distinguished name (dn).

B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.

A

B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.

56
Q

What is a valid reply from RADIUS server to an ACCESS_REQUEST packet from FortiGate?

A. ACCESS-PENDING

B. ACCESS-REJECT

A

B. ACCESS-REJECT

57
Q

A remote LDAP user is trying to authenticate with a username and password. How does FortiGate verify the login credentials?

A. FortiGate queries its own database for user credentials.

B. FortiGate sends the user-entered credentials to the remote server for verification.

A

B. FortiGate sends the user-entered credentials to the remote server for verification.

58
Q

Which statement about guest user groups is true?

A. Guest user group accounts are temporary.

B. Guest user group accounts passwords are temporary.

A

A. Guest user group accounts are temporary.

59
Q

Guests accounts are most commonly used for which purposes?

A. To provide temporary visitor access to corporate network resources

B. To provide temporary visitor access to wireless networks

A

B. To provide temporary visitor access to wireless networks

60
Q

Firewall policies dictate whether a user or device can or cannot authenticate on a network. Which statement about firewall authentication is true?

A. Firewall policies can be configured to authenticate certificate users.

B. The order of the firewall policies always determines whether a user’s credentials are determined actively or passively.

A

A. Firewall policies can be configured to authenticate certificate users.

61
Q

Which statement about active authentication is true?

A. Active authentication is always used before passive authentication.

B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.

A

B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.

62
Q

Which statement about captive portal is true?

A. Captive portal must be hosted on a FortiGate device.

B. Captive portal can exempt specific devices from authenticating.

A

B. Captive portal can exempt specific devices from authenticating.

63
Q

Which statement best describes the authentication idle timeout feature on FortiGate?

A. The length of time FortiGate waits for the user to enter their authentication credentials

B. The length of time an authenticated user is allowed to remain authenticated without any packets being generated by the host device

A

B. The length of time an authenticated user is allowed to remain authenticated without any packets being generated by the host device

64
Q

Which command would you use to identify the IP addresses of all authenticated users?

A. diagnose firewall auth clear

B. diagnose firewall auth list

A

B. diagnose firewall auth list

65
Q

Which type of logs are application control, web filter, antivirus, and DLP?

A. Event

B. Security

A

B. Security

66
Q

The log _______ contains fields that are common to all log types, such as originating date and time, log identifier, log category, and VDOM.

A. header

B. body

A

A. header

67
Q

Which storage type is preferred for logging?

A. Remote Logging

B. Hard drive

A

A. Remote Logging

68
Q

Which protocol does FortiGate use to send encrypted logs to FortiAnalyzer?

A. OFTPS

B. SSL

A

A. OFTPS

69
Q

If you enable reliable logging, which transport protocol will FortiGate use?

A. UDP

B. TCP

A

B. TCP

70
Q

In your firewall policy, which setting must you enable to generate logs on traffic sent through that firewall policy?

A. Log Allowed Traffic

B. Event Logging

A

A. Log Allowed Traffic

71
Q

With email alerts, you can trigger alert emails based on ____ or log severity level.

A. event

B. threat weight

A

A. event

72
Q

What happens when logs roll?

A. It lowers the space requirements needed to contain those logs.

B. They are uploaded to an FTP server.

A

A. It lowers the space requirements needed to contain those logs.

73
Q

When you download logs on the GUI, ____

A. all logs in the SQL database are downloaded.

B. only your current view, including any filters set, are downloaded.

A

B. only your current view, including any filters set, are downloaded.

74
Q

Which attribute or extension identifies the owner of a certificate?

A. The subject name in the certificate

B. The unique serial number in the certificate

A

A. The subject name in the certificate

75
Q

How does FortiGate determine if a certificate has been revoked?

A. It checks the CRL that resides on the FortiGate

B. It retrieves the CRL from a directory server

A

A. It checks the CRL that resides on the FortiGate

76
Q

Which certificate extension and value is required in the FortiGate CA certificate in order to enable full SSL inspection?

A. CRL DP=ca_arl.arl

B. cA=True

A

B. cA=True

77
Q

Which configuration requires FortiGate to act as a CA for full SSL inspection?

A. Multiple clients connecting to multiple servers

B. Protecting the SSL server

A

A. Multiple clients connecting to multiple servers

78
Q

Which CSR enrollment method is supported by FortiGate?

A. Enrollment over Secure Transport (EST)

B. Simple Certificate Enrollment Protocol (SCEP)

A

B. Simple Certificate Enrollment Protocol (SCEP)

79
Q

After a CSR has been enrolled and imported into FortiGate, the status of the certificate should change to:

A. Valid

B. Pending

A

A. Valid

80
Q

Which is the default inspection mode on a firewall policy?

A. Proxy based

B. Flow based

A

B. Flow based

81
Q

How does NGFW policy-based mode differ from profile-based mode?

A. Policy-based flow inspection supports web profile overrides.

B. Policy-based flow inspection defines URL filters directly in the firewall policy.

A

B. Policy-based flow inspection defines URL filters directly in the firewall policy.

82
Q

Which statement about proxy-based web filtering is true?

A. It requires more resources than flow-based

B. It transparently analyzes the TCP flow of the traffic

A

A. It requires more resources than flow-based

83
Q

Which is a valid action for FortiGuard web category filtering?

A. Allow

B. Deny

A

A. Allow

84
Q

Which is a valid action for static URL filtering?

A. Exempt

B. Warning

A

A. Exempt

85
Q

Which action can be used with the FortiGuard quota feature?

A. Monitor

B. Shape

A

A. Monitor

86
Q

Which statement about web profile overrides is true?

A. It is used to change the website category.

B. Configured users can activate this setting through an override link on the FortiGuard block page.

A

B. Configured users can activate this setting through an override link on the FortiGuard block page.

87
Q

Which is required to configure YouTube video filtering?

A. YouTube API key

B. username

A

A. YouTube API key

88
Q

Which action can be used with the video FortiGuard categories?

A. Authenticate

B. Monitor

A

B. Monitor

89
Q

Which statement about blocking the known botnet command and control domains is true?

A. DNS lookups are checked against the botnet command and control database.

B. The botnet command and control domains can be enabled on the web filter profile.

A

A. DNS lookups are checked against the botnet command and control database.

90
Q

Which security profile inspects only the fully qualified domain name?

A. Web Filter

B. DNS Filter

A

B. DNS Filter

91
Q

You have configured your security profiles, but they are not performing web or DNS inspection. Why?

A. The certificate is not installed correctly

B. The profile is not associated with the correct firewall policy.

A

B. The profile is not associated with the correct firewall policy.

92
Q

Which statement about application control is true?

A. Application control uses the IPS engine to scan traffic for application patterns.

B. Application control is unable to scan P2P architecture traffic.

A

A. Application control uses the IPS engine to scan traffic for application patterns.

93
Q

Which statement about the application control database is true?

A. The application control database is separate from the IPS database.

B. The application control database must be updated manually.

A

A. The application control database is separate from the IPS database.

94
Q

Which statement about application control in a NGFW policy-based configuration is true?

A. Applications are applied directly to the security policies.

B. The application control profiles must be applied to firewall policies.

A

A. Applications are applied directly to the security policies.

95
Q

Which statement about the HTTP block page for application control is true?

A. It can be used only for web applications.

B. It works for all types of applications.

A

A. It can be used only for web applications.

96
Q

Where do you enable logging of application control events?

A. Application control logs are enabled in the firewall policy configuration.

B. Application control logs are enabled on the FortiView Applications page of FortiGate.

A

A. Application control logs are enabled in the firewall policy configuration.

97
Q

Which piece of information is not included in the application event log when using NGFW policy-based mode?

A. Application control profile name

B. Application name

A

A. Application control profile name

98
Q

Which protocol does FortiGate use with FortiGuard to receive updates for application control?

A. UDP

B. TCP

A

B. TCP

99
Q

Which SSL/SSH inspection method is recommended for use with application control scanning to improve application detection?

A. Certificate-based inspection profile

B. Deep-inspection profile

A

B. Deep-inspection profile

100
Q

If antivirus, grayware, and AI scans are enabled, in what order are they performed?

A. AI scan, followed by grayware scan, followed by antivirus scan

B. Antivirus scan, followed by grayware scan, followed by AI scan

A

B. Antivirus scan, followed by grayware scan, followed by AI scan

101
Q

Which database can be manually selected for use in antivirus scanning?

A. Extended and Extreme

B. Quick, Normal, and Extreme

A

A. Extended and Extreme

102
Q

What three additional features of an antivirus profile are available in proxy-based inspection mode?

A. MAPI, SSH and CDR

B. Full and quick

A

A. MAPI, SSH and CDR

103
Q

What antivirus database is limited to specific FortiGate models?

A. Extended

B. Extreme

A

B. Extreme

104
Q

What is the default scanning behavior for files over 10 MB?

A. Allow the file without scanning

B. Block all large files that exceed the buffer threshold

A

A. Allow the file without scanning

105
Q

Which type of inspection mode can be offloaded using NTurbo hardware acceleration?

A. Proxy-based

B. Flow-based

A

B. Flow-based

106
Q

What does the logging of oversized files option do?

A. Enables logging of all files that cannot be scanned because of oversize limit

B. Logs all files that are over 5 MB

A

A. Enables logging of all files that cannot be scanned because of oversize limit

107
Q

What command do you use to force FortiGate to check for new antivirus updates?

A. execute update antivirus

B. execute update-av

A

B. execute update-av

108
Q

Which IPS action allows traffic and logs the activity?

A. Allow

B. Monitor

A

B. Monitor

109
Q

Which IPS component is updated most frequently?

A. Protocol decoders

B. IPS signature database

A

B. IPS signature database

110
Q

Which behavior is a characteristic of a DoS attack?

A. Attempts to exploit a known application vulnerability

B. Attempts to overload a server with TCP SYN packets

A

B. Attempts to overload a server with TCP SYN packets

111
Q

Which DoS anomaly sensor can be used to detect and block the probing attempts of a port scanner?

A. tcp_syn_flood

B. tcp_port_scan

A

B. tcp_port_scan

112
Q

WAF protocol constraints protect against which type of attacks?

A. Buffer overload

B. ICMP sweep

A

A. Buffer overload

113
Q

To use WAF feature, which inspection mode should be used in the firewall policy?

A. Flow

B. Proxy

A

B. Proxy

114
Q

Which chipset uses NTurbo to accelerate IPS sessions?

A. CP9

B. SoC4

A

B. SoC4

115
Q

Which feature requires full SSL inspection to maximize its detection capability?

A. WAF

B. DoS

A

A. WAF

116
Q

Which FQDN does FortiGate use to obtain IPS updates?

A. update.fortiguard.net

B. service.fortiguard.com

A

A. update.fortiguard.net

117
Q

When IPS fail open is triggered, what is the expected behavior, if the IPS fail-open option is set to enabled?

A. New packets pass through without inspection

B. New packets dropped

A

A. New packets pass through without inspection

118
Q

What does a VPN do?

A. Extends a private network across a public network

B. Protects a network from external attacks

A

A. Extends a private network across a public network

119
Q

Which statement about SSL VPNs is true?

A. An SSL VPN can be established between workstation and a FortiGate device only.

B. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices.

A

B. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices.

120
Q

A web-mode SSL VPN user connects to a remote web server. What is the source IP address of the HTTP request the web server receives?

A. The remote user IP address

B. The FortiGate device internal IP address

A

B. The FortiGate device internal IP address

121
Q

Which statement about tunnel-mode SSL VPN is correct?

A. It supports split tunneling.

B. It requires bookmarks.

A

A. It supports split tunneling.

122
Q

A web-mode SSL VPN user uses ____ to access internal network resources.

A. bookmarks

B. FortiClient

A

A. bookmarks

123
Q

Which step is necessary to configure SSL VPN connections?

A. Create a firewall policy from the SSL VPN interface to the internal interface.

B. Enable event logs for SSL VPN traffic: users, VPN, and endpoints.

A

A. Create a firewall policy from the SSL VPN interface to the internal interface.

124
Q

Which action may allow internet access in tunnel mode, if the remote network does not allow internet access to SSL VPN users?

A. Enable split tunneling

B. Configure the DNS server to use the same DNS server as the client DNS

A

A. Enable split tunneling

125
Q

What does the SSL VPN monitor feature allow you to do?

A. Monitor SSL VPN user actions, such as authentication

B. Force SSL VPN user disconnects

A

B. Force SSL VPN user disconnects

126
Q

Which statement about SSL VPN timers is correct?

A. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency.

B. The login timeout is a non-customizable hard value.

A

A. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency.

127
Q

Which component issues and signs the client certificate?

A. FortiClient EMS

B. FortiClient

A

A. FortiClient EMS

128
Q

Which internet browser supports Fortinet ZTNA?

A. Firefox

B. Chrome

A

B. Chrome

129
Q

What does FortiClient EMS integration ensure?

A. Device identification

B. User identification

A

A. Device identification

130
Q

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

A. VLAN interface

B. Software Switch interface

C. Aggregate interface

D. Redundant interface

A

C. Aggregate interface

131
Q

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

What CLI command must the administrator use to view the route?

A. get router info routing-table all

B. get internet service route list

C. get router info routing-table database

D. diagnose firewall proute list

A

D. diagnose firewall proute list

132
Q

Which three statements are true regarding session-based authentication? (Choose three.)

A. HTTP sessions are treated as a single user.

B. IP sessions from the same source IP address are treated as a single user.

C. It can differentiate among multiple clients behind the same source IP address.

D. It requires more resources.

E. It is not recommended if multiple users are behind the source NAT.

A

A. HTTP sessions are treated as a single user.

C. It can differentiate among multiple clients behind the same source IP address.

D. It requires more resources.

133
Q

What is the primary FortiGate election process when the HA override setting is disabled?

A. Connected monitored ports > System uptime > Priority > FortiGate Serial number

B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number

C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number

D. Connected monitored ports > Priority > System uptime > FortiGate Serial number

A

B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number

134
Q

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

A. Fabric Coverage

B. Automated Response

C. Security Posture

D. Optimization

A

C. Security Posture

135
Q

Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?

Select one:
A. It captures the login events and forwards them to the collector agent.
B. It captures the user IP address and workstation name and forwards them to FortiGate.
C. It captures the login and logoff events and forwards them to the collector agent.
D. It captures the login events and forwards them to FortiGate.

A

A. It captures the login events and forwards them to the collector agent.

136
Q

FortiGate has been configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.

What is the most likely reason for this situation?
Select one:
A. No matching user account exists for this user.
B. The user is using a guest account profile.
C. The user is using a super admin account.
D. The user was authenticated using passive authentication.

A

D. The user was authenticated using passive authentication.

137
Q

Which two statements about FortiGate antivirus databases are true? (Choose two.)
Select one or more:
A. The quick scan database is part of the normal database.
B. The extended database is available only if AI scanning is enabled.
C. The extended database is available on all FortiGate models.
D. The extreme database is available only on certain FortiGate models.

A

C. The extended database is available on all FortiGate models.
D. The extreme database is available only on certain FortiGate models.

138
Q

Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)
Select one or more:
A. Web Filter
B. AntiVirus
C. Application Control 
D. IPS
A

C. Application Control

D. IPS

139
Q

View the exhibit.
A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.
Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.)
Select one or more:

A. Strict RPF check will deny the traffic.
B. Loose RPF check will deny the traffic.
C. Strict RPF check will allow the traffic.
D. Loose RPF check will allow the traffic.

A

C. Strict RPF check will allow the traffic.

D. Loose RPF check will allow the traffic.

140
Q

What two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)
Select one or more:

A. Fabric name
B. FortiAnalyzer IP address
C. FortiManager IP address
D. Pre-authorize downstream FortiGate devices

A

A. Fabric name

B. FortiAnalyzer IP address

141
Q

Examine this FortiGate configuration:
config system global
set av-failopen pass
end
config ips global
set fail-open disable
end
Examine the output of the following debug command:
# diagnose hardware sysinfo conserve
memory conserve mode: on
total RAM: 3040 MB
memory used: 2706 MB 89% of total RAM
memory freeable: 334 MB 11% of total RAM
memory used + freeable threshold extreme: 2887 MB 95% of total RAM
memory used threshold red: 2675 MB 88% of total RAM
memory used threshold green: 2492 MB 82% of total RAM
Based on the diagnostic outputs above, how is FortiGate handling new packets that require IPS inspection?

Select one:
A. They are allowed and inspected as long as no additional proxy-based inspection is required.
B. They are allowed, but with no inspection.
C. They are allowed and inspected.
D. They are dropped.

A

D. They are dropped.

142
Q

Examine the following log message attributes:
subtype="webfilter" hostname=www.youtube.com profile="default" action="passthrough" msg="URL belongs to a category with warnings enabled"

Which two statements about the log are correct? (Choose two.)

Select one or more:
A. The user failed authentication.
B. The user was prompted to decide whether to proceed or go back.
C. The category action was set to warning.
D. The website was allowed on the first attempt.

A

B. The user was prompted to decide whether to proceed or go back.
C. The category action was set to warning.

143
Q
Which two configuration settings are global settings? (Choose two.)
Select one or more:
A. FortiGuard settings 
B. User & Device settings
C. Firewall policies
D. HA settings
A

A. FortiGuard settings

D. HA settings

144
Q

An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the internet. The web server is connected to port1. The internet is connected to port2. Both interfaces belong to the VDOM named Corporation.

What interface must be used as the source for the firewall policy that will allow this traffic?
Select one:
A. ssl.Corporation 
B. ssl.root
C. port2
D. port1
A

A. ssl.Corporation

145
Q

Which statement about firewall policy NAT is true?
Select one:
A. DNAT is not supported.
B. SNAT can automatically apply to multiple firewall policies, based on SNAT policies.
C. DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
D. You must configure SNAT for each firewall policy.

A

D. You must configure SNAT for each firewall policy.

146
Q

Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)
Select one or more:
A. It supports monitoring of nested groups.
B. FortiGate can act as an LDAP client to configure the group filters.
C. It uses the Windows convention for naming; that is, Domain\Username.
D. It is only supported if DC agents are deployed.

A

A. It supports monitoring of nested groups.

B. FortiGate can act as an LDAP client to configure the group filters.

147
Q

What is eXtended Authentication (XAuth)?
Select one:
A. It is an IPsec extension that authenticates remote VPN peers using a preshared key.
B. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
C. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.

A

C. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).

148
Q
Which three methods can be used to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)
Select one or more:
A. SMS text message 
B. Email 
C. Voicemail message
D. Instant message app
E. FortiToken
A

A. SMS text message
B. Email
E. FortiToken

149
Q

What does the command diagnose debug fsso-polling refresh-user do?
Select one:
A. It enables agentless polling mode real-time debug.
B. It refreshes user group information from any servers connected to FortiGate using a collector agent.
C. It displays status information and some statistics related to the polls done by FortiGate on each DC.
D. It refreshes all users learned through agentless polling.

A

D. It refreshes all users learned through agentless polling.

150
Q

An administrator wants to monitor their network for any probing attempts aimed at exploiting existing vulnerabilities in their servers.

Which two items must they configure on their FortiGate to accomplish this? (Choose two.)
Select one or more:
A. An application control profile and set all application signatures to monitor
B. An IPS sensor to monitor all signatures applicable to the server
C. A DoS policy, and log all UDP and TCP scan attempts
D. A web application firewall profile to check protocol constraints

A

B. An IPS sensor to monitor all signatures applicable to the server
C. A DoS policy, and log all UDP and TCP scan attempts

151
Q

Examine the exhibit, which shows a FortiGate with two VDOMs: VDOM1 and VDOM2.

Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.

Which two static routes are required in the FortiGate configuration to route traffic between both subnets through an inter-VDOM link? (Choose two.)
Select one or more:
A. A static route in VDOM1 for the destination subnet of 10.0.2.0/24
B. A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link
C. A static route in VDOM2 for the destination subnet 10.0.1.0/24
D. A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link

A

C. A static route in VDOM2 for the destination subnet 10.0.1.0/24

152
Q

Examine this partial output from the diagnose sys session list CLI command:

diagnose sys session list
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

What does this output state?
Select one:
A. proto_state=05 is the ICMP state.
B. proto_state=05 means there is only one-way traffic.
C. proto_state=05 is the UDP state.
D. proto_state=05 is the TCP state.
A

D. proto_state=05 is the TCP state.

153
Q

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
Select one or more:
A. Only the any interface can be chosen as an incoming interface.
B. Multiple interfaces can be selected as incoming and outgoing interfaces.
C. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
D. A zone can be chosen as the outgoing interface.

A

B. Multiple interfaces can be selected as incoming and outgoing interfaces.
D. A zone can be chosen as the outgoing interface.

154
Q

Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)
Select one or more:
A. Aggressive mode supports XAuth, while main mode does not.
B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
D. Main mode cannot be used for dialup VPNs, while aggressive mode can.

A

B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.

155
Q

Which two statements about the application control profile mode are true? (Choose two.)
Select one or more:
A. It uses flow-based scanning techniques, regardless of the inspection mode used.
B. It cannot be used in conjunction with IPS scanning.
C. It can be selected in either flow-based or proxy-based firewall policy.
D. It can scan only unsecure protocols.

A

A. It uses flow-based scanning techniques, regardless of the inspection mode used.
C. It can be selected in either flow-based or proxy-based firewall policy.

156
Q

Which two statements about the SD-WAN feature on FortiGate are true? (Choose two.)
Select one or more:
A. An SD-WAN static route does not require a next-hop gateway IP address.
B. Each member interface requires its own firewall policy to allow traffic.
C. SD-WAN provides route failover protection, but cannot load balance traffic.
D. FortiGate supports only one SD-WAN interface per VDOM.

A

A. An SD-WAN static route does not require a next-hop gateway IP address.
D. FortiGate supports only one SD-WAN interface per VDOM.

157
Q

View the exhibit.

Which two behaviors result from this full (deep) SSL configuration? (Choose two.)
Select one or more:
A. The browser bypasses all certificate warnings and allows the connection.
B. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
C. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
D. A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.

A

B. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
C. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.

158
Q

An administrator has configured central DNAT and virtual IPs.

Which item can be selected in the firewall policy Destination field?
Select one:
A. An IP pool
B. A VIP object
C. A VIP group
D. The mapped IP address object of the VIP object

A

D. The mapped IP address object of the VIP object

159
Q

An administrator configured an antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using the HTTPS protocol only.

What is causing this issue?
Select one:
A. Full content inspection for HTTPS is disabled.
B. The test file is larger than the oversize limit.
C. Hardware acceleration is in use.
D. HTTPS protocol is not enabled under Inspected Protocols.

A

A. Full content inspection for HTTPS is disabled.

160
Q

Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode are true? (Choose two.)
Select one or more:
A. The client must wait for the antivirus scan to finish scanning before it receives the file.
B. A file does not need to be buffered completely before it is moved to the antivirus engine for scanning.
C. If a virus is detected, a block replacement message is displayed immediately.
D. FortiGate sends a reset packet to the client if antivirus reports the file as infected.

A

A. The client must wait for the antivirus scan to finish scanning before it receives the file.
C. If a virus is detected, a block replacement message is displayed immediately.

161
Q

View the exhibit.

Which statement about the configuration settings is true?
Select one:
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.
C. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
D. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.

A

C. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

162
Q
Which three actions are valid for static URL filtering? (Choose three.)
Select one or more:
A. Warning
B. Exempt 
C. Allow 
D. Block 
E. Shape
A

B. Exempt
C. Allow
D. Block

163
Q

Which statement about traffic flow in an active-active HA cluster is true?
Select one:
A. The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client.
B. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.
C. The ACK from the client is received on the physical MAC address of the primary device.
D. The SYN packet from the client always arrives at the primary device first.

A

D. The SYN packet from the client always arrives at the primary device first.

164
Q

Examine the exhibit showing a routing table.
Which route will be selected when trying to reach 10.20.30.254?
Select one:
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3
B. 0.0.0.0/0 [10/0] via 172.20.121.2, port1
C. 10.30.20.0/24 [10/0] via 172.20.121.2, port1
D. 10.20.30.0/26 [10/0] via 172.20.168.254, port2

A

A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3

165
Q
Which load balancing method is not supported in equal cost multipath (ECMP) load balancing, but is supported in SD-WAN?
Select one:
A. Source-destination IP based 
B. Weight based
C. Source IP based
D. Volume based
A

C. Source IP based

166
Q

Which statement about the HA override setting in FortiGate HA clusters is true?
Select one:
A. You must configure override settings manually and separately for each cluster member.
B. It reboots FortiGate.
C. It synchronizes device priority on all cluster members.
D. It enables monitored ports.

A

A. You must configure override settings manually and separately for each cluster member.

167
Q

View the exhibit.

date=2021-03-16 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140 catdesc="custom1"

What does this raw log indicate? (Choose two.)
Select one or more:
A. 192.168.1.24 is the IP address for www.fortinet.com.
B. FortiGate allowed the traffic to pass
C. The traffic matches the webfilter profile on firewall policy ID 2.
D. The traffic originated from 66.171.121.44.

A

B. FortiGate allowed the traffic to pass

C. The traffic matches the webfilter profile on firewall policy ID 2.

168
Q
Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
Select one or more:
A. HTTPS 
B. FortiTelemetry
C. Trusted authentication
D. SSH 
E. Trusted host
A

A. HTTPS
D. SSH
E. Trusted host

169
Q

A client workstation is connected to FortiGate port2. FortiGate port1 is connected to an ISP router. port2 and port3 are both configured as a software switch.

Which IP address must be configured on the workstation as the default gateway?
Select one:
A. The software switch interface IP address
B. The FortiGate management IP address
C. The port2 IP address
D. The router IP address

A

A. The software switch interface IP address