ABT
What must be configured to allow traffic through a next-generation firewall (NGFW) FortiGate 7.4 ?
Välj ett alternativ:
Firewall Policy
Access Control List (ACL)
Security Policy
Authentication Policy
Firewall Policy
Which three(3) pieces of information does Fortigate use to identify the hostname of HTTPS server when “SSL certificate inspection” is enabled?
Välj ett eller flera alternativ:
The server name identification (SNI) extension
The expiration date of the server certificate
The serial number of the server certificate
The host field in the HTTPS header
The subject field in the server certificate
The subject alternative name (SAN) field.
The server name identification (SNI) extension
The subject alternative name (SAN) field
The host field in the HTTPS header
Which three(3) pieces of information does Fortigate use to identify the hostname of HTTPS server when “SSL certificate inspection” is enabled?
Välj ett eller flera alternativ:
Interface name
Application header
CRC from TCP header
IP header
Packet payload
Ethernet header
Interface name
Packet payload
Application header
Which statement about this view of firewall policy list is true?
Välj ett alternativ:
The firewall policies are listed by ingress and egress interfaces pairing view.
The firewall policies are listed by Sequence Grouping view.
The Implicit group can include more than one deny firewall policy.
The firewall policies are listed by Usage Count view.
The firewall policies are listed by ingress and egress interfaces pairing view.
Which of the following two(2) are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode?
Välj ett eller flera alternativ:
Exempt
Warning
Learn
Allow
Warning
Allow
Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable Next-Hop? (Choose two)
Välj ett eller flera alternativ:
Lookup is done on the last packet sent from the responder
Lookup is done on every packet, regardless of direction
Lookup is done on the first packet from the session originator
Lookup is done on the first reply packet from the responder
Lookup is done on every packet, regardless of direction
Lookup is done on the first packet from the session originator
date=2022-06-14 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140 catdesc="custom1"
What two(2) things does this raw log indicate?
Välj ett eller flera alternativ:
The traffic originated from 66.171.121.44.
192.168.1.24 is the IP address for www.fortinet.com.
The traffic matches the webfilter profile on firewall policy ID 2.
This is https traffic.
FortiGate allowed the traffic to pass.
The traffic matches the webfilter profile on firewall policy ID 2.
FortiGate allowed the traffic to pass.
Using https, why would the firewall policy not block a well-known virus, for example eicar?
Välj ett alternativ:
The firewall policy does not apply deep content inspection.
The firewall policy is not configured in proxy-based inspection mode.
The action on the firewall policy is not set to deny.
Web filter is not enabled on the firewall policy to complement the antivirus profile.
The firewall policy is not configured in proxy-based inspection mode.
Which two(2) statements about antivirus scanning in a firewall policy set to proxy-based inspection mode, are true?
Välj ett eller flera alternativ:
The client must wait for the antivirus scan to finish scanning before it receives the file.
FortiGate informs the sender that it has a virus.
If a virus is detected, a block replacement message is displayed immediately.
FortiGate sends a reset packet to the client if antivirus reports the file as infected.
If a virus is detected, a block replacement message is displayed immediately.
The client must wait for the antivirus scan to finish scanning before it receives the file.
The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
Choose an option:
Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
Apple FaceTime will be allowed, based on the Video/Audio category configuration.
Apple FaceTime will be allowed, based on the Apple filter configuration.
Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
What is a key benefit of using VDOMs on a FortiGate firewall?
Choose an option:
They enable logical separation of networks with independent security policies.
They allow multiple FortiGate devices to function as one unit.
They improve hardware performance by overclocking the CPU.
They eliminate the need for routing between internal networks.
They enable logical separation of networks with independent security policies.
When configuring an SSL Inspection profile in FortiGate OS 7.4, which setting determines how FortiGate handles invalid certificates?
Choose an options:
Deep Packet Inspection Mode
Untrusted Certificate Action
Cipher Suite Enforcement
Session Timeout Policy
Untrusted Certificate Action
Which NAT method translates the source IP address in a packet to another IP address?
Choose an option:
SNAT
VIP
IPPOOL
DNAT
SNAT
What happens if a FortiGate firewall with an active FortiGuard subscription cannot reach FortiGuard servers?
Choose an option:
It continues using the last updated security database.
It automatically disables all security services.
It blocks all traffic until connectivity is restored.
It reverts to using local firewall rules only.
It continues using the last updated security database.
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit.
What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
Choose an option:
Traffic matching the signature will be silently dropped and logged.
The signature setting uses a custom rating threshold.
Traffic matching the signature will be allowed and logged.
The signature setting includes a group of other signatures.
Traffic matching the signature will be silently dropped and logged.
Which statement about this firewall policy list is true?
Välj ett alternativ:
LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists.
The firewall policies are listed by ID sequence view.
The firewall policies are listed by ingress and egress interfaces pairing view.
The Implicit group can include more than one deny firewall policy.
The firewall policies are listed by ID sequence view.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.
Choose one or more options:
The sensor will block all attacks aimed at Windows servers.
The sensor will gather a packet log for all matched traffic.
The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
The sensor will reset all connections that match these signatures.
The sensor will block all attacks aimed at Windows servers.
The sensor will gather a packet log for all matched traffic.
When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.
Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)
Choose one or more options:
Allow & Warning
Allow
Ignore
Block & Warning
Block
Allow
Block & Warning
Allow & Warning
Which two behaviours result from this full SSL configuration? (Choose two.)
Choose one or more options:
A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.
A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
The browser bypasses all certificate warnings and allows the connection.
A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.
A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)
Choose one or more options:
In the firewall policy configuration, add 10.0.1.3 as an address object in the source field
Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
In the IP pool configuration, set type to overload.
In the IP pool configuration, set endip to 192.2.0.12.
In the IP pool configuration, set type to overload.
In the IP pool configuration, set endip to 192.2.0.12.
Which of the following is a required component when creating a firewall policy in FortiGate?
Choose an option:
DHCP Server Configuration
Schedule
Source and Destination Addresses
Log Settings
Source and Destination Addresses
Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)
B. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
D. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
Question 2: (Select one)
Which statement about the HA override setting in FortiGate HA clusters is true?
A. You must configure override settings manually and separately for each cluster member.
Question 3: (Select two)
Which two statements about incoming and outgoing interfaces in firewall policies are true?
C. A zone can be chosen as the outgoing interface.
D. Multiple interfaces can be selected as incoming and outgoing interfaces.
Question 4: (Select three)
Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication?
B. Email
C. SMS text message
E. FortiToken Mobile
Question 5: (Select one)
Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?
D. It captures the login and logoff events and forwards them to the collector agent.
Question 6: (Select one)’
Which route will be selected when trying to reach 10.20.30.254?
D. 10.20.30.0/24 via 172.20.167.254, port3
Question 7: (Select one)
What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
B. Both control ECMP algorithms.
Question 8: (Select one)
What interface must be used as the source for the firewall policy?
A. ssl.Corporation
Question 9: (Select one)
Which statement about firewall policy NAT is true?
C. You must configure SNAT for each firewall policy.
Question 10: (Select one)
What is eXtended Authentication (XAuth)?
It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
Question 11: (Select one)
An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.
How can this be achieved?
B. Disabling split tunneling
Question 12: (Select one)
FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.
What is the most likely reason for this situation?
A. The user was authenticated using passive authentication
Question 13: (Select two)
Which two behaviors result from full SSL inspection?
A. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
Question 14: (Select two)
How will FortiGate perform RPF checks for a user at 192.168.32.15 accessing 172.16.32.254? (Choose two.)
A. Strict RPF check will allow the traffic
C. Loose RPF check will allow the traffic
Question 15: Carrier-Grade NAT IP Pools (Select two)
Which IP pool types are useful for CGNAT deployments?
A. Port block allocation
D. Fixed port range
Question 16: (Select one)Which statement about the configuration settings is true?
When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
Question 17: (Select three)
Which settings/protocols provide secure administrative access?
A. SSH
D. Trusted host
E. HTTPS
Question 18: (Select one)
Which NAT method translates the source IP address in a packet to another IP address
C. SNAT
Question 19: (Select one)
What must be configured to enable failover?
You must configure session-pickup-enable under configure system ha.
Question 20: (Select one)
Which type of traffic inspection requires FortiGate to act as a CA?
SSL traffic inspection when protecting multiple clients connecting to multiple servers.
Question 21: (Select two)
Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)
B. FortiAnalyzer IP ADDRESS
D. Fabric name
Question 22: (Select two)
Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)
It supports monitoring of nested groups.
FortiGate can act as an LDAP client to configure the group filters.