A.  

www.example.com:443

B.  

www.example.com

C.  

example.com

D.  

www.example.com/index.html

A.  

Antivirus engine

B.  

Intrusion prevention system engine

C.  

Flow engine

D.  

Detection engine

A.  

Disabled

B.  

On Demand

C.  

Enabled

D.  

On Idle

A.  

The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

B.  

The sensor will block all attacks aimed at Windows servers.

C.  

The sensor will reset all connections that match these signatures.

D.  

The sensor will gather a packet log for all matched traffic.

A.  

The port3 default route has the lowest metric.

B.  

The port1 and port2 default routes are active in the routing table.

C.  

The ports default route has the highest distance.

D.  

There will be eight routes active in the routing table.

A.  

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B.  

The traffic sourced from the client and destined to the server is sent to FGT-1.

C.  

The cluster can load balance ICMP connections to the secondary.

D.  

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

A.  

FortiCache

B.  

FortiSIEM

C.  

FortiAnalyzer

D.  

FortiSandbox

E.  

FortiCloud

A.  

Enable anti-replay in firewall policy.

B.  

Disable the RPF check at the FortiGate interface level for the source check

C.  

Enable asymmetric routing.

D.  

Disable strict-arc-check under system settings.

A.  

The session is a UDP unidirectional state.

B.  

The session is in TCP ESTABLISHED state.

C.  

The session is a bidirectional UDP connection.

D.  

The session is a bidirectional TCP connection.

A.  

10.200. 1. 1

B.  

10.200.3. 1

C.  

10.200. 1. 100

D.  

10.200. 1. 10

A.  

192. 168.3.0/24

B.  

192. 168.2.0/24

C.  

192. 168. 1.0/24

D.  

192. 168.0.0/8

A.  

Traffic is blocked because Action is set to DENY in the firewall policy.

B.  

Traffic belongs to the root VDOM.

C.  

This is a security log.

D.  

Log severity is set to error on FortiGate.

A.  

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

B.  

The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C.  

The two VLAN subinterfaces must have different VLAN IDs.

D.  

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

A.  

On HQ-FortiGate, set IKE mode to Main (ID protection).

B.  

On both FortiGate devices, set Dead Peer Detection to On Demand.

C.  

On HQ-FortiGate, disable Diffie-Helman group 2.

D.  

On Remote-FortiGate, set port2 as Interface.

A.  

Heuristics scan

B.  

Trojan scan

C.  

Antivirus scan

D.  

Ransomware scan

A.  

System event logs

B.  

Forward traffic logs

C.  

Local traffic logs

D.  

Security logs

A.  

The public key of the web server certificate must be installed on the browser.

B.  

The web-server certificate must be installed on the browser.

C.  

The CA certificate that signed the web-server certificate must be installed on the browser.

D.  

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

A.  

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

B.  

A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

C.  

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

D.  

Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

A.  

Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.

B.  

Configure a web override rating for download.com and select Malicious Websites as the subcategory.

C.  

Set the Freeware and Software Downloads category Action to Warning.

D.  

Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

A.  

10.200.1.10

B.  

10.0.1.254

C.  

10.200.1.1

D.  

10.200.3.1

A.  

Set the maximum session TTL value for the TELNET service object.

B.  

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C.  

Create a new service object for TELNET and set the maximum session TTL.

D.  

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

A.  

SSL VPN idle-timeout

B.  

SSL VPN http-request-body-timeout

C.  

SSL VPN login-timeout

D.  

SSL VPN dtls-hello-timeout

A.  

This setup requires at least two firewall policies with the action set to IPsec.

B.  

Dead peer detection must be disabled to support this type of IPsec setup.

C.  

The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

D.  

This is a redundant IPsec setup.

A.  

FortiGuard web filter cache

B.  

FortiGate hostname

C.  

NTP

D.  

DNS

A.  

idle-timeout

B.  

login-timeout

C.  

udp-idle-timer

D.  

session-ttl

A.  

Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B.  

If a virus is detected, the last packet is delivered to the client.

C.  

The IPS engine handles the process as a standalone.

D.  

FortiGate buffers the whole file but transmits to the client at the same time.

E.  

Flow-based inspection optimizes performance compared to proxy-based inspection.

A.  

Change the csf setting on ISFW (downstream) to set configuration-sync local.

B.  

Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

C.  

Change the csf setting on both devices to set downstream-access enable.

D.  

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

A.  

Reliable logging is enabled by default in all configuration scenarios.

B.  

Reliable logging is required to encrypt the transmission of logs.

C.  

Reliable logging can be configured only using the CLI.

D.  

Reliable logging prevents the loss of logs when the local disk is full.

A.  

Add the support of NTLM authentication.

B.  

Add user accounts to Active Directory (AD).

C.  

Add user accounts to the FortiGate group fitter.

D.  

Add user accounts to the Ignore User List.

A.  

10.200. 1. 10

B.  

Any available IP address in the WAN (port1) subnet 10.200. 1.0/24

66 of 108

C.  

10.200. 1. 1

D.  

10.0. 1.254

A.  

SSH

B.  

HTTPS

C.  

FTM

D.  

FortiTelemetry

A.  

It always authorizes the traffic without requiring authentication.

B.  

It drops the traffic.

C.  

It authenticates the traffic using the authentication scheme SCHEME2.

D.  

It authenticates the traffic using the authentication scheme SCHEME1.

A.  

Interface name

B.  

Packet payload

C.  

Ethernet header

D.  

IP header

E.  

Application header

A.  

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.  

ADVPN is only supported with IKEv2.

C.  

Tunnels are negotiated dynamically between spokes.

D.  

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

A.  

FortiGate points the collector agent to use a remote LDAP server.

B.  

FortiGate uses the AD server as the collector agent.

C.  

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

D.  

FortiGate queries AD by using the LDAP to retrieve user group information.

A.  

The interface has been configured for one-arm sniffer.

B.  

The interface is a member of a virtual wire pair.

C.  

The operation mode is transparent.

D.  

The interface is a member of a zone.

E.  

Captive portal is enabled in the interface.

A.  

Heartbeat interfaces have virtual IP addresses that are manually assigned.

B.  

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C.  

Virtual IP addresses are used to distinguish between cluster members.

D.  

The primary device in the cluster is always assigned IP address 169.254.0.1.

A.  

FortiGuard web filter queries

B.  

PKI

C.  

Traffic shaping

D.  

DNS

A.  

ZTNA IP/MAC filtering mode

B.  

ZTNA access proxy

C.  

SSL VPN

D.  

L2TP

A.  

VDOMs without ports with connected devices are not displayed in the topology.

B.  

Downstream devices can connect to the upstream device from any of their VDOMs.

C.  

Security rating reports can be run individually for each configured VDOM.

D.  

Each VDOM in the environment can be part of a different Security Fabric.

A.  

Traffic between port2 and port2-vlan1 is allowed by default.

B.  

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

C.  

port1 is a native VLAN.

D.  

port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

A.  

The Services field prevents SNAT and DNAT from being combined in the same policy.

B.  

The Services field is used when you need to bundle several VIPs into VIP groups.

C.  

The Services field removes the requirement to create multiple VIPs for different services.

D.  

The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

A.  

It limits the scope of application control to the browser-based technology category only.

B.  

It limits the scope of application control to scan application traffic based on application category only.

C.  

It limits the scope of application control to scan application traffic using parent signatures only

D.  

It limits the scope of application control to scan application traffic on DNS protocol only.

A.  

Make SSL inspection needs to be a deep content inspection.

B.  

Force access to Facebook using the HTTP service.

C.  

Get the additional application signatures are required to add to the security policy.

D.  

Add Facebook in the URL category in the security policy.

A.  

Policy lookup will be disabled.

B.  

By Sequence view will be disabled.

C.  

Search option will be disabled

D.  

Interface Pair view will be disabled.

A.  

Policy with ID 4.

B.  

Policy with ID 5.

C.  

Policies with ID 2 and 3.

D.  

Policy with ID 4.

A.  

Source IP

B.  

Spillover

C.  

Volume

D.  

Session

A.  

Apple FaceTime will be allowed, based on the Categories configuration.

B.  

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

C.  

Apple FaceTime will be allowed, based on the Apple filter configuration.

D.  

Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

A.  

The Detection Mode setting is not set to Passive.

B.  

Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

C.  

The configured participants are not SD-WAN members.

D.  

The Enable probe packets setting is not enabled.

A.  

FortiGate uses the AD server as the collector agent.

B.  

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C.  

FortiGate does not support workstation check .

D.  

FortiGate directs the collector agent to use a remote LDAP server.

A.  

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

B.  

It does not require a separate FortiGuard license.

C.  

Full SSL inspection is not required.

D.  

its available only on a proxy-based firewall policy.