NEW QUESTION 1
Exhibit

You ate trying to configure Link-Aggregation Group (LAG), but ports A and B do not appear on the list of member options. Referring to the exhibit, which statement is correct in this situation?

• A. The FortiGate model being used does not support LAG.
• B. The FortiGate model does not have an Integrated Switch Fabric (ISF).
• C. The FortiGate SFP+ slot does not have the correct module.
• D. The FortiGate interfaces are defective and require replacemen

Answer: B

NEW QUESTION 2
An old router has been replaced by a FortiWan device. The routers management IP address and now the network administrator to remove the old router from the FortiSIEM configuration.
Which two statements are true about this oper atjon? (Choose two)

• A. FortiSIEM will discover a new device for the FortiWAN with the same IP.
• B. The old router will be completely deleted from FortiSIEM's CMDB.
• C. FotiSEIM needs a special syslog for FortiWAN.
• D. FortiSIM will move the old router device into the Decommission folde

Answer: CD

NEW QUESTION 3
A FortOS devices is used for termination of VPNs for number of remote spoke VPN units (designated group A spokes) using a phase 1 main mode dial-up tunnel using pre-shared. Your company recently acquired another organization. You are asked establish VPN correctively for the newly acquired organization's sites which new devices will be provisioned (designated Group B spokes). Both exiting (Group A) and new (Group B) spoke units are dynamically addressed. You are asked to ensure that spokes from the acquired organization (Group B) have different access permission than your existing VPN spokes (Group A).
Which two solutions meet the represents for the new spoke group? (Choose two.)

• A. implements a new phase 1 dial-up mode tunnel with preshared keys and XAut
• B. Use identity to filter traffic.
• C. Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spoke
• D. Use standard policies to filter for the new dial-up tunnel
• E. Implement a new phase 1 dial-up main mode tunnel with certificate authenticatio
• F. Use standard policies to filter for the dial-up tunnel.
• G. Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer I
• H. Use standard policies to filter traffic for the new dial-up tunnel.

Answer: AB

NEW QUESTION 4
You deploy a FortiGate device in a remote office based on the requirements shown below.
-- Due to company's security policy, management IP of your FortiGate is not allowed to access the Internet.
-- Apply Web Filtering, Antivirus, IPS and Application control to the protected subnet.
-- Be managed by a central FortiManager in the head office. Which action will help to achieve the requirements?

• A. Configure a default route and make sure that the FortiGate device can pmg to service fortiguard net.
• B. Configure the FortiGuard override server and use the IP address of the FortiManager
• C. Configure the FortiGuard override server and use the IP address of service, fortiguard net.
• D. Configure FortiGate to use FortiGuard Filtering Port 8888.

Answer: B

NEW QUESTION 5
Exhibit

The exhibit shows the steps for creating a URL rewrite policy on a FortWet-Which statement represents the purpose of this policy?

• A. The policy redirects all HTTP URLs to HTTPS.
• B. The policy redirects all HTTPS URLs to HTTP.
• C. The policy redirects only HTTPS URLs containing the ˆ/ (. *) S string to HTTP.
• D. The pokey redirects only HTTP URLs containing theˆ/ ( .*)S string to HTTP

Answer: A

NEW QUESTION 6
Exhibit

The exhibit shows the configuration of a service protection profile (SPP) in a FortiDDoS device. Which two statements are true about the traffic matching being inspection by this SPP? (Choose two.)

• A. Traffic that does match any spp policy will not be inspection by this spp.
• B. FortiDDos will not send a SYNACK if a SYN packet is coming from an IP address that is not the legtimate IP (LIP) address table.
• C. FortiDooS will start dropping packets as soon as the traffic executed the configured maintain threshold.
• D. SYN packets with payloads will be droope

Answer: AB

NEW QUESTION 7
You have a customer experiencing problem with a legacy L3L4 firewall device and IPV6 SIP VoIP traffic. They devices is dropping SIP packets, consequently, it process SIP voice calls. Which solution would solve the customer's problem?

• A. Deploy a FortiVoice and enable IPv6 SIP.
• B. Replace their legacy device with a FortiGate and configure it to extract information from the body of the IPv6 packet.
• C. Deploy a FotiVoice and enable an IPv6 SIP session helper.
• D. Replace their legacy device with a FortiGate and deploy a FortiVoice to extract information from the body of the IPv6 SIP packet

Answer: A

NEW QUESTION 8
Exhibit

You created an aggregate interface between your FortiGate and consisting of two 1 GBPs links in the exhibit. However, the maximum bandwidth never exceeds 1 Gbps and employees are complaining that the is slow. After troubleshooting, you notice only one member interface is being used. The configuration for the aggregation interface is shown in the exhibit.
In ths scenario, which command will solve this problem?
A)

B)

C)

D)

• A. Option A
• B. Option B
• C. Option C
• D. Option D

Answer: A

NEW QUESTION 9
Exhibit

Only users authenticated in FortiGate-B reach the server. A customer wants to deploy a single sing-on solution for VPN users. Once a user’s is connected and authenticated to the VPN in FortiGate-A, the user does not need to authenticate again in FortiGate-B to reach the server.
Which two actions satisfy this requirement? (Choose two.)

• A. Use Kerberos authentication.
• B. FortiGate-A must generate a RADUIS accounting packets.
• C. Use FortiAuthenticator.
• D. Use the Collector Agen

Answer: CD

NEW QUESTION 10
A customer wants to enable SYN Rood mitigation in a FortiDDoS device. The FortiDDoS must reply with one SYN/ACK packet per SYN packet ftom a new source IP address. Which SYN packet from a new source IP address. Which SYN flood mitigation mode must the customer use?

• A. SYN cookie
• B. SYN/ACK cookie
• C. ACK cookie
• D. SYN retransmission

Answer: A

NEW QUESTION 11
You are administrating the FortiGate 5000 and FortiGate 7000 series products. You want to access the HTTPS GU of the blade located n logical slot of the secondary chassis in a high-availability cluster.
Which URL will accomplish this task?

• A. https//192.168.1.99.44302
• B. https//192.168.1.99.44313
• C. https//192.168.1.99.44322
• D. https//192.168.1.99.44323

Answer: A

NEW QUESTION 12
Exhibit

The exhibit shows a topology where a FortiGate is two VDOMS, root and vd-vlasn. The root VDCM provides SSL-VPN access, where the users authenticated by a FortiAuthenticatator.
The vd-lan VDOM provids internal access to a Web server. For the remote users to access the internal web server, there are a few requirements, which are shown below.
--At traffic must come from the SSI-VPN
--The vd-lan VDOM only allows authenticated traffic to the Web server.
-- Users must only authenticate once, using the SSL-VPN portal.
-- SSL-VPN uses RADIUS-based authentication.
referring to the exhibit, and the requirement describe above, which two statements are true? (Choose two.)

• A. vd-lan authentication messages from root using FSSO.
• B. vd-lan connects to Fort authenticator as a regular FSSO client.
• C. root is configured for FSSO while vd-lan is configuration for RSSO.
• D. root sends “RADIUS Accounting Messages" to FortiAuthenticato

Answer: AC

NEW QUESTION 13
Exhibit

You have configured an HA cluster with Two FortiGates You want to make sore that you are able to manage the individual duster members using ports3.
Referring to the exhibit, what are two ways to accomplish this task? (Choose two.)

• A. Disable the sync feature on porl3: then configure specific IPs for ports on both cluster members.
• B. Configure port3 to be a dedicated HA management interface, then configure specific IPs for port3 on both cluster members.
• C. Create a management VDOM and Disable the HA synchronization for this VDOM, assign ports to this VDOM, then configure specific IPs for ports on both cluster member.
• D. Allow administrative access in the HA heartbeat interface

Answer: BC

NEW QUESTION 14
You have a customer with a SCADA environmental control devices that is trigged a false-positive OPS alert whenever the device's Web GUI is accessed. You cannot seem to create a functional custom IPS filter expert this behavior, and it appears that the device is so old that it does HTTPS support. You need to prevent the false posited IPS alert occurring. In this scenario, which two actions would accomplish this task? (Choose two.)

• A. Create a very granular firewall for that device's IP address which does not perform IPS scanning.
• B. Reconfigure the FortiGate to operate in proxy-based inspection mode instead of flow-base
• C. Create a URL filter with the exempt action for that device's IP address.
• D. Change the relevant firewall policies to use SSL certificate-inspection instead of SSL deep-inspectio

Answer: BC

NEW QUESTION 15
Your client wants to use a central RADIUS server for management authentication when connecting to the FortiGate GUL and provide different levels of access for different types of employees.
Which three actions required providing the requested functionality? (Choose three.)

• A. Enable radius-vdom-override in the CLI.
• B. Create a wildcard administrator on the FortGate
• C. Enable occprofile-override in the CLI.
• D. Set the RADIUS authencation type to MS-CHApV2.
• E. Create multiple administrator profiles with matching RADIUS VSA

Answer: CDE

NEW QUESTION 16
You want to manage a FortiCloud service. The FortiGate shows up in your list devices on the FortiCloud Web site, but all management functions are either missing or grayed out.
Which statement a correct in this scenario?

• A. The managed FcrtGate a running a version of ForflOS that is either too new or too for FortCloud.
• B. The managed FortiGate requires that a FortiCloud management license be purchased and applied.
• C. You must manually configure system control-management on the FortiGate CLI and set the management type to fortiguard.
• D. The management tunnel mode on the managed FortiGate must be changed to norma

Answer: C

NEW QUESTION 17
Exhibit

Referring to the exhibit, which two behaviors will the FortiClient endpoint has after receiving the profile update from the FortiClient EMS? (Choose two.)

• A. Files executed from a mapped network drive will not be inspected by the FortiCltent endpoint Antivirus engine.
• B. The user will not be able to access a Web downloaded file for at least 60 seconds when the FortiSandbox is reachable.
• C. The user will not be able to access a Web downloaded file for a maximum seconds if it is not a virus and the FortiSandbox s reachable.
• D. The user will not be able to access a Web downloaded file when the FortiSandbox is unreachabl

Answer: AD

NEW QUESTION 18
Exhibit

What are two ways to establish communication between an existing NAT VDOM and a new transparent VDOM? (Choose two.)

• A. Set the set ip 10.10.10. i command to vlink2l.
• B. Set type ppp to the vdom-link, vlink2.
• C. Set the not ip 10.I0.I0.1 command to vlink20.
• D. Set type ethernet to the vdom-link, vlink2.

Answer: AC

NEW QUESTION 19
You are building a FortiGala cluster which is stretched over two locations. The HA connections for the cluster are terminated on the data centers.
Once the FortiGates have booted, they do form a cluster.
The network operators inform you that CRC eoors are present on the switches where the FortiGAtes are connected. What would you do to solve this problem?

• A. Replace the caables where the CRC errors occur.
• B. Change the ethertype for the HA packets.
• C. Set the speedduplex setting to 1 Gbps /Full Duplex.
• D. Place the HA interfaces in dedicated VLAN

Answer: A

NEW QUESTION 20
An organization has one central site And three remote sites. A FotiSIEM has been drafted on the central site and now all devices across the remote sites need to be monitored by the FortiSlEM.
When action would reduce the WAN usage by the monitoring system?

• A. Deploy a single Supervisor on the central site and enable WAN optimize on the WAN gateways.
• B. Install local Collection remote site.
• C. Disable monitoring on the remote sites during the day.
• D. install a Supervisor and a Collector for each remote sit

Answer: C

NEW QUESTION 21
You ate asked lo add a FortiDDoS to the network to combat detected slow connection attacks such as Slowloris. Which prevention mode on FortiDDoS will protect you against this specific type of attack?

• A. aggressive aging mode
• B. rate limiting mode
• C. blocking mode
• D. asymmetric mode

Answer: A

NEW QUESTION 22
Exhibit

Referring to the exhibit, which two statements are true about local authentication? (Choose two.)

• A. The user will be blocked 15 seconds after five login failures.
• B. When a ClientHello message indicating a renegotiation is received, the FortiGate will allow the TCP connection.
• C. The user's IP address will be blocked 15 seconds after five login failures.
• D. After five minutes, the user will need to re-authenticate.

Answer: BD

NEW QUESTION 23
Exhibit
[MISSING]
You configure AV and Web filtering for your outgoing internet connection.
You later notice that not all Web session are being inspection and you start troubleshooting the problem. Referring to the exhibit, what would cause this problem?

• A. The Web session is using QUIC which a not inspected by the FortiGate
• B. These are problem with the connection to the Web filter servers, therefore the Web session cannot be categorized.
• C. The SSL inspection options are not set to inspection
• D. Web filtering is not licensed, therefore no inspection occur

Answer: A

NEW QUESTION 24
......