Fortinet NSE 7 - Enterprise Firewall 7.2 NSE7_EFW-7.2 Exam Practice Test

Total 80 questions
Question 1

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 2

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 3

What is true about the Filter override option in the application control profile?



Answer : B


Question 4

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 5

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 6

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 8

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 9

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 10

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 12

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 13

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 14

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 17

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 18

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 19

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 21

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the status information Modified (recent auto-updated)?



Answer : B


Question 25

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing.

A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations.

D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 27

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 28

Refer to the exhibit, which shows an SSL certificate inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 31

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 33

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure that clears the related entries from the MAC table of the switches.


Question 35

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 36

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 39

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 42

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 45

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 47

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 48

Exhibit.

ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding Security Fabric logging? (Choose two.)



Answer : A, B


Question 56

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 72

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 73

An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.


Question 74

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 75

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?



Question 76

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?



Answer : A


Question 77

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 78

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?



Answer : C


Question 79

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 80

What is true about the Fitter override option in the application control profile?



Answer : B


Question 81

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?



Question 82

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 83

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 84

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 85

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 86

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 87

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 88

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 89

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 90

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?



Question 91

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 92

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?



Answer : C


Question 93

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 94

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 95

What is true about the Fitter override option in the application control profile?



Answer : B


Question 96

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 97

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?



Answer : A


Question 98

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 99

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)



Answer : B, D


Question 100

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 101

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 102

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?



Question 103

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 104

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 105

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?



Question 106

An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from the MAC table of the switches.


Question 107

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 108

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 109

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 110

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 111

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 112

What is true about the Filter override option in the application control profile?



Answer : B


Question 113

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information Config Status: Modified (recent auto-updated)?



Answer : B


Question 114

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 115

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 116

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 117

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 118

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 119

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 120

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 121

What is true about the Filter override option in the application control profile?



Answer : B


Question 122

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 123

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 124

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 125

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 126

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 127

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 128

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 129

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 130

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 131

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from the MAC table of the switches.


Question 132

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 133

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 134

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 135

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 136

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 137
Question 138

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 139

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 140

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 141

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 142

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 143

An administrator configured the following command on FortiGate

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 144

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 145

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 146

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 147

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 148
Question 149

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 150

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 151

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 152

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 153

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 154

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 155

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 156

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 157

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 158

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 159

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 160

What is true about the Filter override option in the application control profile?



Answer : B


Question 161

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 162

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 163

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 164

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 165

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 166

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 167

An administrator configured the following command on FortiGate

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 168

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 169

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 170

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 171

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 172

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 173

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 174
Question 175

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 176

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 177

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 178

An administrator configured the following command on FortiGate

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 179

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 180

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from the MAC table of the switches.


Question 181

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information Config Status: Modified (recent auto-updated)?



Answer : B


Question 182

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 183

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 184

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 185

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 186

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 187

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 188

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 189

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 190

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 191

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 192

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 193
Question 194

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 195

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 196

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 197

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 198

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 199

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 200

What is true about the Filter override option in the application control profile?



Answer : B


Question 201

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 202
Question 203

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 204

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 205

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 206

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 207

Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 208

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 209

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 210

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 211

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 212

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 213

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 214

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 215

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 216
Question 217

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 218

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 219

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 220

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 221
Question 222

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 223

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 224

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 225

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 226

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 227

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 228

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 229
Question 230

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 231

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure that clears the related entries from the MAC tables of the switches.


Question 232

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 233

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 234

What is true about the Filter override option in the application control profile?



Answer : B


Question 235

Exhibit.

ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 236

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 237

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 238

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 239

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 240

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 241

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 242

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 243

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 244

Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 245

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 246

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 247

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 248

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 249

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 250

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 251

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 252

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 253

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 254
Question 255

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 256

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 257

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 258
Question 259

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 260

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 261

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 262

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 263

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 264

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 265

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 266

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 267
Question 268

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 269

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 270

An administrator configured the following command on FortiGate:

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 271

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 272

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 273

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 274

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 275

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 276

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 277

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 278

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 279

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 280

Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 281

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 282

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 283

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 284

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 285

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 286

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure that clears the related entries from the MAC tables of the switches.


Question 287

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 288

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 289

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 290

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 291

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 292

What is true about the Filter override option in the application control profile?



Answer : B


Question 293

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 294

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 295

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 296

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 297

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 298

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 299

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 300

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 301

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 302

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 303

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 304

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 305

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 306

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 307

Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 308

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 309

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 310

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 311

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 312

Exhibit.

ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 313

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 314
Question 315

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 316

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 317

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 318

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 319

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 320

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 321

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 322
Question 323

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 324

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 325

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 326

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 327

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 328

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 329

What is true about the Filter override option in the application control profile?



Answer : B


Question 330

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 331

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 332

Refer to the exhibit, which shows an SSL certificate inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 333

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure that clears the related entries from the MAC table of the switches.


Question 334
Question 335

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 336

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 337

What is true about the Filter override option in the application control profile?



Answer : B


Question 338

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 339

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 340

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 341

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 342

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 343

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 344

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 345

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 346

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 347

Refer to the exhibit, which shows an SSL certificate inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 348

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 349

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 350
Question 351

Exhibit.

ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 352

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 353

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 354

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 355

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 356

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 357

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 358

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 359

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 360

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 361

An administrator configured the following command on FortiGate:

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 362

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 363

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.

- Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure that clears the related entries from the MAC table of the switches.


Question 364

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 365

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 366

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 367

What is true about the Filter override option in the application control profile?



Answer : B


Question 368

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 369

Refer to the exhibit, which shows an SSL certificate inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 370

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 371

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 372

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 373

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 374

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 375

Exhibit.

ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 376
Question 377

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 378

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 379

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 380

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 381

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 382

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 383

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 384

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 385

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 386

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 387

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 388
Question 389

Refer to the exhibit, which shows an SSL certificate inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 390

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 391

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 392

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 393

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 394

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 395

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 396

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 397

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 398

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 399

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 400

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 401

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 402

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 403
Question 404

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 405

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 406

An administrator configured the following command on FortiGate:

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 407

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 408

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 409

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 410

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 411

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 412

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 413

Exhibit.

ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 414

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 415

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 416

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 417

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 418

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 419

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 420

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 421

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The command fails because FortiGuard anycast (fortiguard-anycast) is enabled by default in FortiOS 7.2 and requires HTTPS to reach the anycast FortiGuard servers. While anycast is enabled, the protocol cannot be changed to udp. To use UDP for FortiGuard communication, fortiguard-anycast must first be disabled; only then is set protocol udp accepted.


Question 422

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 423

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 424

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

ADVPN lets spokes bring up shortcut tunnels directly between themselves instead of hairpinning traffic through the hub. The shortcut is negotiated through IKE: the hub relays a shortcut query from one spoke to the other, and the hub can also add routes for spoke networks learned during the IKE negotiations. Because spoke-to-spoke traffic cannot be known in advance, the phase 2 quick mode selectors must be configured as 0.0.0.0 0.0.0.0 (any to any); narrower selectors would prevent the dynamically created spoke-to-spoke tunnels from carrying arbitrary traffic.

These requirements are outlined in Fortinet's ADVPN documentation, which emphasizes the hub's role in shortcut negotiation and route control and the use of wildcard phase 2 selectors to enable dynamic tunneling between spokes.


Question 425
Question 426
Question 427

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the config status information Modified (recent auto-updated)?



Answer : B


Question 428

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 429

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
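To make the two conclusions above mechanical rather than eyeballed, here is an added example (not from the original page or from Fortinet) that parses diagnose vpn tunnel list output and reports, per tunnel, the IKE version from the ver= field and the NPU offload state from the npu_flag= field of each phase 2 selector. The sample output is constructed for the example and mirrors the field layout Fortinet's KB articles show for this command; exact output varies between FortiOS builds, so treat the field names as an assumption to check against a real device. The npu_flag interpretation used (00 = both SAs processed in the kernel, 01 = inbound SA offloaded, 02 = outbound SA offloaded, 03 = both offloaded) is the one Fortinet documents for this command.

```python
"""Parse FortiGate 'diagnose vpn tunnel list' output for IKE version and NPU offload.

Added example, not from the page or from Fortinet. SAMPLE_OUTPUT is constructed; the
field layout (name=... ver=..., proxyid=... sa=..., npu_flag=..) follows what Fortinet's
KB shows for this command, but real output differs between FortiOS builds.
"""
import re

# npu_flag meaning documented by Fortinet for this command:
# bit 0 = inbound (decrypt) SA offloaded to the NPU, bit 1 = outbound (encrypt) SA offloaded.
NPU_FLAG_MEANING = {
    0: "both SAs in kernel (no NPU offload)",
    1: "inbound SA offloaded to NPU, outbound SA in kernel",
    2: "outbound SA offloaded to NPU, inbound SA in kernel",
    3: "both SAs offloaded to NPU",
}

# Constructed sample: an IKEv2 tunnel with kernel-processed SAs and an IKEv1 tunnel
# whose SAs are offloaded. Key material lines are omitted.
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_HQ ver=2 serial=1 10.0.1.1:0->10.0.2.1:0 tun_id=10.0.2.1 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=5 olast=5 ad=/0
stat: rxp=120 txp=98 rxb=14400 txb=11760
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42887/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42930/43200
  dec:pkts/bytes=120/14400, enc:pkts/bytes=98/11760
  npu_flag=00 npu_rgwy=10.0.2.1 npu_lgwy=10.0.1.1 npu_selid=0 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=to_Branch ver=1 serial=2 10.0.1.1:0->10.0.3.1:0 tun_id=10.0.3.1 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=2 olast=2 ad=/0
proxyid=to_Branch proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:192.168.3.0/255.255.255.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42000/0B replaywin=2048
  npu_flag=03 npu_rgwy=10.0.3.1 npu_lgwy=10.0.1.1 npu_selid=0 dec_npuid=1 enc_npuid=1
"""

TUNNEL_RE = re.compile(r"name=(\S+) ver=(\d+) serial=\d+ (\S+)->(\S+)")
PROXYID_RE = re.compile(r"proxyid=(\S+) proto=\d+ sa=(\d+)")
NPU_FLAG_RE = re.compile(r"npu_flag=([0-9a-fA-F]{2})")


def parse_tunnels(output):
    """Return a list of tunnels, each with its IKE version and phase 2 selectors."""
    tunnels = []
    current = None
    for line in output.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            current = {"name": m.group(1), "ike_version": int(m.group(2)),
                       "local": m.group(3), "remote": m.group(4), "selectors": []}
            tunnels.append(current)
            continue
        if current is None:
            continue
        m = PROXYID_RE.match(line)
        if m:
            # sa=0 means the selector has no SA installed (phase 2 not up).
            current["selectors"].append({"proxyid": m.group(1), "sa_count": int(m.group(2)),
                                         "npu_flag": None})
            continue
        m = NPU_FLAG_RE.search(line)
        if m and current["selectors"]:
            current["selectors"][-1]["npu_flag"] = int(m.group(1), 16)
    return tunnels


def summarize(output):
    """Map tunnel name -> IKE version, total SA count and a human-readable offload state."""
    summary = {}
    for t in parse_tunnels(output):
        flags = [s["npu_flag"] for s in t["selectors"] if s["sa_count"] > 0]
        if not flags or any(f is None for f in flags):
            offload = "no SA installed (tunnel not up)"
        elif len(set(flags)) == 1:
            offload = NPU_FLAG_MEANING.get(flags[0] & 0x3, "unknown npu_flag %02x" % flags[0])
        else:
            # Mixed state across selectors is worth a closer look: one kernel-processed SA
            # on a busy tunnel is enough to show up as high CPU.
            offload = "mixed offload state across selectors"
        summary[t["name"]] = {"ike_version": t["ike_version"],
                              "sa_count": sum(s["sa_count"] for s in t["selectors"]),
                              "offload": offload}
    return summary


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_OUTPUT).items():
        print(f"{name}: IKEv{info['ike_version']}, {info['sa_count']} SA(s), {info['offload']}")
```

Run it against the saved output of the command on a real FortiGate to get the same two conclusions for every tunnel at once; a tunnel that shows npu_flag=00 on a platform with an NPU is the first thing to look at when IPsec throughput is CPU-bound.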


Question 430

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 431

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 432

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 433

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D
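The behaviour the question is probing is FortiGate's sni-server-cert-check option in the SSL/SSH inspection profile, which has three settings: disable (the SNI is not compared with the certificate), enable (on a mismatch the session is kept but the certificate's CN is used for URL filtering instead of the client-supplied SNI) and strict (on a mismatch the connection is closed). The check matters because of evasion: a client that controls the SNI can name an allowed site in the Client Hello while actually connecting to a blocked one. The following added example (not from the page or from Fortinet) emulates that decision in Python with RFC 6125 hostname matching; the certificate values and SNIs are constructed.

```python
"""Emulate FortiGate's sni-server-cert-check decision (enable / strict / disable).

Added example, not Fortinet code. Hostname matching follows RFC 6125 (wildcard only as
the whole left-most label); the certificate names and SNIs below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    common_name: str
    sans: list = field(default_factory=list)


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; '*' may only be the entire left-most label,
    never spans more than one label, and a bare wildcard pattern needs at least 3 labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_covers(cert, sni):
    # The FortiOS option compares the SNI with the CN *or* any SAN, so check both.
    return any(hostname_matches(n, sni) for n in [cert.common_name, *cert.sans])


def sni_check(mode, sni, cert):
    """Return the proxy's decision: whether the session is allowed and which hostname is
    used for the web-filter / URL category lookup."""
    if mode not in ("enable", "strict", "disable"):
        raise ValueError("unknown sni-server-cert-check mode %r" % mode)
    if mode == "disable":
        # No comparison at all: the client-supplied SNI is trusted for filtering.
        return {"action": "allow", "filter_name": sni, "mismatch": None}
    mismatch = not cert_covers(cert, sni)
    if not mismatch:
        return {"action": "allow", "filter_name": sni, "mismatch": False}
    if mode == "strict":
        return {"action": "close", "filter_name": None, "mismatch": True}
    # mode == "enable": keep the session, but filter on the certificate's CN instead of
    # the SNI the client sent, so a forged SNI cannot pick a friendlier category.
    return {"action": "allow", "filter_name": cert.common_name, "mismatch": True}


if __name__ == "__main__":
    cert = ServerCert(common_name="www.example.com", sans=["example.com", "*.cdn.example.com"])
    # A client claiming an unrelated, allowed hostname in the SNI while hitting this server.
    for mode in ("disable", "enable", "strict"):
        print(mode, sni_check(mode, "allowed-news-site.example", cert))
```

With disable the forged SNI drives the category lookup, with enable FortiGate falls back to the certificate's CN for filtering, and with strict the session is simply closed; strict is the safer default where the inspected traffic must not be able to pick its own category.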


Question 434

An administrator configured the following command on FortiGate

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 435

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 436

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 437

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 438

What is true about the Filter override option in the application control profile?



Answer : B


Question 439

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 440

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 441

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 442

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 443

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC address and failover

- On failover, the new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC address is now reachable through a different switch port.

- Some high-end switches do not clear their MAC address table correctly after a failover and keep forwarding to the port of the former primary. The fix is to force the former primary to shut down all of its interfaces (except the heartbeat and reserved management interfaces) for one second when the failover happens:

config system ha
    set link-failed-signal enable
end

- This simulates a link failure, which clears the related entries from the MAC address table of the switches.


Question 444

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 445

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The exhibit shows global settings for a FortiGate device. NP (network processor) and CP (content processor) are the ASICs behind FortiGate's hardware acceleration, but this output does not by itself state whether offloading to them is enabled or disabled: NP offloading is controlled per firewall policy (auto-asic-offload) and per IPsec phase 1 (npu-offload), and the installed NP/CP hardware is reported by get hardware status rather than by config system global. The conclusion therefore has to rest on the settings that are actually present in the output, not on an assumed NP/CP state.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 446

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables are created on FortiManager, not on the managed FortiGate. They are defined centrally, optionally with a per-device mapping that gives each FortiGate its own value, and are referenced in CLI scripts and CLI templates as $(variable_name). When the script or template is run against a device, FortiManager substitutes that device's value, so one script or template can be reused across many devices.

Fortinet FortiOS Handbook: CLI Reference


Question 447
Question 448

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

ADVPN lets spokes bring up shortcut tunnels directly between themselves instead of hairpinning traffic through the hub. The shortcut is negotiated through IKE: the hub relays a shortcut query from one spoke to the other, and the hub can also add routes for spoke networks learned during the IKE negotiations. Because spoke-to-spoke traffic cannot be known in advance, the phase 2 quick mode selectors must be configured as 0.0.0.0 0.0.0.0 (any to any); narrower selectors would prevent the dynamically created spoke-to-spoke tunnels from carrying arbitrary traffic.

These requirements are outlined in Fortinet's ADVPN documentation, which emphasizes the hub's role in shortcut negotiation and route control and the use of wildcard phase 2 selectors to enable dynamic tunneling between spokes.


Question 449

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 450

An administrator configured the following command on FortiGate

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 451

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 452

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 453

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 454

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 455

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 456
Question 457

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 458

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 459

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 460

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 461

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 462

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC address and failover

- On failover, the new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC address is now reachable through a different switch port.

- Some high-end switches do not clear their MAC address table correctly after a failover and keep forwarding to the port of the former primary. The fix is to force the former primary to shut down all of its interfaces (except the heartbeat and reserved management interfaces) for one second when the failover happens:

config system ha
    set link-failed-signal enable
end

- This simulates a link failure, which clears the related entries from the MAC address table of the switches.


Question 463

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 464

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not every message can be fragmented. Fragmentation support is negotiated in the IKE_SA_INIT exchange, so IKE_SA_INIT itself is never fragmented; only the later exchanges that carry an Encrypted payload (IKE_AUTH and subsequent exchanges) can be. Fragmentation takes place at the IKE layer (RFC 7383), not at the IP layer, which is what lets large IKE messages cross devices that drop or mishandle IP fragments. FortiOS also caps the number of fragments per message at 128, so the negotiation can proceed on networks that have problems with large packets. The reassembly timeout is not covered in the Fortinet material this question draws on.


Question 465

An administrator configured the following command on FortiGate

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 466

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 467

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 468

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the config status information Modified (recent auto-updated)?



Answer : B


Question 469

What is true about the Filter override option in the application control profile?



Answer : B


Question 470

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 471

Refer to the exhibit.

The exhibit shows a prefix-list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 472

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 473

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The exhibit shows global settings for a FortiGate device. NP (network processor) and CP (content processor) are the ASICs behind FortiGate's hardware acceleration, but this output does not by itself state whether offloading to them is enabled or disabled: NP offloading is controlled per firewall policy (auto-asic-offload) and per IPsec phase 1 (npu-offload), and the installed NP/CP hardware is reported by get hardware status rather than by config system global. The conclusion therefore has to rest on the settings that are actually present in the output, not on an assumed NP/CP state.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 474

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 475

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 476

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC address and failover

- On failover, the new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC address is now reachable through a different switch port.

- Some high-end switches do not clear their MAC address table correctly after a failover and keep forwarding to the port of the former primary. The fix is to force the former primary to shut down all of its interfaces (except the heartbeat and reserved management interfaces) for one second when the failover happens:

config system ha
    set link-failed-signal enable
end

- This simulates a link failure, which clears the related entries from the MAC address table of the switches.


Question 477

What is true about the Filter override option in the application control profile?



Answer : B


Question 478

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 479

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 480

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 481

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 482

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not every message can be fragmented. Fragmentation support is negotiated in the IKE_SA_INIT exchange, so IKE_SA_INIT itself is never fragmented; only the later exchanges that carry an Encrypted payload (IKE_AUTH and subsequent exchanges) can be. Fragmentation takes place at the IKE layer (RFC 7383), not at the IP layer, which is what lets large IKE messages cross devices that drop or mishandle IP fragments. FortiOS also caps the number of fragments per message at 128, so the negotiation can proceed on networks that have problems with large packets. The reassembly timeout is not covered in the Fortinet material this question draws on.


Question 483

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 484

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 485

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables are created on FortiManager, not on the managed FortiGate. They are defined centrally, optionally with a per-device mapping that gives each FortiGate its own value, and are referenced in CLI scripts and CLI templates as $(variable_name). When the script or template is run against a device, FortiManager substitutes that device's value, so one script or template can be reused across many devices.

Fortinet FortiOS Handbook: CLI Reference


Question 486

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 487

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The command fails because FortiGuard anycast (fortiguard-anycast) is enabled by default in FortiOS 7.2 and requires HTTPS to reach the anycast FortiGuard servers. While anycast is enabled, the protocol cannot be changed to udp. To use UDP for FortiGuard communication, fortiguard-anycast must first be disabled; only then is set protocol udp accepted.


Question 488

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 489

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

The command set restart-mode graceful-restart enables OSPF graceful restart. Before it restarts, the router sends grace LSAs (link state advertisements) to inform its neighbors that it is restarting, so that they keep the adjacency and keep forwarding through the restarting router instead of recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 490

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The exhibit shows global settings for a FortiGate device. NP (network processor) and CP (content processor) are the ASICs behind FortiGate's hardware acceleration, but this output does not by itself state whether offloading to them is enabled or disabled: NP offloading is controlled per firewall policy (auto-asic-offload) and per IPsec phase 1 (npu-offload), and the installed NP/CP hardware is reported by get hardware status rather than by config system global. The conclusion therefore has to rest on the settings that are actually present in the output, not on an assumed NP/CP state.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 491

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 492

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 493

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 494

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not every message can be fragmented. Fragmentation support is negotiated in the IKE_SA_INIT exchange, so IKE_SA_INIT itself is never fragmented; only the later exchanges that carry an Encrypted payload (IKE_AUTH and subsequent exchanges) can be. Fragmentation takes place at the IKE layer (RFC 7383), not at the IP layer, which is what lets large IKE messages cross devices that drop or mishandle IP fragments. FortiOS also caps the number of fragments per message at 128, so the negotiation can proceed on networks that have problems with large packets. The reassembly timeout is not covered in the Fortinet material this question draws on.


Question 495
Question 496

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 497

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the config status information Modified (recent auto-updated)?



Answer : B


Question 498

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables are created on FortiManager, not on the managed FortiGate. They are defined centrally, optionally with a per-device mapping that gives each FortiGate its own value, and are referenced in CLI scripts and CLI templates as $(variable_name). When the script or template is run against a device, FortiManager substitutes that device's value, so one script or template can be reused across many devices.

Fortinet FortiOS Handbook: CLI Reference


Question 499

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 500

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 501

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 502

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 503

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 504

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

The command set restart-mode graceful-restart enables OSPF graceful restart. Before it restarts, the router sends grace LSAs (link state advertisements) to inform its neighbors that it is restarting, so that they keep the adjacency and keep forwarding through the restarting router instead of recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 505

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 506

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 507

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not every message can be fragmented. Fragmentation support is negotiated in the IKE_SA_INIT exchange, so IKE_SA_INIT itself is never fragmented; only the later exchanges that carry an Encrypted payload (IKE_AUTH and subsequent exchanges) can be. Fragmentation takes place at the IKE layer (RFC 7383), not at the IP layer, which is what lets large IKE messages cross devices that drop or mishandle IP fragments. FortiOS also caps the number of fragments per message at 128, so the negotiation can proceed on networks that have problems with large packets. The reassembly timeout is not covered in the Fortinet material this question draws on.


Question 508

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 509

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 510

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 511

What is true about the Filter override option in the application control profile?



Answer : B


Question 512

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 513

Refer to the exhibit.

The exhibit shows a prefix-list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 514
Question 515
Question 516

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

The command set restart-mode graceful-restart enables OSPF graceful restart. Before it restarts, the router sends grace LSAs (link state advertisements) to inform its neighbors that it is restarting, so that they keep the adjacency and keep forwarding through the restarting router instead of recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 517

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 518

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 519

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 520

An administrator configured the following command on FortiGate

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 521

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 522

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub-and-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B

The hub learns each spoke's routes over iBGP, but iBGP split horizon stops a router from re-advertising a route learned from one iBGP peer to another iBGP peer, so the hub never passes Spoke-1's prefixes to Spoke-2 or vice versa. The hub must be made a route reflector for the spokes: 'set route-reflector-client enable' on the spokes' neighbor or neighbor-group entries under 'config router bgp'. Once the routes are reflected, traffic between spokes first flows through the hub, which is what triggers the ADVPN shortcut negotiation between them.


Question 523

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 524

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the configuration status Modified (recent auto-updated)?



Answer : B


Question 525

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The output shows global settings of a FortiGate ('config system global'). NP (network processor) and CP (content processor) are FortiGate's hardware acceleration ASICs, and nothing in the partial output shown turns them on or off: whether a session is offloaded to an NP is decided per firewall policy ('set auto-asic-offload') and per IPsec tunnel ('set npu-offload' in the phase 1), and NP/CP acceleration of IPS is configured under 'config ips global', not under the global system settings. From this output alone you therefore cannot determine whether NP and CP offloading is in use.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 526

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 527

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

In FortiOS 7.2, 'set protocol udp' under 'config system fortiguard' is accepted only when FortiGuard anycast is disabled ('set fortiguard-anycast disable'). With anycast enabled, FortiGate reaches the FortiGuard servers over HTTPS on port 443 and the protocol and port are fixed, so the CLI rejects the change. The error in the exhibit is caused by the anycast setting, not by a typo in the command; if the UDP transport is really needed, anycast has to be disabled first, at the cost of the TLS-protected anycast transport.


Question 528

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC address and failover:

- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches do not clear their MAC table correctly after a failover. The solution is to force the former primary to shut down all its interfaces for one second when the failover happens (excluding the heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure, which clears the related entries from the MAC tables of the switches.


Question 530

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

The hub adds routes based on IKE negotiations: with add-route enabled on the hub's dial-up phase 1, the hub installs a route to each spoke's networks from the phase 2 selectors the spoke negotiates over IKE, so the hub knows which tunnel leads to which spoke without a static route per spoke.

Phase 2 quick mode selectors set to 0.0.0.0 0.0.0.0: the wildcard selectors let any traffic use the tunnel, which is required so that spoke-to-spoke shortcut tunnels can be created dynamically for whatever destination prompts them, with routing (static or dynamic) rather than the selectors deciding what enters the overlay.

Both points are in Fortinet's ADVPN documentation, which emphasises the hub's role in route control and wildcard phase 2 selectors as the prerequisites for dynamic tunneling between spokes.


Question 531

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 532

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 537

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 538

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables are created on FortiManager and hold a per-device value (with an optional default) for items such as hostnames, IP addresses or site identifiers. When FortiManager runs a CLI script or installs a CLI template, each $(variable) reference is replaced with the value mapped to the target device, so one script or template can be pushed to many FortiGate devices while still carrying device-specific settings. That is why they can be used as variables in scripts and templates.

Fortinet FortiOS Handbook: CLI Reference


Question 540

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 541

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 542

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding Security Fabric logging? (Choose two.)



Answer : A, B


Question 543

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 544

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKEv2, not every packet is fragmentable: IKE fragmentation (RFC 7383) applies only to messages that carry an encrypted payload, so the IKE_AUTH exchange and later messages can be fragmented while the unencrypted IKE_SA_INIT exchange cannot. FortiGate also limits the number of fragments per message to 128. Because the fragmentation is done at the IKE layer, each fragment travels as its own UDP datagram, which is what lets the negotiation succeed across paths that drop or mishandle large packets and IP fragments.


Question 557

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 562

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

The IKE version is 2: the tunnel header line of 'diagnose vpn tunnel list' contains 'ver=2', which means the tunnel was negotiated with IKEv2.

Both IPsec SAs are loaded in the kernel: the NPU flag shown for the SAs is zero, so neither the inbound nor the outbound SA has been offloaded to a network processor, and encryption and decryption for this tunnel are performed in software by the kernel. On a model with NP hardware this is what you see when 'set npu-offload disable' is configured on the phase 1, or when the SA's parameters are not offloadable.

Fortinet's VPN troubleshooting documentation covers 'diagnose vpn tunnel list' (IPsec SAs) and 'diagnose vpn ike gateway list' (IKE SAs) as the commands to verify the IKE version and the state of the SAs.
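A worked example for reading this output, added here and not taken from Fortinet or the exam: a small Python parser that pulls the IKE version from the tunnel header line and the per-SA NPU flag from 'diagnose vpn tunnel list' text and classifies each tunnel as kernel-processed or NPU-offloaded. The sample output is constructed and trimmed to the fields the parser relies on (real output carries many more), the tunnel names and addresses are made up, and the parser looks for the per-SA 'npu_flag=' field, which is where current FortiOS prints the flag the exhibit calls 'npu flags'. A flag of 0x00 means no offload and 0x03 means both directions are offloaded; reading the two low bits as the per-direction offload bits for any other value is an assumption noted in the code.

```python
"""Classify FortiGate IPsec tunnels from 'diagnose vpn tunnel list' text.

Added example, not Fortinet code. Only the 'name=... ver=...' header line,
the 'SA:' lines, the 'dec:'/'enc:' SPI lines and the per-SA 'npu_flag='
field are relied on; everything else in the output is ignored.
"""
import re

# Constructed sample (not captured from a device): two tunnels, one IKEv2
# handled in the kernel (npu_flag=00), one IKEv1 with both directions
# offloaded to an NPU (npu_flag=03). Names and addresses are made up.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToHub ver=2 serial=1 10.0.1.2:0->203.0.113.1:0 tun_id=203.0.113.1 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
proxyid=ToHub proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42678/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=9e2a1f01 esp=aes key=16
  enc: spi=4c7b0a22 esp=aes key=16
  npu_flag=00 npu_rgwy=203.0.113.1 npu_lgwy=10.0.1.2 npu_selid=0 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=ToBranch ver=1 serial=2 10.0.1.2:0->198.51.100.7:0 tun_id=198.51.100.7 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
proxyid=ToBranch proto=0 sa=1 ref=2 serial=1
  src: 0:10.0.1.0/255.255.255.0:0
  dst: 0:10.0.2.0/255.255.255.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=41000/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=1a2b3c4d esp=aes key=16
  enc: spi=5e6f7a8b esp=aes key=16
  npu_flag=03 npu_rgwy=198.51.100.7 npu_lgwy=10.0.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
"""

KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens on the header line


def parse_tunnels(text):
    """Return one dict per tunnel: name, ike_version and a list of child SAs.

    Each SA records the SPI of its dec/enc half and the npu_flag of that SA
    block, parsed as a hexadecimal byte.
    """
    tunnels = []
    cur = None
    sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            fields = dict(KV.findall(line))
            cur = {"name": fields["name"], "ike_version": int(fields.get("ver", 0)), "sas": []}
            tunnels.append(cur)
        elif cur is None:
            continue  # banner and separator lines before the first tunnel
        elif line.startswith("SA:"):
            sa = {"dec_spi": None, "enc_spi": None, "npu_flag": None}
            cur["sas"].append(sa)
        elif sa is not None and line.startswith(("dec:", "enc:")):
            m = re.search(r"spi=([0-9a-fA-F]+)", line)
            if m:
                sa[line[:3] + "_spi"] = m.group(1)
        elif sa is not None and line.startswith("npu_flag="):
            sa["npu_flag"] = int(line.split()[0].split("=")[1], 16)
    return tunnels


def offload_state(sa):
    """Interpret the npu_flag of one SA.

    0x00: neither direction offloaded, the SA is processed by the kernel.
    0x03: both encrypt and decrypt offloaded to an NPU.
    Assumption: the two low bits are the per-direction offload bits, so any
    other non-zero value is reported as partial offload.
    """
    flag = sa["npu_flag"]
    if flag is None:
        return "unknown"
    if flag == 0:
        return "kernel"
    if flag & 0x3 == 0x3:
        return "npu"
    return "partial"


def classify(tunnel):
    """Summarise a parsed tunnel the way the exam question reads the output."""
    states = [offload_state(sa) for sa in tunnel["sas"]]
    return {
        "name": tunnel["name"],
        "ikev2": tunnel["ike_version"] == 2,
        "sa_count": len(tunnel["sas"]),
        "all_in_kernel": bool(states) and all(s == "kernel" for s in states),
        "offload": states,
    }


def classify_all(text):
    """Map tunnel name to its classification for every tunnel in the text."""
    return {t["name"]: classify(t) for t in parse_tunnels(text)}


if __name__ == "__main__":
    for name, info in classify_all(SAMPLE).items():
        print(name, info)
```

Feed it the saved output of 'diagnose vpn tunnel list' from a real device and every tunnel reporting 'kernel' on a model with NP hardware is worth a look at its phase 1 npu-offload setting and its cipher suite, since those are the usual reasons an SA is not offloaded.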


Question 569

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 570

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 573

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 574

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 575

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 576

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 577

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 578

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 579

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 580

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?



Answer : C


Question 581

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 582

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 583

An administrator configured the following command on FortiGate

config router ospf

sec reszart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 584

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?



Question 585

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?



Answer : D


Question 586

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 587

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 588

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 589

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 590

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 591

What is true about the Fitter override option in the application control profile?



Answer : B


Question 592

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 593

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 594

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 595

An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.


Question 596

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 597

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?



Question 598

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?



Question 599

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?



Answer : C


Question 600

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 601

Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 602

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 603
Question 604

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 605

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 606

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?



Answer : D


Question 607
Question 608

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 609

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 610

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 611

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 612

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?



Question 613

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?



Question 614

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 615

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?



Question 616

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?



Answer : C


Question 617

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 618

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 619

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 620

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 621
Question 622

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 623

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 624

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 625

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 626

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 627

An administrator configured the following command on FortiGate:

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 628
Question 629

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 630

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover. Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha

set link-failed-signal enable

end

- This simulates a link failure, which clears the related entries from the MAC tables of the switches.


Question 631

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 632

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 633

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 634

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 635

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 636

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 637

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 638

An administrator configured the following command on FortiGate:

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 639

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 640

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 641

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 642

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 643

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 644

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 645
Question 646

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 647

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 648

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover. Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha

set link-failed-signal enable

end

- This simulates a link failure, which clears the related entries from the MAC tables of the switches.


Question 649

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 650

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 651

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 652

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 653

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 654

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 655

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 656

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 657

An administrator configured the following command on FortiGate:

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 658

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 659

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 660

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 661

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 662
Question 663
Question 664

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 665

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover. Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha

set link-failed-signal enable

end

- This simulates a link failure, which clears the related entries from the MAC tables of the switches.


Question 666

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 667

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 668

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 669

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 670

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 671

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 672

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 673

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 674

What is true about the Filter override option in the application control profile?



Answer : B


Question 675

An administrator configured the following command on FortiGate:

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 676

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 677

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 678

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 679

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 680

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 681

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 682

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 683

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 684

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 685

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 686

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 687

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 688
Question 689

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 690

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 691

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 692

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 693

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 694

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 695

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 696

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 697

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 698

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 699

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 700

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 701
Question 702

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 703

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 704

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 705

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 706

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 707
Question 708

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 709

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 710

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover. Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha

set link-failed-signal enable

end

- This simulates a link failure, which clears the related entries from the MAC tables of the switches.


Question 711

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 712

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 713

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 714

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 715

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 716

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 717

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 718
Question 719

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 720

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 721

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?



Question 722

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover. Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure, which clears the related entries from the MAC tables of the switches.


Question 723

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 724

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 725

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 727

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 728

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 730

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 731

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 732

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 734

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 736

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 737

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 738

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 740

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)



Answer : B, D


Question 741

An administrator configured the following command on FortiGate:

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 749

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 751

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 753

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 755

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 758

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 761

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 763

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 776

What is true about the Filter override option in the application control profile?



Answer : B


Question 777

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 786

Exhibit.

ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding Security Fabric logging? (Choose two.)



Answer : A, B


Question 799

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 800
Question 801

An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.


Question 802

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 803

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 804

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 805

Exhibit.

Refer to the exhibit which provides information on BGP neighbors

What can you conclude from this command output?



Answer : A


Question 806

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 807

Refer to the exhibit.

which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 808

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 809

Refer to the exhibit.

The partial interlace configurator! of two FortiGate devices is shown

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 810

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 811

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?



Answer : B


Question 812

What is true about the Fitter override option in the application control profile?



Answer : B


Question 813

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?



Question 814

Which two statements about IKE version 2 fragmentation are true? (Choose two.)



Answer : A, D

In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.


Question 815

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?



Answer : B


Question 816

Refer to the exhibit.

Refer to the exhibit, which shows information about an OSPF interface

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C


Question 817

You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)



Answer : B, D


Question 818

What are two functions of automation stitches? (Choose two.)



Answer : A, D


Question 819

An administrator configured the following command on FortiGate:

config router ospf
    set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)



Answer : B, C


Question 820

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)



Answer : B, C


Question 821

Which two statements about metadata variables are true? (Choose two.)



Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference


Question 822

Exhibit.

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?



Answer : D


Question 823

Exhibit.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, and DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)



Answer : A, B


Question 824

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)



Answer : B, D, E


Question 825

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)



Question 826

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?



Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


Question 827

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?



Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC tables correctly after a failover.

- Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

- This simulates a link failure that clears the related entries from the MAC tables of the switches.


Question 828

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?



Answer : A


Question 830

Refer to the exhibit.

The exhibit shows a prefix list configuration.

What can you conclude from the above prefix-list configuration?



Answer : C


Question 831

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?



Question 832

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)



Question 835

Refer to the exhibit, which shows an SSL certificate inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?



Answer : D


Question 836

Which two statements about ADVPN are true? (Choose two.)



Answer : A, D

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.


Question 840

Which two features are true regarding IPS hardware acceleration? (Choose two.)



Answer : A, B


Question 841

Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?



Answer : A

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.


FortiOS Handbook - CLI Reference for FortiOS 5.2

Question 845

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?



Answer : C


Question 847

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?



Answer : B


Question 867

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)



Answer : B, C

From the command output shown in the exhibit:

B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to the NPU is occurring, and hence both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.


Question 872

Refer to the exhibit.

The partial interface configuration of two FortiGate devices is shown.

Which two conclusions can you draw from this configuration? (Choose two.)



Answer : B, C


Question 879

Exhibit.

Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.

Which two parameters must you configure on the corresponding single hub? (Choose two.)



Answer : A, B

For an ADVPN spoke configuration shown, the corresponding hub must have auto-discovery-sender enabled to send shortcut advertisement messages to the spokes. Also, the hub would need to have auto-discovery-forwarder enabled if it is to forward on those shortcut advertisements to other spokes. This allows the hub to inform all spokes about the best path to reach each other. The ike-version does not need to be reconfigured on the hub if it's already set to version 2 and auto-discovery-receiver is not necessary on the hub because it's the one sending the advertisements, not receiving.


FortiOS Handbook - ADVPN

Question 883

Exhibit.

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)



Answer : A, C

From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1. Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. The MTU mismatch would prevent OSPF from forming a neighbor relationship.


Fortinet FortiOS Handbook: OSPF Configuration

Question 891

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?



Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


Question 906

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?



Question 908

Refer to the exhibit, which shows an ADVPN network.

An administrator must configure an ADVPN using iBGP and eBGP to connect overlay network 1 with overlay network 2.

What must the administrator configure in the phase 1 IPsec VPN configuration of the Hub2Hub tunnels?



Answer : B

