A.  

This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.

B.  

Peer IDs are unencrypted and exposed, creating a security risk.

C.  

FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated.

D.  

A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.

A.  

Use the IPS profile extension to select an operating system, protocol, and application for all the network internal services and users to prevent false positives.

B.  

Enable Scan Outgoing Connections to avoid clickingsuspicious links or attachments that can deliver botnet malware and create false positives.

C.  

Use an IPS profile with action monitor, however, the administrator must be aware that this can compromise network integrity.

D.  

Install missingor expired SSUTLS certificates on the client PC to prevent expected false positives.

A.  

config neighbor

B.  

config redistribute bgp

C.  

config router route-map

D.  

config redistribute ospf

A.  

The FortiGate device can inject external routing information.

B.  

The FortiGate device is in the area 0.0.0.5.

C.  

The FortiGate device does not support OSPF ECMP.

D.  

The FortiGate device is a backup designated router.

A.  

You must enable STP or RSTP on FortiGate and FortiSwitch to avoid layer 2 loopbacks.

B.  

The LAN interface must use a 802.3ad type interface.

C.  

This connection is using a FortiLInk to manage VLANs on FortiGate.

D.  

FortiGate is using an SD-WAN-type interface to connect to a FortiSwitch device with MCLAG.

A.  

Add a URL wildcard domain to the website CA certificate and use it in the SSL/SSH Inspection Profile.

B.  

In the Protocol Port Mapping section of the SSL/SSH Inspection Profile, enter 443, 8443 to analyze both standard (443) and non-standard (8443) HTTPS ports.

C.  

To analyze nonstandard ports in web filter profiles, use TLSv1.3 in the SSL/SSH Inspection Profile.

D.  

Administrators can block traffic on nonstandard ports by enabling the SNI check in the SSL/SSH Inspection Profile.

A.  

Installation of the session key in the network processor (NP)

B.  

Data encryption and decryption

C.  

Security inspections such as ACL, HPE, and IP integrity header checking

D.  

Offloading the packets directly to the content processor (CP)

A.  

Use the DNS filter to block application signatures and protocol decoders.

B.  

Use application control to limit non-URL-based software handling.

C.  

Enable application detection-based SD-WAN rules.

D.  

Configure a web filter profile in flow mode.

A.  

Use routing protocols to specify allowed subnets over the tunnel.

B.  

Configure an IPsec-aggregate to create redundancy between each firewall peer.

C.  

Clearly indicate to the VPN which segments will be encrypted in the phase two selectors.

D.  

Configure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.

A.  

Set route-overlap to either use-new or use-old

B.  

Set net-device to ecmp

C.  

Set single-source to enable

D.  

Set route-overlap to allow

A.  

The administrator must implement BGP to inject the new remote office network into the corporate FortiGate device

B.  

The administrator must configure a static route to the subnet 192.168.l.0/24 on the corporate FortiGate device.

C.  

The administrator must configure virtual links on both FortiGate devices.

D.  

The administrator must implement OSPF over IPsec on both FortiGate devices.

A.  

The suspicious packet is related to a cluster that has VDOMs enabled.

B.  

The network includes FortiGate devices configured with the FGSP protocol.

C.  

The suspicious packet is related to a cluster with a group-id value lower than 255.

D.  

The suspicious packet corresponds to port 7 on a FortiGate device.

A.  

Use metadata variables to dynamically assign values according to each FortiGate device.

B.  

Use provisioning templates and install configuration settings at the device layer.

C.  

Use the Global ADOM to deploy global object configurations to each FortiGate device.

D.  

Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.

E.  

Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices.

A.  

Use IKEv2, which encrypts peer IDs and prevents exposure.

B.  

Opt for SSL VPN web mode because it does not use peer IDs at all.

C.  

Choose IKEv1 aggressive mode because it simplifies peer identification.

D.  

Stick with IKEv1 main mode because it offers better performance.

A.  

The prefix 172.16.1.248/30 in the BGP Networks section on FortiGate_B

B.  

A BGP route map out for 172.16.1.248/30 on FortiGate_B

C.  

Enable Redistribute Connected in the BGP section on FortiGate_B.

D.  

A BGP route map in for 172.16.1.248/30 on FortiGate_A

A.  

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard.

B.  

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard.

C.  

The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model.

D.  

The ISDB limits access by URL and domain.

A.  

network-import-check

B.  

ibgp-enforce-multihop

C.  

neighbor-group

D.  

route-reflector-client