NEW QUESTION 1
The FortiGate is an IPsec VPN hub. A VPN spoke protecting subnet 192.168.222.0/24 has successfully brought up a tunnel with the FortiGate. This remote network is present in the FortiGate routing table as shown in the exhibit.

Which statement is true?

• A. This subnet was learned during quick-mode negotiation and was dynamically injected into the routing table.
• B. The FortiGate administrator configured this subnet as a locally connected subnet on the “BranchOffice” phase1 interface.
• C. The route in the exhibit is bound to “BranchOffice_0” which is a tunnel other than “BranchOffice”.
• D. The FortiGate administrator configured a static route for 192.168.222.0/24.

Answer: B

NEW QUESTION 2
A customer is authenticating users using a FortiGate and an external LDAP server. The LDAP user, John Smith, cannot authenticate. The administrator runs the debug command diagnose debug application fnbamd 255 while John Smith attempts the authentication:
Based on the output shown in the exhibit, what is causing the problem?

• A. The LDAP administrator password in the FortiGate configuration is incorrect.
• B. The user, John Smith, does have an account in the LDAP server.
• C. The user, John Smith, does not belong to any allowed user group.
• D. The user, John Smith, is using an incorrect password.

Answer: A

Explanation: Fortigate not binded with LDAP server because of failed authentication. References:

NEW QUESTION 3
A FortiGate is deployed in the NAT/Route operation mode. This operation mode operates at which OSI layer?

• A. Layer 4
• B. Layer 1
• C. Layer 3
• D. Layer 2

Answer: C

NEW QUESTION 4
Which command syntax would you use to configure the serial number of a FortiGate as its host name?

• A.
• B.
• C.
• D.

Answer: AB

Explanation: References:
http://defadhil.blogspot.in/2014/04/how-to- protect-fortigate- from.html

NEW QUESTION 5
You have deployed two FortiGate devices as an HA pair. One FortiGate will process traffic while the other FortiGate is a standby. The standby monitors the primary for failure and only takes the role of processing traffic if it detects that the primary FortiGate has failed.
Which style of FortiGate HA does this scenario describe?

• A. active-passive HA
• B. active-active HA
• C. partial mesh HA
• D. full mesh HA

Answer: A

NEW QUESTION 6
You are an administrator of FortiGate devices that use FortiManager for central management. You need to add a policy on an ADOM, but upon selecting the ADOM drop- down list, you notice that the ADOM is in locked state. Workflow mode is enabled on your FortiManager to define approval or notification workflow when creating and installing policy changes.
What caused this problem?

• A. Another administrator has locked the ADOM and is currently working on it.
• B. There is pending approval waiting from a previous modification.
• C. You need to use set workspace-mode workflow on the CLI.
• D. You have read-only permission on Workflow Approve in the administrator profile.

Answer: D

Explanation: http://docs.fortinet.com/uploaded/files/2250/FortiManager-5.2.1-Administration-Guide.pdf

NEW QUESTION 7
There is an interface-mode IPsec tunnel configured between FortiGate1 and FortiGate2. You want to run OSPF over the IPsec tunnel. On both FortiGates. the IPsec tunnel is based on physical interface port1. Port1 has the default MTU setting on both FortiGate units.
Which statement is true about this scenario?

• A. A multicast firewall policy must be added on FortiGate1 and FortiGate2 to allow protocol 89.
• B. The MTU must be set manually in the OSPF interface configuration.
• C. The MTU must be set manually on the IPsec interface.
• D. An IP address must be assigned to the IPsec interface on FortiGate1 and FortiGate2.

Answer: B

Explanation: If MTU doesn’t match then the neighbour ship gets stuck in exchange state.

NEW QUESTION 8
You verified that application control is working from previous configured categories. You just added Skype on blocked signatures. However, after applying the profile to your firewall policy, clients running Skype can still connect and use the application.
What are two causes of this problem? (Choose two.)

• A. The application control database is not updated.
• B. SSL inspection is not enabled.
• C. A client on the network was already connected to the Skype network and serves as relay prior to configuration changes to block Skype
• D. The FakeSkype.botnet signature is included on your application control sensor.

Answer: AB

NEW QUESTION 9
You notice that your FortiGate’s memory usage is very high and that the unit’s performance is adversely affected. You want to reduce memory usage.
Which three commands would meet this requirement? (Choose three.)

• A.
• B.
• C.
• D.
• E.

Answer: ADE

NEW QUESTION 10
Which three statements about throughput on a wireless network are true? (Choose three.)

• A. A wireless device labelled as 300 Mbps should be expected to provide a throughput of 300Mbps.
• B. Be careful to ensure the capabilities of the wireless clients match those of the access points, in order to achieve higher throughput.
• C. Reducing the duty cycles of the wireless media by generating fewer beacons may improve throughput.
• D. Because of the higher level of RF noise that is typical in the 2.4 GHz ISM band, throughput of 2.4 GHz devices will typically be less than 5 GHz devices.
• E. Because of the full-duplex nature of the medium and the minimal overhead generated by CSMA/CA, the actual aggregate throughput is typically close to the data rate.

Answer: BCD

Explanation: References:
http://www.tp-link.in/faq-499.html

NEW QUESTION 11
The FortiGate is used as an IPsec gateway at a branch office. Two tunnels, tunA and tunB, are established between this FortiGate and the headquarters’ IPsec gateway. The branch office’s subnet is 10.1.1.0/24. The headquarters’ subnet is 10.2.2.0/24. The desired usage for tunA and tunB has been defined as follows:
- sessions initiated from 10.1.1.0/24 to 10.2.2.0/24 must be routed out over tunA when tunA is up
- sessions initiated from 10.1.1.0/24 to 10.2.2.0/24 have to be routed out over tunB when tunA is down
- sessions initiated from 10.2.2.0/24 can ingress either on tunA or on tunB Which static routing configuration meets the requirements?

• A.
• B.
• C.
• D.

Answer: C

NEW QUESTION 12
Which two features are supported only by FortiMail but not by FortiGate? (Choose two.)

• A. DNSBL
• B. built-in MTA
• C. end-to-end IBE encryption
• D. FortiGuard Antispam

Answer: AB

NEW QUESTION 13
You are installing a new FortiAP as shown in the exhibit, however, the FortiAP cannot discover the FortiGate. The FortiAP obtained an IP from the DHCP server and is reachable.

Which two configurations will resolve the problem? (Choose two.)

• A.
• B.
• C.
• D.

Answer: BD

Explanation: https://forum.fortinet.com/tm.aspx?m=112739

NEW QUESTION 14
You have implemented FortiGate in transparent mode as shown in the exhibit. User1 from the Internet is trying to access the 192.168.10.10 Web servers.

Which two statements about this scenario are true? (Choose two.)

• A. User1 would be able to access the Web server intermittently.
• B. User1 would not be able to access any of the Web servers at all.
• C. FortiGate learns Web servers MAC address when the Web servers transmit packets.
• D. FortiGate always flood packets to both Web servers at the same time.

Answer: AC

Explanation: Both servers have same ip address, so there will be intermittent we server connectivity from outside and whichever web server forwards packets fortigate learns its mac address.

NEW QUESTION 15
Referring to the exhibit, which statement is true?

• A. The packet failed the HMAC validation.
• B. The packet did not match any of the local IPsec SAs.
• C. The packet was protected with an unsupported encryption algorithm.
• D. The IPsec negotiation failed because the SPI was unknown.

Answer: A

Explanation: http://kb.fortinet.com/kb/viewContent.do?externalId=FD33101

NEW QUESTION 16
You are asked to establish a VPN tunnel with a service provider using a third-party VPN device. The service provider has assigned subnet 30.30.30.0/24 for your outgoing traffic going towards the services hosted by the provider on network 20.20.20.0/24. You have multiple computers which will be accessing the remote services hosted by the service provider.

Which three configuration components meet these requirements? (Choose three.)

• A. Configure an IP Pool of type Overload for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN forwards the VPN tunnel and select that pool.
• B. Configure IPsec phase 2 proxy IDs for a source of 10.10.10.0/24 and destination of 20.20.20.0/24.
• C. Configure an IP Pool of Type One-to-One for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN towards the VPN tunnel and select that pool.
• D. Configure a static route towards the VPN tunnel for 20.20.20.0/24.
• E. Configure IPsec phase 2 proxy IDs for a source of 30.30.30.0/24 and destination of 20.20.20.0/24.

Answer: CDE

NEW QUESTION 17
Referring to the configuration shown in the exhibit, which three statements are true? (Choose three.)

• A. Traffic logging is disabled in policy 96.
• B. TCP handshake is completed and no FIN/RST has been forwarded.
• C. No packet has hit this session in the last five minutes.
• D. No QoS is applied to this traffic.
• E. The traffic goes through a VIP applied to policy 96.

Answer: BCE

Explanation: References:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD30042