NSE4_FGT-7.0 Exam Questions - Online Test



certleader.com

All that matters here is passing the Fortinet NSE4_FGT-7.0 exam, and all that you need is a high score on the NSE4_FGT-7.0 Fortinet NSE 4 - FortiOS 7.0 exam. The only thing you need to do is download the Passleader NSE4_FGT-7.0 exam study guides now. We will not let you down with our money-back guarantee.

Online Fortinet NSE4_FGT-7.0 free dumps demo below:

NEW QUESTION 1

View the exhibit.
NSE4_FGT-7.0 dumps exhibit
Which of the following statements are correct? (Choose two.)

  • A. This setup requires at least two firewall policies with the action set to IPsec.
  • B. Dead peer detection must be disabled to support this type of IPsec setup.
  • C. The TunnelB route is the primary route for reaching the remote site.
  • D. The TunnelA route is used only if the TunnelB VPN is down.
  • E. This is a redundant IPsec setup.

Answer: CD

NEW QUESTION 2

Examine this PAC file configuration.
NSE4_FGT-7.0 dumps exhibit
Which of the following statements are true? (Choose two.)

  • A. Browsers can be configured to retrieve this PAC file from the FortiGate.
  • B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
  • C. All requests not made to fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
  • D. Any web request to fortinet.com is allowed to bypass the proxy.

Answer: AD

NEW QUESTION 3

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

  • A. The public key of the web server certificate must be installed on the browser.
  • B. The web-server certificate must be installed on the browser.
  • C. The CA certificate that signed the web-server certificate must be installed on the browser.
  • D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Answer: C

NEW QUESTION 4

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

  • A. Heartbeat interfaces have virtual IP addresses that are manually assigned.
  • B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
  • C. Virtual IP addresses are used to distinguish between cluster members.
  • D. The primary device in the cluster is always assigned IP address 169.254.0.1.

Answer: BD

NEW QUESTION 5

Which statement about the IP authentication header (AH) used by IPsec is true?

  • A. AH does not provide any data integrity or encryption.
  • B. AH does not support perfect forward secrecy.
  • C. AH provides data integrity but no encryption.
  • D. AH provides strong data integrity but weak encryption.

Answer: C

NEW QUESTION 6

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

  • A. Traffic to botnet servers
  • B. Traffic to inappropriate web sites
  • C. Server information disclosure attacks
  • D. Credit card data leaks
  • E. SQL injection attacks

Answer: CDE

NEW QUESTION 7

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  • A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • B. FortiGate automatically negotiates a new security association after the existing security association expires.
  • C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=12069

NEW QUESTION 8

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

  • A. The firmware image must be manually uploaded to each FortiGate.
  • B. Only secondary FortiGate devices are rebooted.
  • C. Uninterruptible upgrade is enabled by default.
  • D. Traffic load balancing is temporarily disabled while upgrading the firmware.

Answer: CD

NEW QUESTION 9

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

  • A. 192.168.1.0/24
  • B. 192.168.0.0/24
  • C. 192.168.2.0/24
  • D. 192.168.3.0/24

Answer: C

NEW QUESTION 10

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  • A. SSH
  • B. HTTPS
  • C. FTM
  • D. FortiTelemetry

Answer: AB

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

NEW QUESTION 11

Which two statements are true about the Security Fabric rating? (Choose two.)

  • A. It provides executive summaries of the four largest areas of security focus.
  • B. Many of the security issues can be fixed immediately by clicking Apply where available.
  • C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
  • D. The Security Fabric rating is a free service that comes bundled with all FortiGate devices.

Answer: BC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/292634/security-rating

NEW QUESTION 12

Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

  • A. On HQ-FortiGate, enable Auto-negotiate.
  • B. On Remote-FortiGate, set Seconds to 43200.
  • C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
  • D. On HQ-FortiGate, set Encryption to AES256.

Answer: D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495
The encryption and authentication algorithms need to match in order for IPsec to be successfully established.

NEW QUESTION 13

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

  • A. Proxy-based inspection
  • B. Certificate inspection
  • C. Flow-based inspection
  • D. Full Content inspection

Answer: AC

NEW QUESTION 14

Examine this FortiGate configuration:
NSE4_FGT-7.0 dumps exhibit
How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

  • A. It always authorizes the traffic without requiring authentication.
  • B. It drops the traffic.
  • C. It authenticates the traffic using the authentication scheme SCHEME2.
  • D. It authenticates the traffic using the authentication scheme SCHEME1.

Answer: D

Explanation:
“What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”

NEW QUESTION 15

Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

  • A. Set the maximum session TTL value for the TELNET service object.
  • B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
  • C. Create a new service object for TELNET and set the maximum session TTL.
  • D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Answer: CD

NEW QUESTION 16

View the exhibit:
NSE4_FGT-7.0 dumps exhibit
Which statements are true? (Choose two.)

  • A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
  • B. port1-VLAN1 is the native VLAN for the port1 physical interface.
  • C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
  • D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

Answer: AC

NEW QUESTION 17
......
