NSE4_FGT-6.4 Exam Questions - Online Test



Free demo questions for Fortinet NSE4_FGT-6.4 Exam Dumps Below:

NEW QUESTION 1
Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

  • A. On HQ-FortiGate, enable Auto-negotiate.
  • B. On Remote-FortiGate, set Seconds to 43200.
  • C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
  • D. On HQ-FortiGate, set Encryption to AES256.

Answer: D

NEW QUESTION 2
Refer to the exhibit showing a debug flow output.
NSE4_FGT-6.4 dumps exhibit
Which two statements about the debug flow output are correct? (Choose two.)

  • A. The debug flow is of ICMP traffic.
  • B. A firewall policy allowed the connection.
  • C. A new traffic session is created.
  • D. The default route is required to receive a reply.

Answer: B

NEW QUESTION 3
Examine this output from a debug flow:
NSE4_FGT-6.4 dumps exhibit
Why did the FortiGate drop the packet?

  • A. The next-hop IP address is unreachable.
  • B. It failed the RPF check.
  • C. It matched an explicitly configured firewall policy with the action DENY.
  • D. It matched the default implicit firewall policy.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900

NEW QUESTION 4
Which two statements about antivirus scanning mode are true? (Choose two.)

  • A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
  • B. In flow-based inspection mod
  • C. FortiGate buffers the file, but also simultaneously transmits it to the client.
  • D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
  • E. In flow-based inspection mode, files bigger than the buffer size are scanned.

Answer: CD

NEW QUESTION 5
Examine the exhibit, which contains a virtual IP and firewall policy configuration.
NSE4_FGT-6.4 dumps exhibit
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

  • A. 10.200.1.10
  • B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
  • C. 10.200.1.1
  • D. 10.0.1.254

Answer: B

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.

NEW QUESTION 6
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

  • A. The firmware image must be manually uploaded to each FortiGate.
  • B. Only secondary FortiGate devices are rebooted.
  • C. Uninterruptible upgrade is enabled by default.
  • D. Traffic load balancing is temporarily disabled while upgrading the firmware.

Answer: CD

NEW QUESTION 7
Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

  • A. Heartbeat interfaces have virtual IP addresses that are manually assigned.
  • B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
  • C. Virtual IP addresses are used to distinguish between cluster members.
  • D. The primary device in the cluster is always assigned IP address 169.254.0.1.

Answer: AB

NEW QUESTION 8
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

  • A. Policy lookup will be disabled.
  • B. By Sequence view will be disabled.
  • C. Search option will be disabled.
  • D. Interface Pair view will be disabled.

Answer: A

NEW QUESTION 9
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

  • A. System time
  • B. FortiGuard update servers
  • C. Operating mode
  • D. NGFW mode

Answer: AD

NEW QUESTION 10
How do you format the FortiGate flash disk?

  • A. Load a debug FortiOS image.
  • B. Load the hardware test (HQIP) image.
  • C. Execute the CLI command execute formatlogdisk.
  • D. Select the format boot device option from the BIOS menu.

Answer: D

NEW QUESTION 11
In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy, instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

  • A. The IP version of the sources and destinations in a firewall policy must be different.
  • B. The Incoming Interfac
  • C. Outgoing Interfac
  • D. Schedule, and Service fields can be shared with both IPv4 and IPv6.
  • E. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
  • F. The IP version of the sources and destinations in a policy must match.
  • G. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Answer: ACE

NEW QUESTION 12
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
NSE4_FGT-6.4 dumps exhibit
An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

  • A. The IPS filter is missing the Protocol: HTTPS option.
  • B. The HTTPS signatures have not been added to the sensor.
  • C. A DoS policy should be used, instead of an IPS sensor.
  • D. A DoS policy should be used, instead of an IPS sensor.
  • E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW QUESTION 13
View the exhibit.
NSE4_FGT-6.4 dumps exhibit
A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

  • A. Addicting.Games is allowed based on the Application Overrides configuration.
  • B. Addicting.Games is blocked on the Filter Overrides configuration.
  • C. Addicting.Games can be allowed only if the Filter Overrides action is set to Exempt.
  • D. Addicting.Games is allowed based on the Categories configuration.

Answer: A

NEW QUESTION 14
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up.
* The secondary tunnel must be used only if the primary tunnel goes down.
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

  • A. Enable Dead Peer Detection.
  • B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  • C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
  • D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Answer: A

NEW QUESTION 15
Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

  • A. The signature setting uses a custom rating threshold.
  • B. The signature setting includes a group of other signatures.
  • C. Traffic matching the signature will be allowed and logged.
  • D. Traffic matching the signature will be silently dropped and logged.

Answer: B

NEW QUESTION 16
Examine this PAC file configuration.
NSE4_FGT-6.4 dumps exhibit
Which of the following statements are true? (Choose two.)

  • A. Browsers can be configured to retrieve this PAC file from the FortiGate.
  • B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
  • C. All requests not made to fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
  • D. Any web request to fortinet.com is allowed to bypass the proxy.

Answer: AD

NEW QUESTION 17
Refer to the exhibit, which contains a session diagnostic output.
NSE4_FGT-6.4 dumps exhibit
Which statement is true about the session diagnostic output?

  • A. The session is in SYN_SENT state.
  • B. The session is in FIN_ACK state.
  • C. The session is in FIN_WAIT state.
  • D. The session is in ESTABLISHED state.

Answer: D
