Questions Flashcards
How does FortiGate perform routing lookups?
FortiGate performs a routing lookup only twice per session and caches the result in the session table for the remaining packets:
- for the first packet sent by the originator
- for the first reply packet coming from the responder
What are some of the dynamic routing protocols supported by FortiGate?
RIP
OSPF
BGP
IS-IS
What takes precedence over static and dynamic routes?
Policy routes whose action is set to Forward Traffic.
When a packet matches such a policy route, FortiGate bypasses the routing table lookup entirely.
What are the two actions FortiGate can take on a policy route?
Forward Traffic: routes the packet to the configured outgoing interface and gateway, bypassing the routing table
Stop Policy Routing: stops checking further policy routes, so the packet is routed based on the routing table
Internet services routing
Policy routes can use Internet Service Database (ISDB) entries as the destination, which helps split traffic by destination service.
e.g. you have two ISPs and want to send all traffic destined for AWS through one of them: create a policy route with the AWS ISDB entry as destination and that ISP's WAN port as outgoing interface, while the other ISP carries the rest of the traffic
Which configured routes aren't displayed in the routing table monitor?
Inactive routes (for example, routes whose interface is down)
Standby routes (routes to the same destination with a higher distance than the active route; they can still be seen on the CLI with get router info routing-table database)
Metric parameter on routes:
If several routes to the same destination have the same distance, the metric breaks the tie.
The route with the lowest metric is preferred.
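The lookup order described in the cards above (policy routes checked top-down before the routing table, then longest prefix, lowest distance, and metric only as a tie-breaker, with higher-distance duplicates kept as standby), as an added example in Python. This is not Fortinet code; the routes, policy routes and addresses are constructed, and the distance defaults in the comments follow FortiOS defaults.

```python
"""Route selection in the order FortiGate evaluates it.

Added example (not Fortinet code): a small simulator of the lookup order the
flashcards describe. Values below are constructed; distance defaults follow
FortiOS defaults (connected 0, static 10, eBGP 20, OSPF 110, RIP 120).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str                 # destination network, e.g. "0.0.0.0/0"
    gateway: str
    interface: str
    distance: int = 10          # administrative distance (static default)
    metric: int = 0             # tie-breaker among routes of equal distance
    protocol: str = "static"


@dataclass
class PolicyRoute:
    action: str                 # "forward" or "stop"
    src: Optional[str] = None   # CIDR, None = any
    dst: Optional[str] = None   # CIDR (an ISDB entry would expand to several)
    input_device: Optional[str] = None
    interface: Optional[str] = None
    gateway: Optional[str] = None


def _contains(net: Optional[str], ip: str) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def policy_route_lookup(policy_routes: List[PolicyRoute], src: str, dst: str,
                        in_if: str) -> Optional[Tuple[str, str]]:
    """Policy routes are checked top-down before the routing table.

    A matching 'forward' route returns (interface, gateway) and the routing
    table is bypassed; a matching 'stop' route ends policy routing and sends
    the packet to the normal routing-table lookup.
    """
    for pr in policy_routes:
        if pr.input_device is not None and pr.input_device != in_if:
            continue
        if not (_contains(pr.src, src) and _contains(pr.dst, dst)):
            continue
        if pr.action == "forward":
            return (pr.interface, pr.gateway)
        return None                       # action "stop"
    return None


def _plen(r: Route) -> int:
    return ipaddress.ip_network(r.prefix, strict=False).prefixlen


def active_and_standby(routes: List[Route]) -> Tuple[List[Route], List[Route]]:
    """Per destination prefix, the lowest-distance route(s) are active (shown in
    the routing table monitor); the rest are standby and are not displayed."""
    active, standby = [], []
    for r in routes:
        best = min(x.distance for x in routes if x.prefix == r.prefix)
        (active if r.distance == best else standby).append(r)
    return active, standby


def routing_table_lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match, then lowest distance, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes if addr in ipaddress.ip_network(r.prefix, strict=False)]
    if not cands:
        return None
    longest = max(_plen(r) for r in cands)
    cands = [r for r in cands if _plen(r) == longest]
    return min(cands, key=lambda r: (r.distance, r.metric))


def forward(policy_routes, routes, src, dst, in_if) -> Optional[Tuple[str, str, str]]:
    """Return (how, interface, gateway) for the first packet of a session."""
    hit = policy_route_lookup(policy_routes, src, dst, in_if)
    if hit:
        return ("policy-route",) + hit
    r = routing_table_lookup(routes, dst)
    return None if r is None else ("routing-table", r.interface, r.gateway)


# Constructed sample configuration (documentation address ranges, not real ISDB data)
ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1", "wan1", distance=10),
    Route("0.0.0.0/0", "198.51.100.1", "wan2", distance=20),        # standby default route
    Route("10.0.0.0/8", "10.1.1.254", "port2"),
    Route("10.2.0.0/16", "10.1.1.253", "port2", distance=110, metric=20, protocol="ospf"),
    Route("10.2.0.0/16", "10.1.1.252", "port3", distance=110, metric=10, protocol="ospf"),
]
POLICY_ROUTES = [
    PolicyRoute("stop", src="10.9.0.0/16"),                           # exempt one subnet
    PolicyRoute("forward", dst="192.0.2.0/24", interface="wan2", gateway="198.51.100.1"),
]

if __name__ == "__main__":
    print(forward(POLICY_ROUTES, ROUTES, "10.1.1.10", "192.0.2.7", "port2"))  # policy route via wan2
    print(forward(POLICY_ROUTES, ROUTES, "10.9.1.1", "192.0.2.7", "port2"))   # stop -> wan1 default
    print(forward(POLICY_ROUTES, ROUTES, "10.1.1.10", "10.2.3.4", "port2"))   # OSPF metric 10 wins
    print([r.interface for r in active_and_standby(ROUTES)[1]])              # standby: ['wan2']
```

The "stop" policy route sits above the "forward" one on purpose: policy routes are evaluated in order, so an exemption has to come first, otherwise the matching "forward" entry would already have sent the packet out wan2.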
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?
A- By default, FortiGate uses WINS servers to resolve names.
B- By default, the SSL VPN portal requires the installation of a client certificate.
C- By default, split tunneling is enabled.
D- By default, the admin GUI and SSL VPN portal use the same HTTPS port.
D
Which statement is correct regarding the use of application control for inspecting web applications?
A. Application control can identify child and parent applications, and perform different actions on them.
B. Application control signatures are organized in a nonhierarchical structure.
C. Application control does not require SSL inspection to identify web applications.
D. Application control does not display a replacement message for a blocked web application.
A
A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.
The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two.)
A and C
Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
B. The traffic sourced from the client and destined to the server is sent to FGT-1.
C. The cluster can load balance ICMP connections to the secondary.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
A and D
Which two attributes are required on a certificate so it can be used as a CA certificate for SSL inspection? (Choose two.)
A. The keyUsage extension must be set to keyCertSign.
B. The CA extension must be set to TRUE.
C. The issuer must be a public CA.
D. The common name on the subject field must use a wildcard name.
A and B
Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)
A. Services defined in the firewall policy
B. Highest to lowest priority defined in the firewall policy
C. Destination defined as Internet Services in the firewall policy
D. Lowest to highest policy ID number
E. Source defined as Internet Services in the firewall policy
A, C and E
FortiGate matches policies on interfaces, source, destination (Internet Service entries are accepted as source or destination) and service, evaluating the list top-down by position; priority and policy ID number are not matching criteria.
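Policy lookup as the card above describes it, as an added Python example that is not Fortinet code: it matches on incoming and outgoing interface, source, destination (with Internet Service names usable on either side) and service, walks the list top-down by position, and falls through to the implicit deny. The ISDB contents, policies and packets are constructed stand-ins.

```python
"""Firewall policy lookup: top-down by position, first match wins.

Added example (not Fortinet code). Models the matching criteria from the
flashcard and shows that position in the policy list, not policy ID or a
'priority', decides which policy applies. ISDB contents are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the Internet Service Database: name -> prefixes
ISDB: Dict[str, List[str]] = {
    "Amazon-AWS": ["192.0.2.0/24", "198.51.100.0/24"],
    "Google-DNS": ["203.0.113.0/24"],
}

Service = Tuple[str, int]   # (protocol, destination port); ("ALL", 0) matches anything


@dataclass
class Policy:
    policy_id: int
    srcintf: Set[str]
    dstintf: Set[str]
    srcaddr: List[str]          # CIDRs, "all", or ISDB object names
    dstaddr: List[str]
    service: Set[Service]
    action: str                 # "accept" or "deny"


@dataclass
class Packet:
    in_if: str
    out_if: str                 # result of the routing lookup, done before policy lookup
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(objs: List[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    for obj in objs:
        if obj == "all":
            return True
        for net in ISDB.get(obj, [obj]):        # expand ISDB names, else treat as CIDR
            if addr in ipaddress.ip_network(net, strict=False):
                return True
    return False


def _svc_match(services: Set[Service], proto: str, dport: int) -> bool:
    return ("ALL", 0) in services or (proto, dport) in services


def match_policy(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """policies must be in configured order (top to bottom). Returns the first
    matching policy, or None for the implicit deny."""
    for p in policies:
        if pkt.in_if not in p.srcintf and "any" not in p.srcintf:
            continue
        if pkt.out_if not in p.dstintf and "any" not in p.dstintf:
            continue
        if not _addr_match(p.srcaddr, pkt.src) or not _addr_match(p.dstaddr, pkt.dst):
            continue
        if not _svc_match(p.service, pkt.proto, pkt.dport):
            continue
        return p
    return None


# Constructed policy list. Note the order: ID 7 sits above ID 3.
POLICIES = [
    Policy(7, {"port2"}, {"wan1"}, ["10.0.0.0/8"], ["Amazon-AWS"], {("tcp", 443)}, "accept"),
    Policy(3, {"port2"}, {"wan1"}, ["all"], ["all"], {("ALL", 0)}, "accept"),
    Policy(9, {"wan1"}, {"port2"}, ["Google-DNS"], ["10.1.1.53/32"], {("udp", 53)}, "accept"),
]


def lookup(pkt: Packet) -> Optional[int]:
    """Policy ID that would process the packet, or None for the implicit deny."""
    p = match_policy(POLICIES, pkt)
    return None if p is None else p.policy_id


if __name__ == "__main__":
    print(lookup(Packet("port2", "wan1", "10.1.1.10", "192.0.2.5", "tcp", 443)))   # 7: position wins over lower ID 3
    print(lookup(Packet("port2", "wan1", "10.1.1.10", "192.0.2.5", "tcp", 80)))    # 3
    print(lookup(Packet("wan1", "port2", "203.0.113.9", "10.1.1.53", "udp", 53)))  # 9: ISDB entry as source
    print(lookup(Packet("wan1", "port2", "203.0.113.9", "10.1.1.53", "tcp", 22)))  # None: implicit deny
```

The first packet hits policy 7 even though policy 3 has the lower ID and also matches, which is why reordering a broad "all/all" policy above a specific one silently changes what gets inspected.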
What are two functions of ZTNA? (Choose two.)
A. ZTNA manages access through the client only.
B. ZTNA manages access for remote users only.
C. ZTNA provides a security posture check.
D. ZTNA provides role-based access.
C and D
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer's IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?
A. Pre-shared key
B. Dialup user
C. Dynamic DNS
D. Static IP address
B