NSE7_EFW-6.4 Exam Questions - Online Test



NSE7_EFW-6.4 free dumps questions:

NEW QUESTION 1
An administrator has enabled HA session synchronization in an HA cluster with two members. Which flag is added to a primary unit’s session to indicate that it has been synchronized to the secondary unit?

  • A. redir
  • B. dirty
  • C. synced
  • D. nds

Answer: C

Explanation:
The synced sessions have the ‘synced’ flag. The command ‘diag sys session list’ can be used to see the sessions on the member, with the associated flags.

NEW QUESTION 2
Examine the partial output from the IKE real time debug shown in the exhibit; then answer the question below.
[Exhibit: image not included]
Why didn’t the tunnel come up?

  • A. IKE mode configuration is not enabled in the remote IPsec gateway.
  • B. The remote gateway’s Phase-2 configuration does not match the local gateway’s phase-2 configuration.
  • C. The remote gateway’s Phase-1 configuration does not match the local gateway’s phase-1 configuration.
  • D. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.

Answer: C

NEW QUESTION 3
Refer to the exhibit, which contains the output of a BGP debug command.
[Exhibit: image not included]
Which statement about the exhibit is true?

  • A. The local router has received a total of three BGP prefixes from all peers.
  • B. The local router has not established a TCP session with 100.64.3.1.
  • C. Since the counters were last reset, the 10.200.3.1 peer has never been down.
  • D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.

Answer: B

NEW QUESTION 4
Examine the output of the ‘get router info ospf neighbor’ command shown in the exhibit; then answer the question below.
[Exhibit: image not included]
Which statements are true regarding the output in the exhibit? (Choose two.)

  • A. The interface ToRemote is OSPF network type point-to-point.
  • B. The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.
  • C. The local FortiGate is the backup designated router for the wan1 network.
  • D. The OSPF routers with the IDs 0.0.0.69 and 0.0.0.117 are both designated routers for the wan1 network.

Answer: AC

Explanation:
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13685-13.html

NEW QUESTION 5
Four FortiGate devices configured for OSPF are connected to the same broadcast domain. The first unit is elected as the designated router. The second unit is elected as the backup designated router. Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

  • A. 1
  • B. 2
  • C. 3
  • D. 4

Answer: B

NEW QUESTION 6
Refer to the exhibit, which contains partial output from an IKE real-time debug.
[Exhibit: image not included]
Which two statements about this debug output are correct? (Choose two.)

  • A. The remote gateway IP address is 10.0.0.1.
  • B. The initiator provided remote as its IPsec peer ID.
  • C. It shows a phase 1 negotiation.
  • D. The negotiation is using AES128 encryption with CBC hash.

Answer: BC

NEW QUESTION 7
Examine the following traffic log; then answer the question below.
date=20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri=critical vd=root service=kernel status=failure msg="NAT port is exhausted."
What does the log mean?

  • A. There is not enough available memory in the system to create a new entry in the NAT port table.
  • B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.
  • C. FortiGate does not have any available NAT port for a new connection.
  • D. The limit for the maximum number of entries in the NAT port table has been reached.

Answer: B

NEW QUESTION 8
The CLI command set intelligent-mode <enable | disable> controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

  • A. Determines the optimal number of IPS engines required based on system load.
  • B. Downloads signatures on demand from FDS based on scanning requirements.
  • C. Determines when it is secure enough to stop scanning session traffic.
  • D. Choose a matching algorithm based on available memory and the type of inspection being performed.

Answer: C

Explanation:
Configuring IPS intelligence: Starting with FortiOS 5.2, intelligent-mode is a new adaptive detection method. This command is enabled by default, and it means that the IPS engine will perform adaptive scanning so that, for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU or kernel. It is a balanced method which could cover all known exploits. When disabled, the IPS engine scans every single byte.

  config ips global
    set intelligent-mode {enable|disable}
  end

NEW QUESTION 9
Examine the partial output from two web filter debug commands; then answer the question below:
[Exhibit: image not included]
Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?

  • A. Finance and banking
  • B. General organization.
  • C. Business.
  • D. Information technology.

Answer: C

NEW QUESTION 10
View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.
[Exhibit: image not included]
The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:
[Exhibit: image not included]
However, the IKE real time debug does not show any output. Why?

  • A. The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.
  • B. The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.
  • C. The debug shows only error messages. If there is no output, then the tunnel is operating normally.
  • D. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

Answer: B

NEW QUESTION 11
Which statement is true regarding file descriptor (FD) conserve mode?

  • A. IPS inspection is affected when FortiGate enters FD conserve mode.
  • B. A FortiGate enters FD conserve mode when the amount of available descriptors is less than 5%.
  • C. FD conserve mode affects all daemons running on the device.
  • D. Restarting the WAD process is required to leave FD conserve mode.

Answer: B

NEW QUESTION 12
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.
[Exhibit: image not included]
Which statement can explain why the state of the remote BGP peer 10.200.3.1 is Connect?

  • A. The local peer is receiving the BGP keepalives from the remote peer but it has not received any BGP prefix yet.
  • B. The TCP session for the BGP connection to 10.200.3.1 is down.
  • C. The local peer has received the BGP prefixes from the remote peer.
  • D. The local peer is receiving the BGP keepalives from the remote peer but it has not received the OpenConfirm yet.

Answer: B

Explanation:
http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

NEW QUESTION 13
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

  • A. Neighbor range
  • B. Route reflector
  • C. Next-hop-self
  • D. Neighbor group

Answer: B

Explanation:
Route reflectors help to reduce the number of IBGP sessions inside an AS. A route reflector forwards the routes learned from one peer to the other peers. If you configure route reflectors, you don’t need to create a full mesh IBGP network. All clients in a cluster only talk to the route reflector to get sync routing updates. Route reflectors pass the routing updates to other route reflectors and border routers within the AS.

NEW QUESTION 14
Which two conditions must be met for a static route to be active in the routing table? (Choose two.)

  • A. The link health monitor (if configured) is up.
  • B. There is no other route, to the same destination, with a higher distance.
  • C. The outgoing interface is up.
  • D. The next-hop IP address is up.

Answer: AC

NEW QUESTION 15
Refer to the exhibit, which contains the debug output of diagnose dvm device list.
[Exhibit: image not included]
Which two statements about the output shown in the exhibit are correct? (Choose two.)

  • A. ADOMs are disabled on the FortiManager.
  • B. The FortiGate configuration is in sync with latest running revision history.
  • C. There are pending device-level changes yet to be installed on Local-FortiGate.
  • D. The policy package has been modified for Local-FortiGate.

Answer: BC

NEW QUESTION 16
View the exhibit, which contains the output of a web diagnose command, and then answer the question below.
[Exhibit: image not included]
Which one of the following statements explains why the cache statistics are all zeros?

  • A. The administrator has reallocated the cache memory to a separate process.
  • B. There are no users making web requests.
  • C. The FortiGuard web filter cache is disabled in the FortiGate’s configuration.
  • D. FortiGate is using a flow-based web filter and the cache applies only to proxy-based inspection.

Answer: C

NEW QUESTION 17
Two independent FortiGate HA clusters are connected to the same broadcast domain. The administrator has reported that both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem in the network. What HA setting must be changed in one of the HA clusters to fix the problem?

  • A. Group ID.
  • B. Group name.
  • C. Session pickup.
  • D. Gratuitous ARPs.

Answer: A

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverVMAC.htm
