NSE4_FGT-6.0 Exam Questions - Online Test
Online NSE4_FGT-6.0 free questions and answers of New Version:
NEW QUESTION 1
How does FortiGate verify the login credentials of a remote LDAP user?
- A. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.
- B. FortiGate sends the user-entered credentials to the LDAP server for authentication.
- C. FortiGate queries the LDAP server for credentials.
- D. FortiGate queries its own database for credentials.
Answer: B
NEW QUESTION 2
Which of the following static routes are not maintained in the routing table? (Choose two.)
- A. Named Address routes
- B. Dynamic routes
- C. ISDB routes
- D. Policy routes
Answer: BD
NEW QUESTION 3
A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true?
- A. It can create administrator accounts with access to the same VDOM.
- B. It cannot have access to more than one VDOM.
- C. It can reset the password for the admin account.
- D. It can upgrade the firmware on the FortiGate device.
Answer: C
NEW QUESTION 4
Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
- A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
- B. ADVPN is only supported with IKEv2.
- C. Tunnels are negotiated dynamically between spokes.
- D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
Answer: AC
NEW QUESTION 5
How does FortiGate select the central SNAT policy that is applied to a TCP session?
- A. It selects the SNAT policy specified in the configuration of the outgoing interface.
- B. It selects the first matching central SNAT policy, reviewing from top to bottom.
- C. It selects the central SNAT policy with the lowest priority.
- D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.
Answer: B
NEW QUESTION 6
Which one of the following processes is involved in updating IPS from FortiGuard?
- A. FortiGate IPS update requests are sent using UDP port 443.
- B. Protocol decoder update requests are sent to service.fortiguard.net.
- C. IPS signature update requests are sent to update.fortiguard.net.
- D. IPS engine updates can only be obtained using push updates.
Answer: C
NEW QUESTION 7
A team manager has decided that while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?
- A. Implement a web filter category override for the specified website.
- B. Implement web filter authentication for the specified website.
- C. Implement web filter quotas for the specified website.
- D. Implement DNS filter for the specified website.
Answer: A
NEW QUESTION 8
Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
- A. Browsers can be configured to retrieve this PAC file from the FortiGate.
- B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
- C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
- D. Any web request to fortinet.com is allowed to bypass the proxy.
Answer: AD
NEW QUESTION 9
When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?
- A. Connected monitored ports > HA uptime > priority > serial number
- B. Priority > Connected monitored ports > HA uptime > serial number
- C. Connected monitored ports > priority > HA uptime > serial number
- D. HA uptime > priority > Connected monitored ports > serial number
Answer: C
NEW QUESTION 10
Which of the following are valid actions for a FortiGuard category-based filter in a web filter profile in proxy-based inspection mode? (Choose two.)
- A. Warning
- B. Exempt
- C. Allow
- D. Learn
Answer: AC
NEW QUESTION 11
Which action can be applied to each filter in the application control profile?
- A. Block, monitor, warning, and quarantine
- B. Allow, monitor, block and learn
- C. Allow, block, authenticate, and warning
- D. Allow, monitor, block, and quarantine
Answer: D
NEW QUESTION 12
View the exhibit.
What does this raw log indicate? (Choose two.)
- A. FortiGate blocked the traffic.
- B. type indicates that a security event was recorded.
- C. 10.0.1.20 is the IP address for lavito.tk.
- D. policyid indicates that traffic went through the IPS firewall policy.
Answer: BD
NEW QUESTION 13
Which statements are true regarding SSL VPN timers? (Choose two.)
- A. Allow mitigation of DoS attacks from partial HTTP requests.
- B. SSL VPN settings do not have customizable timers.
- C. Disconnect idle SSL VPN users when a firewall policy authentication timeout occurs.
- D. Prevent SSL VPN users from being logged out because of high network latency.
Answer: AD
NEW QUESTION 14
View the exhibit:
The client cannot connect to the HTTP web server. The administrator ran the FortiGate built-in sniffer and got the following output:
What should be done next to troubleshoot the problem?
- A. Run a sniffer in the web server.
- B. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.
- C. Capture the traffic using an external sniffer connected to port1.
- D. Execute a debug flow.
Answer: C
NEW QUESTION 15
Examine the exhibit, which shows the partial output of an IKE real-time debug.
Which of the following statements about the output is true?
- A. The VPN is configured to use pre-shared key authentication.
- B. Extended authentication (XAuth) was successful.
- C. Remote is the host name of the remote IPsec peer.
- D. Phase 1 went down.
Answer: A
NEW QUESTION 16
Which of the following services can be inspected by the DLP profile? (Choose three.)
- A. NFS
- B. FTP
- C. IMAP
- D. CIFS
- E. HTTP-POST
Answer: BCE
NEW QUESTION 17
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statement about the VLAN sub interfaces is true?
- A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
- B. The two VLAN sub interfaces must have different VLAN IDs.
- C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
- D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
Answer: B
NEW QUESTION 18
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?
- A. Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server.
- B. Client > secondary FortiGate > web server.
- C. Client > secondary FortiGate > primary FortiGate > web server.
- D. Client > primary FortiGate > secondary FortiGate > web server.
Answer: D
NEW QUESTION 19
Which is a requirement for creating an inter-VDOM link between two VDOMs?
- A. The inspection mode of at least one VDOM must be proxy-based.
- B. At least one of the VDOMs must operate in NAT mode.
- C. The inspection mode of both VDOMs must match.
- D. Both VDOMs must operate in NAT mode.
Answer: A
NEW QUESTION 20
NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration does not change when you enable policy-based inspection?
- A. Web filtering
- B. Antivirus
- C. Web proxy
- D. Application control
Answer: C
NEW QUESTION 21
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
- A. The interface has been configured for one-arm sniffer.
- B. The interface is a member of a virtual wire pair.
- C. The operation mode is transparent.
- D. The interface is a member of a zone.
- E. Captive portal is enabled in the interface.
Answer: ABC
NEW QUESTION 22
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
What are the expected actions if traffic matches this IPS sensor? (Choose two.)
- A. The sensor will gather a packet log for all matched traffic.
- B. The sensor will not block attackers matching the A32S.Botnet signature.
- C. The sensor will block all attacks for Windows servers.
- D. The sensor will reset all connections that match these signatures.
Answer: AC
NEW QUESTION 23
Examine this output from a debug flow:
Which statements about the output are correct? (Choose two.)
- A. FortiGate received a TCP SYN/ACK packet.
- B. The source IP address of the packet was translated to 10.0.1.10.
- C. FortiGate routed the packet through port 3.
- D. The packet was allowed by the firewall policy with the ID 00007fc0.
Answer: AC
NEW QUESTION 24
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?
- A. A phase 2 configuration is not required.
- B. This VPN cannot be used as part of a hub-and-spoke topology.
- C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
- D. The IPsec firewall policies must be placed at the top of the list.
Answer: C