NSE7_EFW-6.4 Exam Questions - Online Test


Practice questions for the Fortinet NSE 7 - Enterprise Firewall 6.4 (NSE7_EFW-6.4) certification exam:

NEW QUESTION 1
Examine the following partial outputs from two routing debug commands; then answer the question below:
NSE7_EFW-6.4 dumps exhibit
Why is the default route using port2 not displayed in the output of the second command?

  • A. It has a lower priority than the default route using port1.
  • B. It has a higher priority than the default route using port1.
  • C. It has a higher distance than the default route using port1.
  • D. It is disabled in the FortiGate configuration.

Answer: C

Explanation:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD32103

NEW QUESTION 2
When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?

  • A. FortiGate uses CN information from the Subject field in the server’s certificate.
  • B. FortiGate switches to the full SSL inspection method to decrypt the data.
  • C. FortiGate blocks the request without any further inspection.
  • D. FortiGate uses the requested URL from the user’s web browser.

Answer: A

NEW QUESTION 3
View the exhibit, which contains the output of a debug command, and then answer the question below.
NSE7_EFW-6.4 dumps exhibit
Which of the following statements about the exhibit are true? (Choose two.)

  • A. In the network on port4, two OSPF routers are down.
  • B. Port4 is connected to the OSPF backbone area.
  • C. The local FortiGate’s OSPF router ID is 0.0.0.4.
  • D. The local FortiGate has been elected as the OSPF backup designated router.

Answer: BC

NEW QUESTION 4
Examine the output from the ‘diagnose vpn tunnel list’ command shown in the exhibit; then answer the question below.
NSE7_EFW-6.4 dumps exhibit
Which command can be used to sniff the ESP traffic for the VPN DialUP_0?

  • A. diagnose sniffer packet any 'port 500'
  • B. diagnose sniffer packet any 'esp'
  • C. diagnose sniffer packet any 'host 10.0.10.10'
  • D. diagnose sniffer packet any 'port 4500'

Answer: D

Explanation:
NAT-T is enabled (natt: mode=silent). The ESP protocol is used, and ESP is encapsulated in UDP port 4500 when NAT-T is enabled.

NEW QUESTION 5
View the exhibit, which contains a partial routing table, and then answer the question below.
NSE7_EFW-6.4 dumps exhibit
Assuming all the appropriate firewall policies are configured, which of the following pings will FortiGate route? (Choose two.)

  • A. Source IP address 10.1.0.24, Destination IP address 10.72.3.20.
  • B. Source IP address 10.72.3.27, Destination IP address 10.1.0.52.
  • C. Source IP address 10.72.3.52, Destination IP address 10.1.0.254.
  • D. Source IP address 10.73.9.10, Destination IP address 10.72.3.15.

Answer: BC

NEW QUESTION 6
View the exhibit, which contains the output of get sys ha status, and then answer the question below.
NSE7_EFW-6.4 dumps exhibit
Which statements are correct regarding the output? (Choose two.)

  • A. The slave configuration is not synchronized with the master.
  • B. The HA management IP is 169.254.0.2.
  • C. Master is selected because it is the only device in the cluster.
  • D. Port 7 is used for the HA heartbeat on all devices in the cluster.

Answer: AD

NEW QUESTION 7
A FortiGate's port1 is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled on port1, and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related to this traffic? (Choose two.)

  • A. Both sessions have the local flag on.
  • B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
  • C. One session has the proxy flag on, the other one does not.
  • D. One of the sessions has the IP address of port2 as the source IP address.

Answer: AD

NEW QUESTION 8
An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage. However, after the changes, one network application started to have problems. While troubleshooting, the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets and before the SYN/ACKs arrive. When the SYN/ACK packets arrive at the FortiGate, the unit has already deleted the respective sessions. Which TCP session timer must be increased to fix this problem?

  • A. TCP half open.
  • B. TCP half close.
  • C. TCP time wait.
  • D. TCP session time to live.

Answer: A

Explanation:
http://docs-legacy.fortinet.com/fos40hlp/43prev/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=CLI_get_Commands.58.25.html
The tcp-halfopen-timer controls for how long, after a SYN packet, a session without SYN/ACK remains in the table.
The tcp-halfclose-timer controls for how long, after a FIN packet, a session without FIN/ACK remains in the table.
The tcp-timewait-timer controls for how long, after a FIN/ACK packet, a session remains in the table. A closed session remains in the session table for a few seconds more to allow any out-of-sequence packet.

NEW QUESTION 9
An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.
NSE7_EFW-6.4 dumps exhibit
Why didn’t the script make any changes to the managed device?

  • A. Commands that start with the # sign are not executed.
  • B. CLI scripts will add objects only if they are referenced by policies.
  • C. Incomplete commands are ignored in CLI scripts.
  • D. Static routes can only be added using TCL scripts.

Answer: A

Explanation:
https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Sc
A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line starts with the number sign (#). A comment line will not be executed.

NEW QUESTION 10
A FortiGate device has the following LDAP configuration:
NSE7_EFW-6.4 dumps exhibit
The administrator executed the ‘dsquery’ command on the Windows LDAP server 10.0.1.10, and got the following output:
>dsquery user -samid administrator
"CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab"
Based on the output, what FortiGate LDAP setting is configured incorrectly?

  • A. cnid.
  • B. username.
  • C. password.
  • D. dn.

Answer: B

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD37516

NEW QUESTION 11
View the exhibit, which contains the output of a diagnose command, and then answer the question below.
NSE7_EFW-6.4 dumps exhibit
Which statements are true regarding the Weight value?

  • A. Its initial value is calculated based on the round trip delay (RTT).
  • B. Its initial value is statically set to 10.
  • C. Its value is incremented with each packet lost.
  • D. It determines which FortiGuard server is used for license validation.

Answer: C

NEW QUESTION 12
Which two statements about OCVPN are true? (Choose two.)

  • A. Only root vdom supports OCVPN.
  • B. OCVPN supports static and dynamic IPs in WAN interface.
  • C. OCVPN offers only Hub-Spoke VPNs.
  • D. FortiGate devices under different FortiCare accounts can be used to form OCVPN.

Answer: AB

NEW QUESTION 13
Which statement about memory conserve mode is true?

  • A. A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.
  • B. A FortiGate starts dropping all the new and old sessions when the configured memory use threshold reaches extreme.
  • C. A FortiGate starts dropping new sessions when the configured memory use threshold reaches red.
  • D. A FortiGate enters conserve mode when the configured memory use threshold reaches red.

Answer: C

NEW QUESTION 14
A corporate network allows Internet access to FSSO users only. The FSSO user student does not have Internet access after successfully logging in to the Windows AD network. The output of the ‘diagnose debug authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

  • A. The user student must not be listed in the CA’s ignore user list.
  • B. The user student must belong to one or more of the monitored user groups.
  • C. The student workstation’s IP subnet must be listed in the CA’s trusted list.
  • D. At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

Answer: AD

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828

NEW QUESTION 15
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.
NSE7_EFW-6.4 dumps exhibit
Why didn’t the tunnel come up?

  • A. The pre-shared keys do not match.
  • B. The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.
  • C. The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.
  • D. The remote gateway is using aggressive mode and the local gateway is configured to use main mode.

Answer: C

NEW QUESTION 16
View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.
NSE7_EFW-6.4 dumps exhibit
Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

  • A. FortiGate will exempt the connection based on the Web Content Filter configuration.
  • B. FortiGate will block the connection based on the URL Filter configuration.
  • C. FortiGate will allow the connection based on the FortiGuard category based filter configuration.
  • D. FortiGate will block the connection as an invalid URL.

Answer: B

Explanation:
FortiGate applies the filters in this order: Static URL -> FortiGuard -> Content -> Advanced (Java, cookie removal, ...), so the connection is blocked at the first step.

NEW QUESTION 17
A FortiGate device has the following LDAP configuration:
NSE7_EFW-6.4 dumps exhibit
The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real time debug while testing the student account:
NSE7_EFW-6.4 dumps exhibit
Based on the above output, what FortiGate LDAP settings must the administrator check? (Choose two.)

  • A. cnid.
  • B. username.
  • C. password.
  • D. dn.

Answer: BC

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=13141
