Fortinet NSE 7 - Enterprise Firewall 7.2 NSE7_EFW-7.2 Exam Practice Test

To block the advertisement of the 10.1.10.0 prefix in OSPF, you can configure a distribute-list-out or a route-map out.A distribute-list-out is used to filter outgoing routing updates from being advertised to OSPF neighbors1.A route-map out can also be used for filtering and is applied to outbound routing updates2.Reference:=Technical Tip: Inbound route filtering in OSPF usi ... - Fortinet Community,OSPF | FortiGate / FortiOS 7.2.2 - Fortinet Documentation

Question 14

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 15

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 16

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 17

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 18

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 19

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.

Question 20

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 21

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 22

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 23

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 24

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 25

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference

Question 26

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 27

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 28

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 29

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 30

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 31

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 32

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 33

An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 34

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 35

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 36

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 37

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 38

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager.Reference:=ADVPN | FortiManager 7.2.0 - Fortinet Documentation

Question 39

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.

Question 40

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 41

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 42

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 43

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 44

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 45

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 46

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 47

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 48

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 49

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 50

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 51

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 52

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 53

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 54

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 55

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 56

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Option B is correct because the routing table shows that the tunnel interfaces have a netmask of 255.255.255.255, which indicates that net-device is enabled in the phase 1 configuration.This option allows the FortiGate to use the tunnel interface as a next-hop for routing, without adding a route to the phase 2 destination1.

Option D is correct because the routing table does not show any routes to the phase 2 destination networks, which indicates that add-route is disabled in the phase 1 configuration.This option controls whether the FortiGate adds a static route to the phase 2 destination network using the tunnel interface as the gateway2.

Option A is incorrect because IPSec tunnel aggregation is a feature that allows multiple phase 2 selectors to share a single phase 1 tunnel, reducing the number of tunnels and improving performance3. This feature is not related to the routing table or the phase 1 configuration.

Option C is incorrect because OSPF is a dynamic routing protocol that can run over IPSec tunnels, but it requires additional configuration on the FortiGate and the peer device4. This option is not related to the routing table or the phase 1 configuration.Reference: =

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 57

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 58

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 59

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 60

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 61

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 62

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 63

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 64

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 65

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 66

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 67

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 68

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 69

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 70

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 71

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 72

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 73

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 74

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 75

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 76

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 77

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 78

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 79

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 80

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 81

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 82

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 83

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 84

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 85

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 86

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 87

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 88

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 89

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 90

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

Question 91

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 92

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 93

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 94

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 95

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 96

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 97

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 98

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 99

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 100

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 101

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 102

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 103

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 104

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 105

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 106

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 107

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 108

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 109

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 110

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 111

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 112

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 113

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 114

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 115

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Question 116

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 117

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 118

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 119

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 120

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 121

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 122

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 123

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 124

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 125

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 126

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 127

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 128

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 129

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 130

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 131

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 132

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 133

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 134

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 135

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 136

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 137

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 138

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 139

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 140

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 141

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 142

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 143

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 144

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 145

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 146

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 147

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 148

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 149

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 150

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 151

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 152

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 153

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 154

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 155

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 156

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 157

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 158

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 159

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 160

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 161

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 162

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 163

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 164

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 165

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 166

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 167

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 168

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 169

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 170

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 171

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 172

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 173

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 174

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 175

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 176

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 177

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 178

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 179

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 180

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 181

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 182

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 183

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 184

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 185

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 186

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 187

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 188

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 189

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 190

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 191

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 192

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 193

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 194

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 195

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 196

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 197

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 198

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 199

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 200

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 201

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 202

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 203

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 204

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 205

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 206

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 207

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 208

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 209

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 210

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 211

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 212

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 213

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 214

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 215

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 216

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 217

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 218

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 219

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 220

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 221

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 222

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 223

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 224

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 225

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Question 226

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 227

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 228

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 229

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 230

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 231

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 232

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 233

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 234

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 235

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 236

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 237

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 238

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 239

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 240

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 241

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Question 242

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 243

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 244

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 245

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 246

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 247

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 248

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 249

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 250

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 251

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 252

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 253

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 254

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 255

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 256

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 257

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 258

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 259

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 260

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 261

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 262

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 263

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 264

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 265

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 266

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 267

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 268

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 269

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 270

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 271

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 272

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 273

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 274

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 275

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 276

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 277

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 278

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 279

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 280

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 281

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 282

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 283

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 284

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 285

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 286

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 287

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 288

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 289

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 290

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 291

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 292

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 293

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 294

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 295

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 296

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 297

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 298

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 299

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 300

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 301

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 302

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 303

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 304

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 305

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 306

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 307

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 308

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 309

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 310

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 311

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 312

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 313

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 314

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 315

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 316

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 317

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 318

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 319

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 320

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 321

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 322

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 323

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 324

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 325

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 326

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 327

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 328

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 329

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 330

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 331

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 332

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 333

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 334

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 335

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 336

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 337

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 338

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 339

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 340

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 341

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 342

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 343

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 344

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 345

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 346

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 347

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 348

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 349

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 350

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 351

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 352

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 353

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 354

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 355

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 356

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 357

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 358

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 359

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 360

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 361

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 362

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 363

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 364

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 365

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 366

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 367

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 368

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 369

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 370

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 371

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 372

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 373

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 374

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 375

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 376

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 377

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 378

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 379

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 380

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 381

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 382

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 383

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 384

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 385

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 386

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 387

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 388

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 389

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 390

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 391

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 392

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 393

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 394

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 395

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 396

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 397

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 398

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 399

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 400

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 401

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 402

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 403

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 404

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 405

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 406

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 407

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 408

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 409

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 410

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 411

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 412

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 413

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 414

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 415

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 416

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 417

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 418

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 419

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 420

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 421

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 422

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 423

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 424

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 425

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 426

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 427

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 428

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 429

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 430

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 431

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 432

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 433

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 434

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 435

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 436

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 437

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 438

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 439

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 440

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 441

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 442

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 443

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 444

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 445

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 446

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 447

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 448

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 449

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 450

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 451

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 452

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 453

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 454

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 455

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 456

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 457

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 458

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 459

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 460

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 461

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 462

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 463

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 464

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 465

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 466

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 467

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 468

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 469

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 470

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 471

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 472

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 473

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 474

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 475

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 476

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 477

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 478

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 479

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 480

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 481

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 482

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 483

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 484

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 485

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 486

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 487

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 488

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 489

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 490

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 491

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 492

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 493

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 494

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 495

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 496

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 497

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 498

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 499

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 500

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 501

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 502

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 503

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 504

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 505

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 506

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 507

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 508

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 509

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 510

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 511

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 512

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 513

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 514

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 515

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 516

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 517

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 518

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 519

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 520

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 521

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 522

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 523

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 524

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 525

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 526

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 527

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 528

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 529

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 530

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 531

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 532

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 533

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 534

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 535

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 536

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 537

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 538

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 539

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 540

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 541

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 542

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 543

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 544

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 545

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 546

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 547

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 548

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 549

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 550

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Question 551

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 552

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 553

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 554

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 555

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 556

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 557

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 558

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 559

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 560

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 561

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 562

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 563

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 564

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 565

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 566

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 567

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 568

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 569

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 570

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 571

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 572

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 573

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 574

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 575

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 576

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 577

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 578

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 579

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 580

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 581

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 582

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 583

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 584

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 585

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 586

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 587

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 588

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 589

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 590

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 591

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 592

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 593

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 594

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Question 595

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 596

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 597

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 598

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 599

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 600

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 601

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 602

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 603

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 604

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 605

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 606

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 607

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 608

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 609

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 610

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 611

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 612

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 613

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 614

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 615

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 616

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 617

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 618

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 619

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 620

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 621

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 622

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 623

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 624

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 625

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 626

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 627

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 628

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 629

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 630

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 631

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 632

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 633

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 634

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 635

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 636

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 637

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 638

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 639

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 640

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 641

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 642

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 643

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 644

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 645

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 646

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 647

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 648

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 649

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 650

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 651

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 652

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 653

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 654

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 655

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 656

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 657

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 658

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 659

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 660

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 661

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 662

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 663

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 664

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 665

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 666

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 667

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 668

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 669

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 670

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 671

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 672

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 673

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 674

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 675

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 676

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 677

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 678

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 679

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 680

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 681

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Question 682

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 683

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 684

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 685

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 686

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 687

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 688

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 689

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 690

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 691

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 692

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 693

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 694

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 695

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 696

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 697

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 698

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 699

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 700

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Question 701

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 702

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 703

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 704

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 705

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 706

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 707

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 708

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 709

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 710

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 711

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 712

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 713

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 714

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 715

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 716

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 717

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 718

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 719

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 720

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 721

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 722

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 723

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 724

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 725

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 726

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 727

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 728

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 729

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 730

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 731

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 732

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 733

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 734

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 735

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 736

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 737

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 738

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 739

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 740

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 741

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 742

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 743

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 744

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 745

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 746

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 747

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 748

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 749

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 750

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 751

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 752

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 753

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 754

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 755

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 756

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 757

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 758

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 759

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 760

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 761

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 762

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 763

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 764

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 765

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 766

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 767

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 768

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 769

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 770

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 771

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 772

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 773

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 774

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 775

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 776

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 777

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 778

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 779

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 780

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 781

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 782

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 783

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 784

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 785

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 786

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 787

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 788

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 789

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 790

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 791

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 792

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 793

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 794

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 795

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 796

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 797

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 798

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 799

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 800

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 801

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 802

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 803

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 804

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 805

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 806

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 807

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 808

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 809

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 810

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 811

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 812

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 813

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 814

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 815

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 816

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 817

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 818

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 819

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 820

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 821

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 822

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 823

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 824

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 825

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 826

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 827

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 828

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 829

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 830

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 831

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 832

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

ARemove the 16.1.10.C prefix from the OSPF network

BConfigure a distribute-list-out

CConfigure a route-map out

DDisable Redistribute Connected

Answer : B, C

Question 833

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 834

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 835

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 836

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 837

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 838

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 839

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 840

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 841

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 842

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 843

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 844

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 845

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 846

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 847

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

ABased on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

BOn NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.

COn both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

DSpoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Answer : B

Question 848

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 849

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

AFortiGate uses the first entry listed in the SAN field in the server certificate

BFortiGate uses the CN information from the Subject field in the server certificate

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Question 850

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 851

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 852

Which two features are true regarding IPS hardware acceleration? (Choose two.)

Acp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors

Bset np-access-mode basic will provide last path for IPS inspected traffic

CFortiGate does not support IPSA if the cp-accel-mode is configured as none.

DNetwork processors provide pre-IPS anomaly filtering and logging

Answer : A, B

Question 853

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

Question 854

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 855

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 856

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)

ANGFW-1 sends its LSA updates to 224.0.0.6 address

BNGFW-1 sends its LSA updates to 224.0.0. 5 address

CNGFW-1 forms neighbor adjacency only with DR and BDR router.

DNGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds

Answer : A, C

Question 857

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 858

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 859

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 860

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 861

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 862

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 863

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 864

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?

ANPs and CPs are enabled

BOnly CPs arc disabled

COnly NPs are disabled

DNPs and CPs arc disabled

Answer : A

FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 865

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 866

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 867

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

ADead peer detection is set to enable.

BThe IKE version is 2.

CBoth IPsec SAs are loaded on the kernel.

DForward error correction in phase 2 is set to enable.

Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

Question 868

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 869

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

AConfigure the hub as a route reflector

BConfigure auto-discovery-sender on the hub

CAdd a prefix list to the hub that permits routes to be shared between the spokes

DEnable route redistribution under config router bgp

Answer : B

Question 870

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 871

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 872

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 873

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

Question 874

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 875

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?

AThe script successfully added a static route with gateway 10.20.121.2 on the manages device

BCLI scripts must start with # l.

CThe commands are missing d3_cmd at beginning

DThe CLI scripts failed to execute because of an incomplete command

Answer : D

Question 876

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 877

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 878

Refer to the exhibit, which contains a partial BGP combination.

You want to configure a loopback as the OGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

Aebgp-enforce-multihop

Brecursive-next-hop

Cibgp-enfoce-multihop

Dupdate-source

Answer : A, D

Question 879

Exhibit.

Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.

Which two parameters must you configure on the corresponding single hub? (Choose two.)

ASet auto-discovery-sender enable

BSet ike-version 2

CSet auto-discovery-forwarder enable

DSet auto-discovery-receiver enable

Answer : A, B

For an ADVPN spoke configuration shown, the corresponding hub must have auto-discovery-sender enabled to send shortcut advertisement messages to the spokes. Also, the hub would need to have auto-discovery-forwarder enabled if it is to forward on those shortcut advertisements to other spokes. This allows the hub to inform all spokes about the best path to reach each other. The ike-version does not need to be reconfigured on the hub if it's already set to version 2 and auto-discovery-receiver is not necessary on the hub because it's the one sending the advertisements, not receiving.

FortiOS Handbook - ADVPN

Question 880

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

Question 881

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 882

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 883

Exhibit.

Refer to the exhibit, which shows information about an OSPF interlace

What two conclusions can you draw from this command output? (Choose two.)

AThe port3 network has more man one OSPF router

BThe OSPF routers are in the area ID of 0.0.0.1.

CThe interfaces of the OSPF routers match the MTU value that is configured as 1500.

DNGFW-1 is the designated router

Answer : A, C

From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1. Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. The MTU mismatch would prevent OSPF from forming a neighbor relationship.

Fortinet FortiOS Handbook: OSPF Configuration

Question 884

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 885

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)

AOSPF peer interface must have same cost value

BOSPF peer interface must have same MTU size

COSPF peer interface must have same Hello and Wait time

DOSPF peer interface must have same Hello and Dead time

EOSPF peer interfaces must have same network and mask

Answer : B, D, E

Question 886

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?

ABFD is only supported when two FortiGate devices are directly connected on the same network

BBFD is using BGP keepalive messages to check the status of BGP peer

CBFD is used to detect one way device failure

DBFD is enabled under config router bfd configuration

Answer : C

Question 887

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 888

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

AFortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes

BAfter the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router

CThe OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode

DIn an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover

Answer : B, C

Question 889

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)

ACreate an IP address exception

BAdjust the rate-based signature threshold and its duration.

CEnable the preserve source pore option in the firewall policy

DPermanently bypass the affected endpoints

Answer : B, D

Question 890

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

Question 891

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 892

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 893

What are two functions of automation stitches? (Choose two.)

AAutomation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

BAn automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

CAutomation stitches can be configured on any FortiGate device in a Security Fabric environment.

DAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Answer : A, D

Question 894

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 895

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Fortinet FortiOS Handbook: CLI Reference

Question 896

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

AEnable AD-VPN in IPsec phase 1

BDisable add-route on hub

CConfigure IP addresses on IPsec virtual interfaces

DSet protected network to all

Answer : A

Question 897

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)

AYou can include 4.4.4.4 and 4.4.4.2 IP addresses using sat vrdst command

BAt the time of failover, FortiGate_A will change its priority to 30

CBy default, preemption mode is enabled

DIn VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Answer : B, C

Question 898

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 899

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

1: Technical Tip: 'set net-device' new route-based IPsec logic2

Question 900

Exhibit.

Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.

Which two parameters must you configure on the corresponding single hub? (Choose two.)

ASet auto-discovery-sender enable

BSet ike-version 2

CSet auto-discovery-forwarder enable

DSet auto-discovery-receiver enable

Answer : A, B

FortiOS Handbook - ADVPN

Question 901

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Question 902

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

Question 903

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

AOnly some IKE version 2 packets are considered fragmentable.

BThe reassembly timeout default value is 30 seconds.

CIt is performed at the IP layer.

DThe maximum number of IKE version 2 fragments is 128.

Answer : A, D

Question 904

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 905

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?

AThe local FortiGate has initiated a TCP connection, but there is no response from its BGP peer

BThe local FortiGate starts sending its routing table with its iBGP peer

CThe local FortiGate is having a fully established and active BGP connection with its peer

DThe local FortiGate is missing the config neighbor command in its BGP configuration

Answer : A

Question 906

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.

CThe FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.

DOnly the last FortiGate that handled a session in the Security Fabric

Answer : B