What are two functions of automation stitches? (Choose two.)
Answer : A, D
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
What is true about the Filter override option in the application control profile?
Answer : B
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub-and-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Which ADVPN configuration must be configured using a script on FortiManager when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
#Config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from MAC table of the switches.
Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Which FortiGate in a Security I auric sends togs to FortiAnalyzer?
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Exhibit.
ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
What are two functions of automation stitches? (Choose two.)
Answer : A, D
What is true about the Fitter override option in the application control profile?
Answer : B
Exhibit.
Refer to the exhibit, which shows a partial web filter profile conjuration
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Exhibit.
Refer to the exhibit, which shows a partial touting table
What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Which FortiGate in a Security I auric sends togs to FortiAnalyzer?
Refer to the exhibit.
which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
What is true about the Fitter override option in the application control profile?
Answer : B
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
You are testing the implementation of a new custom remote desktop application in your network In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two)
Answer : B, D
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Which FortiGate in a Security I auric sends togs to FortiAnalyzer?
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit.
Refer to the exhibit, which shows information about an OSPF interface
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?
An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
#Config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from MAC table of the switches.
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
What is true about the Filter override option in the application control profile?
Answer : B
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit.
Refer to the exhibit, which shows information about an OSPF interface
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
What is true about the Filter override option in the application control profile?
Answer : B
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which ADVPN configuration must be configured using a script on FortiManager when using VPN Manager to manage FortiGate VPN tunnels?
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Refer to the exhibit.
Refer to the exhibit, which shows information about an OSPF interface
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
What is true about the Filter override option in the application control profile?
Answer : B
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which ADVPN configuration must be configured using a script on FortiManager when using VPN Manager to manage FortiGate VPN tunnels?
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Refer to the exhibit.
Refer to the exhibit, which shows information about an OSPF interface
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
What is true about the Filter override option in the application control profile?
Answer : B
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from MAC table of the switches.
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
What is true about the Filter override option in the application control profile?
Answer : B
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
An administrator configured the following command on FortiGate:
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from MAC table of the switches.
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
What is true about the Filter override option in the application control profile?
Answer : B
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
What is true about the Filter override option in the application control profile?
Answer : B
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
    config system ha
        set link-failed-signal enable
    end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
Answer : C
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
An administrator configured the following command on FortiGate:
    config router ospf
        set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Which ADVPN configuration must be configured using a script on FortiManager when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Exhibit.
ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Refer to the exhibit.
Refer to the exhibit, which shows information about an OSPF interface
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Exhibit.
Refer to exhibit, which shows a central management configuration
Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial BGP combination.
You want to configure a loopback as the OGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which shows a partial touting table
What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
An administrator configured the following command on FortiGate
config router ospf
sec reszart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?
Exhibit.
Refer to the exhibit, which shows a partial web filter profile conjuration
Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
What is true about the Fitter override option in the application control profile?
Answer : B
Which FortiGate in a Security I auric sends togs to FortiAnalyzer?
Refer to the exhibit.
The partial interlace configurator! of two FortiGate devices is shown
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
What are two functions of automation stitches? (Choose two.)
Answer : A, D
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
What is true about the Filter override option in the application control profile?
Answer : B
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
What is true about the Filter override option in the application control profile?
Answer : B
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
What is true about the Filter override option in the application control profile?
Answer : B
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
Answer : C
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
What is true about the Filter override option in the application control profile?
Answer : B
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
An administrator configured the following command on FortiGate:
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
What is true about the Filter override option in the application control profile?
Answer : B
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
An administrator configured the following command on FortiGate:
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
An administrator configured the following command on FortiGate:
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
An administrator configured the following command on FortiGate:
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
What is true about the Filter override option in the application control profile?
Answer : B
An administrator configured the following command on FortiGate:
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
An administrator configured the following command on FortiGate:
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit which provides information on BGP neighbors
What can you conclude from this command output?
Answer : A
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B . The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C . Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
What is true about the Filter override option in the application control profile?
Answer : B
What are two functions of automation stitches? (Choose two.)
Answer : A, D
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
Answer : B
Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer : D
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Which two features are true regarding IPS hardware acceleration? (Choose two.)
Answer : A, B
Which two statements about ADVPN are true? (Choose two.)
Answer : A, D
C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.
D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.
These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from the output?
Answer : B
Exhibit.
ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Refer to the exhibit.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
Answer : A
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
FortiOS Handbook - CLI Reference for FortiOS 5.2
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
Answer : B, C
From the command output shown in the exhibit:
B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
Answer : B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
Answer : D
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C
Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)
Exhibit.
Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.
Which two parameters must you configure on the corresponding single hub? (Choose two.)
Answer : A, B
For an ADVPN spoke configuration shown, the corresponding hub must have auto-discovery-sender enabled to send shortcut advertisement messages to the spokes. Also, the hub would need to have auto-discovery-forwarder enabled if it is to forward on those shortcut advertisements to other spokes. This allows the hub to inform all spokes about the best path to reach each other. The ike-version does not need to be reconfigured on the hub if it's already set to version 2 and auto-discovery-receiver is not necessary on the hub because it's the one sending the advertisements, not receiving.
FortiOS Handbook - ADVPN
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
Exhibit.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
Answer : A, C
From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1. Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. The MTU mismatch would prevent OSPF from forming a neighbor relationship.
Fortinet FortiOS Handbook: OSPF Configuration
What is true about the Filter override option in the application control profile?
Answer : B
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Answer : B, D, E
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
An administrator configured the following command on FortiGate:
config router ospf
    set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)
Answer : B, C
You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two.)
Answer : B, D
Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
Answer : C
From the partial OSPF (Open Shortest Path First) configuration output:
B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Refer to the exhibit.
The exhibit shows a prefix list configuration
What can you conclude from the above prefix-list configuration?
Answer : C
What are two functions of automation stitches? (Choose two.)
Answer : A, D
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
Answer : B, C
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.)
Answer : A, B
Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)
Exhibit.
Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.
Which two parameters must you configure on the corresponding single hub? (Choose two.)
Answer : A, B
For an ADVPN spoke configuration shown, the corresponding hub must have auto-discovery-sender enabled to send shortcut advertisement messages to the spokes. Also, the hub would need to have auto-discovery-forwarder enabled if it is to forward on those shortcut advertisements to other spokes. This allows the hub to inform all spokes about the best path to reach each other. The ike-version does not need to be reconfigured on the hub if it's already set to version 2 and auto-discovery-receiver is not necessary on the hub because it's the one sending the advertisements, not receiving.
FortiOS Handbook - ADVPN
What is true about the Filter override option in the application control profile?
Answer : B
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
Answer : B
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
Answer : A, D
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
Answer : D
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: Force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC table of the switches.
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
Answer : A
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?
Answer : C
Refer to the exhibit, which shows an ADVPN network.
An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What must the administrator configure in the phase 1 VPN IPsec configuration of the Hub2Hub tunnels?
Answer : B
Which two statements about metadata variables are true? (Choose two.)
Answer : C, D
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
Fortinet FortiOS Handbook: CLI Reference
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
Answer : B, C