A.  

The RPF check is run on the first sent packet of any new session.

B.  

The RPF check is run on the first reply packet of any new session.

C.  

The RPF check is run on the first sent and reply packet of any new session.

D.  

The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

A.  

In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

B.  

Advanced mode supports nested or inherited groups.

C.  

In advanced mode, security profiles can be applied only to user groups, not individual users.

D.  

Advanced mode uses the Windows convention —NetBios: Domain\Username.

A.  

The role of the interface prevents setting a DHCP server.

B.  

The DHCP server setting is available only on the CLI.

C.  

Another interface is configured as the only DHCP server on FortiGate.

D.  

The FortiGate model does not support the DHCP server.

A.  

Application control can identify child and parent applications, and perform different actions on them

B.  

Application control signatures are included in Fortinet Antivirus engine

C.  

Application control does not display a replacement message for a blocked web application

D.  

Application control does not require SSL Inspection to Identity web applications

A.  

The underlay zone contains port1 and

B.  

The d-wan zone contains no member.

C.  

The d-wan zone cannot be deleted.

D.  

The virtual-wan-link zone contains no member.

A.  

FortiGate directs the collector agent to use a remote LDAP server.

B.  

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C.  

FortiGate does not support workstation check.

D.  

FortiGate uses the AD server as the collector agent.

A.  

The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.

B.  

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

C.  

The browser does not recognize the certificate in use as signed by a trusted CA.

D.  

With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.

A.  

FortiGate load balanced the traffic according to the implicit SD-WAN rule.

B.  

There is no application control profile applied to the firewall policy.

C.  

Destination in the SD-WAN rules are configured per application but the feature visibility is not enabled.

D.  

SD-WAN rule names do not appear immediately. The administrator needs to refresh the page.

A.  

Configure a loopback interface with address 203.0.113.2/32.

B.  

In the VIP configuration, enable arp-reply.

C.  

In the firewall policy configuration, enable match-vip.

D.  

Enable port forwarding on the server to map the external service port to the internal service port.

A.  

FortiGate load balanced the traffic according to the implicit SD-WAN rule.

B.  

There is no application control profile applied to the firewall policy.

C.  

Destination in the SD-WAN rules are configured per application but the feature visibility is not enabled.

D.  

SD-WAN rule names do not appear immediately. The administrator needs to refresh the page.

A.  

Both interfaces must have the interface role assigned

B.  

Both interfaces must have directly connected routes on the routing table

C.  

Both interfaces must have DHCP enabled

D.  

Both interfaces must have IP addresses assigned

A.  

FortiGate will start sending all files to FortiSandbox for inspection.

B.  

FortiGate has entered conserve mode.

C.  

Administrators cannot change the configuration.

D.  

Administrators can access FortiGate onlythrough the console port.

A.  

Strict RPF checks the best route back to the source using the incoming interface.

B.  

Strict RPF allows packets back to sources with all active routes.

C.  

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

D.  

Strict RPF check is run on the first sent and reply packet of any new session.

A.  

Change the csf setting on Local-FortiGate (root) to sec fabric-object-unification default.

B.  

Change the csf setting on both devices to sec downscream-access enable.

C.  

Change the csf setting on ISFW (downstream) to sec auchorizacion-requesc-cype certificace.

D.  

Change the csf setting on ISFW (downstream) to sec configuration-sync local.

A.  

Enable match-vip in the Deny policy.

B.  

Set the Destination address as Webserver in the Deny policy.

C.  

Disable match-vip in the Deny policy.

D.  

Set the Destination address as Deny_IP in the Allow_access policy.

A.  

The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.

B.  

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

C.  

The browser does not recognize the certificate in use as signed by a trusted CA.

D.  

With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.

A.  

An SD-WAN zone can contain physical and logical interfaces

B.  

You can use an SD-WAN zone in static route definitions

C.  

You can define up to three SD-WAN zones per FortiGate device

D.  

An SD-WAN zone must contains at least two members

E.  

An SD-WAN zone is a logical grouping of members

A.  

On Demand

B.  

On Idle

C.  

Disabled

D.  

Enabled

A.  

The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile

B.  

The browser does not trust the certificate used by FortiGate for SSL inspection

C.  

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

D.  

The matching firewall policy is set to proxy inspection mode

A.  

NTurbo offloads traffic to the content processor.

B.  

NTurbo creates two inspection sessions on the FortiGate device.

C.  

NTurbo buffers the whole file and then sends it to the antivirus engine.

D.  

NTurbo creates a special data path to redirect traffic between the IPS engine its ingress and egress interfaces.

A.  

Execute a debug flow.

B.  

Capture the traffic using an external sniffer connected to part1.

C.  

Execute another sniffer on FortiGate, this time with the filter "hose 10.o.1.10".

D.  

Run a sniffer on the web server.

A.  

All traffic from a source IP to a destination IP is sent to the same interface.

B.  

Traffic is sent to the link with the lowest latency.

C.  

Traffic is distributed based on the number of sessions through each interface.

D.  

All traffic from a source IP is sent to the same interface

A.  

Full content inspection

B.  

Proxy-based inspection

C.  

Certificate inspection

D.  

Flow-based inspection

A.  

The NetSessionEnum function is used to track user logouts.

B.  

NetAPI polling can increase bandwidth usage in large networks.

C.  

The collector agent must search Windows application event logs.

D.  

The collector agent uses a Windows API to query DCs for user logins.

A.  

Enable the parameter Never Timeout in the admin profiles

B.  

Increase the admintimeout value under config system accprofile super_admin.

C.  

Increase the admintimeout value under config system global

D.  

Increase the offline value of the Override idle Timeout parameter in the NOC_Access admin profile

A.  

One server was contacted to retrieve the contract information.

B.  

There is at least one server that lost packets consecutively.

C.  

A local FortiManaqer is one of the servers FortiGate communicates with.

D.  

FortiGate is using default FortiGuard communication settings.

A.  

www.example.com:443

B.  

www.example.com

C.  

www.example.com/index.hrml

D.  

example.com

A.  

The selected SSL inspection profile has certificate inspection enabled

B.  

The browser does not trust the FortiGate self-siqned CA certificate

C.  

The EICAR test file exceeds the protocol options oversize limit

D.  

The website is exempted from SSL inspection

A.  

Enable match-vip in the Deny policy.

B.  

Set the Destination address as Webserver in the Deny policy.

C.  

Disable match-vip in the Deny policy.

D.  

Set the Destination address as Deny_IP in the Allow_access policy.

A.  

There will be eight routes active in the routing table

B.  

The port1 and port2 default routes are active in the routing table

C.  

The port3 default route has the highest distance

D.  

The port3 default route has the lowest metric

A.  

The selected SSL inspection profile has certificate inspection enabled

B.  

The browser does not trust the FortiGate self-siqned CA certificate

C.  

The EICAR test file exceeds the protocol options oversize limit

D.  

The website is exempted from SSL inspection

A.  

SSL VPN idle-timeout

B.  

SSL VPN login-timeout

C.  

SSL VPN dtls-hello-timeout

D.  

SSL VPN session-ttl

A.  

Pre-shared key and certificate signature as authentication methods

B.  

Extended authentication (XAuth)to request the remote peer to provide a username and password

C.  

Extended authentication (XAuth) for faster authentication because fewer packets are exchanged

D.  

No certificate is required on the remote peer when you set the certificate signature as the authentication method

A.  

The issuer must be a public CA

B.  

The CA extension must be set to TRUE

C.  

The Authority Key Identifier must be of type SSL

D.  

The keyUsage extension must be set to

A.  

Enable the parameter Never Timeout in the admin profiles

B.  

Increase the admintimeout value under config system accprofile super_admin.

C.  

Increase the admintimeout value under config system global

D.  

Increase the offline value of the Override idle Timeout parameter in the NOC_Access admin profile

A.  

Downstream devices can connect to the upstream device from any of their VDOMs

B.  

Each VDOM in the environment can be part of a different Security Fabric

C.  

VDOMs without ports with connected devices are not displayed in the topology

D.  

Security rating reports can be run individually for each configured VDOM

A.  

www.example.com:443

B.  

www.example.com

C.  

www.example.com/index.hrml

D.  

example.com

A.  

The host field in the HTTP header.

B.  

The server name indication (SNI) extension in the client hello message.

C.  

The subject alternative name (SAN) field in the server certificate.

D.  

The subject field in the server certificate.

E.  

The serial number in the server certificate.

A.  

If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.

B.  

If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.

C.  

If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP

D.  

If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.

A.  

The sensor will gather a packet log for all matched traffic.

B.  

The sensor will reset all connections that match these signatures.

C.  

The sensor will allow attackers matching the Microsoft.Windows.iSCSl.Target.DoS signature.

D.  

The sensor will block all attacks aimed at Windows servers.

A.  

Connected monitored ports > Priority > System uptime > FortiGate serial number

B.  

Connected monitored ports > System uptime > Priority > FortiGate serial number

C.  

Connected monitored ports > Priority > HA uptime > FortiGate serial number

D.  

Connected monitored ports > HA uptime > Priority > FortiGate serial number

A.  

Configure a separate firewall policy with action Deny and an FQDN address object for *. download, com as destination address.

B.  

Set the Freeware and Software Downloads category Action to Warning

C.  

Configure a web override rating for download, com and select Malicious Websites as the subcategory.

D.  

Configure a static URL filter entry for download, com with Type and Action set to Wildcard and Block, respectively.

A.  

All traffic from a source IP to a destination IP is sent to the same interface.

B.  

Traffic is sent to the link with the lowest latency.

C.  

Traffic is distributed based on the number of sessions through each interface.

D.  

All traffic from a source IP is sent to the same interface

A.  

LDAP server

B.  

RADIUS server

C.  

DHCP server

D.  

Windows server

A.  

FortiGuard category filter and rating filter

B.  

Static domain filter, SSL inspection filter, and external connectors filters

C.  

DNS-based web filter and proxy-based web filter

D.  

Static URL filter, FortiGuard category filter, and advanced filters

A.  

FGCP is not used when FortiGate is in transparent mode

B.  

FGCP elects the primary FortiGate device

C.  

FGCP is used to discover FortiGate devices in different HA groups

D.  

FGCP runs only over the heartbeat links

A.  

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group

B.  

This option places all users into even/ RADIUS user group, including groups that are used for the LDAP server on FortiGate

C.  

This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case is FortiAuthenticator

D.  

This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group

A.  

FortiGate directs the collector agent to use a remote LDAP server.

B.  

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C.  

FortiGate does not support workstation check.

D.  

FortiGate uses the AD server as the collector agent.

A.  

The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile

B.  

The browser does not trust the certificate used by FortiGate for SSL inspection

C.  

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

D.  

The matching firewall policy is set to proxy inspection mode

A.  

Strict RPF checks the best route back to the source using the incoming interface.

B.  

Strict RPF allows packets back to sources with all active routes.

C.  

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

D.  

Strict RPF check is run on the first sent and reply packet of any new session.

A.  

FGT-1 will remain the primary because FGT-2 has lower priority.

B.  

FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.

C.  

FGT-1 will synchronize the override disable setting with FGT-2.

D.  

The HA cluster will become out of sync because the override setting must match on all HA members.