Question 1

Which configuration objects can be selected for the source field of a firewall policy? (choose two)

A. Firewall service
B. User or user group
C. IP Pool
D. FQDN address

Question 2

By default, when logging to disk, when does FortiGate delete logs?

A. 30 days
B. 1 year
C. Never
D. 7 days
*******************************************************************************
Fortigate Study Guide Page 237:
“By default, logs older than 7 days are deleted from disk (log age is configurable)”
*******************************************************************************

Question 3

Which of the following conditions are required for establishing an IPSec VPN between two FortiGate devices?
(Choose two)

A. If XAuth is enable as a server in one peer, it must be enable as client in the other peer.
B. If the VPN is configured as route-based, there must be at least one firewall policy with the action set to IP
Sec.
C. If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or
Dynamic DNS in the other peer.
D. If the VPN is configured as a policy-based in one peer, it must also be configured as policy based in the other
peer.

*******************************************************************************

Proof for A: Fortigate Security Study Guide Page 621

Proof for C: Fortigate Security Study Guide Page 616
*******************************************************************************
Question 4

Based on this output, which statements are correct? (Choose two)

A. The all VDOM is not synchronized between the primary and secondary FortiGate derives
B. The root VDOM is not synchronized between the primary and secondary FortiGate derives
C. The global configuration is synchronized between the primary and secondary FortiGate derives
D. The FortiGate derives have three VDOMS

Question 5

Which of the following statements about NTLM authentication are correct? (choose two)

A. It is useful when users log in to DCs that are not monitored by a collector agent
B. It takes over as the primary authentication method when configured alongside FSSO
C. Multi-domain environments require DC agents on every domain controller
D. NTLM-enabled web browsers are required

*******************************************************************************

Fortigate Infrastructure Guide Page 248: “When both FSSO and NTLM are enabled, NTLM is used as a
fallback for FSSO” -> so B is wrong
Fortigate Infrastructure Guide Page 247: NTLM authentication is useful when: “Users are logged in to DCs
that are not being monitored by the collector”. -> so A is right
Fortigate Infrastructure Guide Page 247: “NTLM authentication does not require DC agents,..”
-> so C is wrong
That D is right:
https://www.fortinetguru.com/2016/07/configuring-authenticated-access/12/
is the name of the browser that is NTLM enabled.

*******************************************************************************
Question 6

View the following exhibit, which shows the firewall policies and the object uses in the firewall policies

The administrator is using the Policy Lookup feature and has entered the search create shown in the following
exhibit.

Which of the following will be highlighted based on the input criteria?

A. Policy with ID1

B. Policies with ID 2 and 3
C. Policy with ID 5
D. Policy with ID 4
*******************************************************************************
Ans is A. Policy with ID1
facebook.com is a FQDN object defined, not ISDB object.
facebook.com is not equal to Facebook.Web
Policy ID 2 and 3 is out.
Policy ID 4 source interface does not match
Policy ID 5 destination is Facebook.Web, not facebook.com
Policy ID1 best match!

I agree the answer is A. Also which give it away is the Protocol is TCP. C there is no service or protocols assigned it is
blank. Good catch
The correct answer is policy ID 1. It could be policy ID 5 but based on the output we don’t know if the IP address for
facebook.com is part of the Internet Service Object so therefore we’re not sure if it will match that policy. We know
that it will match policy ID1 for sure

https://vceguide.com/which-of-the-following-will-be-highlighted-based-on-the-input-criteria/
*******************************************************************************

Question 7

An administrators is attempting to allow access to https://fortinet.com though a firewall policy that is configured
with a web filter and an SSL inspection profile configured for deep inspection which of the following are possible
actions to eliminate the certificate error generated by deep inspection? (choose two)

A. Implement firewall authentication for all users that need access to Fortinet.com
B. Manually install the FortiGate deep inspection certificate as a trusted CA
C. Configure Fortinet.com access to bypass the IPS engine
D. Configure an SSL-inspection exemption for Fortinet.com

Question 8

An administrator has configured a dialup IPSec VPN with XAuth. Which statement best describes what occurs
during this scenario?

A. Phase 1 negotiations will skip preshared key exchange

B. Only digital certificates will be accepted as an authentication method in phase 1.C
C. Dialup clients must provide a username and password for authentication
D. Dialup clients must provide their local ID during phase 2 negotiations
Question 9

Examine the IPS sensor configuration shown in the exhibit, and then answer the question-below

What are the expected action if traffic matches this IPS sensor? (choose two)

A. The sensor will gather a packet log for all matched traffic
B. The sensor will not block attackers matching the A32S.Bonet signature
C. The sensor will block all attacks for Windows Servers
D. The sensor will reset all connections that match these signatures

Question 10

An administrator has configured the following settings:

What does the configuration do? (choose two)

A. Reduces the amount of logs generated by denied traffic

B. Enforces derive detection on all interfaces for 30 minutes
C. Blocks denied users for 30 minutes
D. Creates a session for traffic being denied

*******************************************************************************
block-session-timer
Set the time duration in seconds for blocked or denied sessions to remain in the session table. Range: 1 –
300 seconds (1 second to 5 minutes). Default is 30.
For this option to be effective, enable the sess-denied-traffic system setting (see ses-denied-traffic {enable
| disable} for details). Keeping denied sessions in the session table longer can reduce CPU usage. However,
each session in the session table uses sytem memory. So you may want to adjust this timer for optimum
performance.

*******************************************************************************

Question 11

How does FortiGate verify the login credentials of a remote LDAP user?

A. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored
on the LDAP server
B. FortiGate sends the user-entered credentials to the LDAP server for authentication
C. FortiGate queries the LDAP server for credentials
D. FortiGate queries its own database for credentials

Question 12

View the exhibit

Which users and user groups are allowed access to the network through captive portal?

A. Users and groups defined in the firewall policy

B. Only individual users – not groups – defined in the captive portal configuration
C. Groups defined in the captive portal configuration
D. All users

*******************************************************************************

If you hover over the info icon, “Allow all: all users can login but access will be defined but relevant
policies”
 Guide 6.0 page 222
 Fortigate Security 6.0 P.210

*******************************************************************************

Question 13

Which of the following statements about policy-based IPSec tunnels are true? (choose two)

A. They can be configured in both NAT/Route and transparent operation modes

B. They support L2TP-over-IPSec
C. They require two firewall policies, one for each directions of traffic flow
D. They support GRE-over-IPSec
*******************************************************************************

FortiGate Infrastructure Study Guide 6.0 Page 204

*******************************************************************************

Question 14

An administrator wants to block HTTP uploads Examine exhibit, which contains the proxy address created for that
purpose

Where must the proxy address be used?

A. As the source in a firewall policy

B. As the source in a proxy policy
C. As the destination in a firewall policy
D. As the destination in a proxy policy
*******************************************************************************

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/720455/proxy-policy-addresses

section: HTTP method

“Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a
policy will only allow or block requests that match the selected HTTP method”

*******************************************************************************

Question 15

Which one of the following processes is involved in updating IPS from FortiGuard?

A. FortiGate IPS update requests are sent using UDP port 443
B. Protocol decoder update requests are sent to service.fortiguard.net.
C. IPS signature update requests are sent to update.fortiguar.net.
D. IPS engine updates can only be obtained using push updates
*******************************************************************************
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/07-FortiGuard.htm
 update.fortiguard.net: For AV and IPS updates
 service.fortiguard.net: For web filtering and anti-spam updates
 “Fortigate IPS update requests are sent to update.fortiguard.net”
*******************************************************************************
Question 16

An administrator wants to create a policy-based IPSec VPN tunnel between two FortiGate derives which
configuration steps must be performed on both derives to support this scenario? (choose three)

A. Define the phase 1 parameters, without enabling IPsec interface mode

B. Define the phase 2 parameters
C. Set the phase 2 encapsulation method to transport mode
D. Define at least one firewall policy, with the action set to IPsec
E. Define a route to the remote network over the IPsec tunnel
*******************************************************************************

A) FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf —> “Enable to reate route-based. Disable to

create policy-based.”

B) https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Defining_VPN_Policies/
Defining_Policies_for_Policy_and_Route.htm —> “Specify the Phase 2 parameters”

D) FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf —> “In a policy-based configuration, only one

firewall policy with the action IPsec is usually requerid”

*******************************************************************************

Question 17

An administrator wants to configure a FortiGate as a DNS server. FortiGate must use a DNS database first, and
then relay all irresolvable queries to an external DNS server. Which of the following DNS methods must you use?

A. Recursive
B. Non-recursive
C. Forward to primary and secondary DNS
D. Forward to system DNS

*******************************************************************************

“Recursive: Replies to queries for items in FortiGate’s DNS database and forwards all other queries to a
separate DNS server for resolution.”
FortiGate_Security_6.2_Study_Guide-Online p43

*******************************************************************************

Question 18

View the exhibit

Why is the administrator getting the error shown in the exhibit?

A. The administrator must first enter the command edit global

B. The administrator admin does not have the privileges required to configure global settings
C. The global settings cannot be configured from the root VDOM context
D. The command config system global does not exist in FortiGate

Question 19

If the issuer and Subject values are the same in a digital certificate, which type of entify was the certificate issued
to?

A. A CRL
B. A person
C. A subordinate CA
D. A root CA

Question 20

Which statements about a One-to-One IP pool are true? (choose two)

A. It is used for destination NAT

B. It allows the fixed mapping of an internal address range to an external address range
C. It does not use port address translation ID
D. It allows the configuration of ARP replies
*******************************************************************************

Explain:
A: One-To-one type of SNAT (not sure)
B: In the one-to-one pool type, an internal IP address is mapped with an external address on a first-come,
first-served
basis. Mappings are not fixed.
C: in one-to-one, PAT is not required.
D: arp reply option has in IP pool.

*******************************************************************************

Question 21

Examine the two static routes shown in the exhibit, then answer the following question

Which of the following is the expected FortiGate behavior regading these two routes to the same destination?

A. FortiGate will load balance all traffic across both routes

B. FortiGate will use the port1 route as the primary candidate
C. FortiGate will route twice as much traffic to the port2 route
D. FortiGate will only actuate the port1 route in the routing table
*******************************************************************************

Fortigate Infrastructure Guide Page 23:

“If multiple static routes have the same distance, they are all active; however, only the one with the lowest
priorits is considered the best path.”

*******************************************************************************

Question 22

Examine the exhibit, which shows the partial output of an IKE real-time debug

Which of the following statement about the output is true?

A. The VPN is configured to use pre-shared key authentication

B. Extended authentication (XAuth) was successful
C. Remote is the host name of the remote IPsec peer
D. Phase 1 went down

Question 23

How can you block or allow to Twitter using a firewall policy?

A. Configure the Destination field as Internet Service objects for Twitter

B. Configure the Action field as Internet Service objects for Twitter
C. Configure the Service field as Internet Service objects for Twitter
D. Configure the source field as Internet Service objects for Twitter

Question 24

When browsing to an internal web server using a web-model SSL VPN bookmark, which IP address is used as the
source of the HTTP request?

A. Remote user´s public IP address

B. The public IP addressof the FortiGate derive
C. The remote user´s virtual IP address
D. The internal IP address of the FortiGate derive

*******************************************************************************

D  “Source IP seen by the remote resources is FortiGate’s internal IP address and not the user’s IP
address” (Security Study Guide, 546)
*******************************************************************************

Question 25

Which of the following service can be inspected by the DLP profile? (choose three)

A. NFS
B. FTP
C. IMAP
D. CIFS
E. HTTP-POST

Question 26

A company needs to provide SSL VPN access to two user groups. The company also needs to display different
welcome messages on the SSL VPN login screen for both user groups. What is required in the SSL VPN
configuration to meet these requirements?

A. Different SSL VPN realms for each group

B. Two separate SSL VPNS in different interfaces of the same VDOM
C. Two firewall policies with different captive portals
D. Different virtual SSL VPN IP addresses for each group

Question 27

The FSSO Collector Agent set to advanced access mode for the Windows Active Directory uses which of the
following?

A. LDAP convention
B. NTLM convention
C. Windows convention NetBlos\Username
D. RSSO convention

Question 28

NGFW mode allows policy-based configuration for most inspection rules. Which security profile's configuration
does not change when you enable policy-based inspection?

A. Web filtering
B. Antivirus
C. Web proxy
D. Application control

Question 29

Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two)

A. If the DHCP method fails, browsers will try the DNS method
B. The browser needs to be preconfigured with the DHCP server's IP address
C. The browser sends a DHCPINFORM request to the DHCP server
D. The DHCP server provides the PAC file for download
Question 30

What is the limitation of using a UR List and application control on the same firewall policy, in NGFW policy-based
mode?

A. It limits the scope of application control to the browser-based technology category only
B. It limits the scope of application control to scan application traffic based on application category only.
C. It limits the scope of application control to scan application traffic using parent signatures only
D. It limits the scope of application control to scan application traffic on DNS protocol only.

Question 31

View the exhibit

Based on the configuration shown in the exhibit, what statements about application control behavior are true?
(Choose two)

A. Access to all unknown applications will be allowed

B. Access to browser based Social.Media applications will be blocked
C. Access to mobile social media applications will be blocked
D. Access to all applications in Social.Media category will be blocked

*******************************************************************************

if application control and web control enabled in the same policy in NGFW policy based it will inspect
applications only in browsers:
FortiGate Security 6.0 Study Guide, page 411:
Application Control in NGFW Policy Mode – You can configure the URL Category within the same policy,
however, adding a URL filter will cause application control to scan application in only the browser-based
technology category. For example, Facebook Messenger on the Facebook website.
*******************************************************************************

Question 32

An administrator is running the following sniffer command:

diagnose sniffer packet any "host 10.0.2.10” 3

What information will be included in the sniffer output? (Choose three.)

A. IP header
B. Ethernet header
C. Packet payload
D. Application header
E. Interface name
*******************************************************************************

Infrastructure Study Guide, 57

*******************************************************************************

Question 33

An administrator has configured two VLAN interface:

A DHCP server is connected to the VLAN 10 interface. A DHCP Client is connected to e VLAN5 interface. However,
the DHCP client cannot get a dynamic IP address from the DHCP server. What is the cause of the problem?

A. Both interfaces must belong to the same forward domain

B. The role of the VLAN10 Interface must be set to server
C. Both interfaces must have the same VLAN ID
D. Both interfaces must be in different NDOMs

Question 34

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the
reasons for that? (choose three).

A. The interface has been configured configured for one-arm sniffer

B. The interface is a member of a virtual wire pair
C. The operation mode is transparent
D. The interface is a member of a zone
E. Captive portal is enabled in the interface

*******************************************************************************

A is true (Page 34 Security Study Guide 6.2)

B is true (https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/
Top_VirtualWirePair.htm)
C is true (Page 17 Security Study Guide 6.2)
*******************************************************************************
Question 35

Examine the IPS sensor and DOS policy configuration shown in the exhibit, then answer the question below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

A. SMTP.Login.Brute Force
B. IMAP.Login.brute.Force
C. Ip_src_session
D. Location:server Protocol:SMTP
*******************************************************************************

C  https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Concepts - Firewall/DoS
Protection.htm
*******************************************************************************
Question 36

When using SD-WAN, how do you configure the next-hop gateway address for a member interface so that
FortiGate can forward Internet traffic?

A. It must be configured in a static route using the sdwan virtual interface

B. It must be provided in the SD-WAN member interface configuration
C. It must be configured in a policy-route using the sdwan virtual interface
D. It must be learned automatically through a dynamic routing protocol
*******************************************************************************

Guía de Estudio Infrastucture 6.2 – página 70

Because the gateway is specify during the sd-wan configuration interface

*******************************************************************************

Question 37

Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

An administrator has configured the WINDOS_SERVER IPS sensor in an attempt to determine whether the influx of
HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs
for the HTTPS traffic. What is a possible reason for this?

A. The IPS filter is missing the Protocol: HTTPS option

B. The HTTPS signatures have not been added to the sensor
C. A DoS policy should be used, instead of an IPS sensor
D. A DoS policy should be used, instead of an IPS sensor
E. The firewall policy is not using a full SSL inspection profile
Question 38

A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interface added to the
physical interface. Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have
IP addresses in different subnets.

A. The two VLAN sub interface can have the same VLAN ID, only if they have IP addresses in different subnets
B. The two VLAN sub interface must have different VLAN IDs
C. The two VLAN sub interface must can have the same VLAN ID, only if they belong to different VDOMs
D. The two VLAN sub interfaces can have the VLAN ID, only if they have IP addresses in the same subnet

*******************************************************************************

“You can add multiple VLANs to the same physical interface on a FortiGate. However, VLAN subinterfaces
added to the same physical interface can’t have the same VLAN ID or have IP addresses on the same
subnet. You can add VLAN subinterfaces with the same VLAN ID to different physical interfaces.”

1) Después de agregar los VDOM adicionales, puede proceder a especificar qué interfaces pertenecen a
cada VDOM. Cada interfaz (física o VLAN) puede pertenecer a un solo VDOM.
“Esto descatrta totalmente la C”

2) Las VLAN dividen su LAN física en múltiples LAN lógicas. En el modo de operación NAT, cada VLAN forma
un dominio de difusión separado. Varias VLAN pueden coexistir en la misma interfaz física, siempre que
tengan diferentes ID de VLAN. De esta manera, una interfaz física se divide en dos o más interfaces lógicas.
Se agrega una etiqueta a cada trama de Ethernet para identificar la VLAN a la que pertenece.
“Esto descatrta totalmente la A y la D”

*******************************************************************************

Question 39

How does FortiGate select the central SNAT policy that is applied to a TCP session?

A. It selects the SNAT policy specified in the configuration of the outgoing interface
B. It selects the first matching central SNAT policy, reviewing from top bottom
C. It selects the central SNAT policy with the lowest priority
D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.

Question 40

Which of the following SD-WAN load balancing method use interface weight value to distribute traffic? (choose
two)

A. Source IP
B. Spillover
C. Volume
D. Session
Question 41

View the exhibit

Which of the following statements are correct? (Choose two)

A. This setup requires at least two firewall policies with the action set to IPsec.
B. Dead peer detection must be disabled to support this type of IPsec setup.
C. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the
TunnelB VPN is down.
D. This is a redundant IPsec setup.

Question 42

What information is flushed when the chunk-size value is changed in the config dlp settings?

A. The database for DLP document fingerprinting

B. The supported file types in the DLP filters
C. The archived files and messages
D. The file name patterns in the DLP filters

*******************************************************************************

https://help.fortinet.com/cli/fos50hlp/56/Content/FortiOS/fortiOS-cli-ref-56/config/dlp/settings.htm

==============Changing the chunk size will flush the entire database.==============

*******************************************************************************

Question 43

Which is the correct description of a hash result as it relates to digital certificates?

A. A unique value used to verify the input data

B. An output value that is used to identify the person or deduce that authored the input data.
C. An obfuscation used to mask the input data
D. An encrypted output value used to safe-guard the input data
Question 44

View the exhibit

What does this raw log indicate? (Choose two)

A. FortiGate blocked the traffic.

B. type indicates that a security event was recorded
C. 10.0.1.20 is the IP address for lavito.tk.
D. policyid indicates that traffic went through the IPS firewall policy

*******************************************************************************
Correct
A. FortiGate blocked the traffic. (action=blocked)
B. type indicates that a security event was recorded. (type=UTM)

Incorrect
C. 10.0.1.20 is the IP address for lavito.tk.
D. policyid indicates that traffic went through the IPS firewall policy. (Policy ID 1 is for FullAccess Policy
Name)

*******************************************************************************

Question 45

An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best
practices to do so? (Choose three)

A. Configure split tunneling for content inspection

B. Configure host restrictions by IP or MAC address
C. Configure two-factor authentication using security certificates
D. Configure SSL offloading to a content processor (FortiASIC)
E. Configure a client integrity check (host-check)

Question 46

Which of the following statements are best practices for troubleshooting FSSO? (Choose two)

A. Include the group of guest users in a policy

 B. Extend timeout timers
C. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers
D. Ensure all firewalls allow the FSSO required ports

Question 47

Which of the following FortiGate configuration tasks will create a route in the policy route table? (Choose two)

A. Static route created with a Named Address object

B. Static route created with an Internet Services object
C. SD-WAN route created for individual member interfaces
D. SD-WAN rule created to route traffic based on link latency

Question 48

What criteria does FortiGate use to look for a matching firewall policy to process traffic? (Choose two)

A. Services defined in the firewall policy

B. Highest to lowest priority defined in the firewall policy
C. Incoming and outgoing interfaces
D. Lowest to highest policy ID number

Question 49

Examine the routing database shown in the exhibit, and then answer the following question

Which of the following statements are correct? (Choose two)

A. The port3 default route has the highest distance

B. The port3 default route has the lowest metric
C. There will be eight routes active in the routing table
D. The port1 and port2 default routes are active in the routing table
Question 50

On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager? (Choose two)

A. Hourly
B. real time
C. on-demand
D. store-and-upload

*******************************************************************************

B and D, reference page 247 “Logging and Monitoring” FortiGate_Security_6.0_Study_Guide_v2:

Configure logging options:
* store-and-upload (CLI configuration only)—>only available to Fortigate with an internal hard drive
* Real Time
* Every minute
* Every 5 minutes (default)
*******************************************************************************

Question 51

An administration wants to throttle the total volume of SMTP sessions to their email server. Which of the
following DoS sensors can be used to achieve this?

A. tcp_port_scan
B. ip_dst_session
C. udp_flood
D. ip_src_session

Question 52

If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does the FortiGate take?

A. It blocks all future traffic for that IP address for a configured interval
B. It archives the data for that IP address
C. It provides a DLP block replacement page with a link to download the file
D. It notifies the administrator by sending an email
*******************************************************************************
https://help.fortinet.com/cli/fos50hlp/54/Content/FortiOS/fortiOS-cli-ref-54/config/dlp/sensor.htm

quarantine-ip : block access through the FortiGate unit for any IP address that sends traffic matching a
sensor with this action. The IP address is added to the Banned User list for a duration of time that is
determined by set expiry.

*******************************************************************************
Question 53

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about
this IPsec VPN configuration is true?

A. A phase 2 configuration is not required

B. This VPN cannot be used as part of a hub-and-spoke topology
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed
D. The IPsec firewall policies must be placed at the top of the list

Question 54

You have tasked to design a new IPsec deployment with the following criteria:

 There are two HQ sues that all satellite offices must connect to
 The satellite offices do not need to communicate directly with other satellite offices
 No dynamic routing will be used
 The design should minimize the number of tunnels being configured

Which topology should be used to satisfy all of the requirements?

A. Partial mesh
B. Hub-and-spoke
C. Fully meshed
D. Redundant

Question 55

Examine the network diagram shown in the exhibit, and then answer the following question

A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and
port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes
will satisfy this requirement on FGT1? (Choose two)

A. 172.20.2.0/24 (1/150) via 10.10.3.2, port3 [10/0]

B. 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]
C. 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]
D. 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]

Question 56

What files are sent to FortiSandbox for inspection in flow-based inspection mode?

A. All suspicious files that do not have their hash value in the FortiGuard antivirus signature database
 B. All suspicious files that are above the defined oversize limit value in the protocol options
C. All suspicious files that match patterns defined in the antivirus profile
D. All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile
*******************************************************************************

 Page 468 of Fortigate security 6.2 study guide :

 You can send all files, or only files deemed suspicious to fortisandbox.
*******************************************************************************

Question 57

What FortiGate configuration is required to actively prompt users for credentials?

A. You must enable one or more protocols that support active authentication on a firewall policy
B. You must position the firewall policy for active authentication before a firewall policy foe passive
authentication.
C. You must assign users to a group for active authentication
D. You must enable the Authentication setting on the firewall policy

Question 58

Examine the network diagram shown in the exhibit, then answer, the answer the following question

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the
Web server?

A. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]

B. 0.0.0.0/0 [20/0] via 10.4.200.2, port2
C. 10.4.200.0/30 is directly connected, port2
D. 172.16.32.0/24 is directly connected, port1

Question 59

Which statements about DNS filter profiles are true? (Choose two)

A. They can inspect HTTP traffic

B. They can redirect blocked requests to a specific portal
C. They can block DNS request to known botnet command and control servers
 D. They must be applied in firewall policies with SSL inspection enabled

Question 60

Examine the exhibit, which contains a session diagnostic output

Which of the following statements about the session diagnostic output is true?

A. The session is in ESTABLISHED state

B. The session is in LISTEN state
C. The session is in TIME_WAIT state
D. The session is in CLOSE_WAIT state
*******************************************************************************

Answer is A. protocol_state=01 means “ESTABLISHED”

*******************************************************************************

Question 61

A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the
default prof_admin profile is true?

A. It can create administrator accounts with access to the same VDOM

B. It cannot have access to more than one VDOM
C. It can reset the password for the admin account
D. It can upgrade the firmware on the FortiGate device

*******************************************************************************

1) Efectivamente puede crear otras cuentas del tipo prof_admin pero solo con acceso al mismo VDOM.
2) Al crea este tipo de perfil de administrador se le puede dar acceso a uno o más VDOM (B Incorrecta)
3) Puede restablecer su contraseña que es de administrador en este caso pero no puede restablecer
ninguna otra cuenta de administrador ni en su misma VDOM. (C Incorrecta)
4) No puede actualizar el firmware en el dispositivo FortiGate eso solo es para el administrador con acceso
Global.

Question 62

View the exhibit

What should be done next to troubleshoot the problem?

A. Run a sniffer in the web server

B. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”
C. Capture the traffic using an external sniffer connected to port1
D. Execute a debug flow

Question 63

Which statement about FortiGuard services for FortiGate is true?

A. The web filtering database is downloaded locally on the FortiGate

B. Antivirus signatures are downloaded locally on the FortiGate
C. FortiGate downloads IPS updates using UDP port 53 or 8888
D. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates

Question 64

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are
true? (Choose two)

A. Log downloads from the GUI are limited to the current filter view
B. Log backups from the CLI cannot be restored to another FortiGate
C. Log backups from the CLI can be configured to upload to FTP as a scheduled time
D. Log downloads from the GUI are stored as LZ4 compressed files
*******************************************************************************

Fortigate Security Guide 6.0 p276 (B) p278 (A)

For sure A is correct notice how the wording of “DOWNLOADS” instead of backups is used. Direct from
study guide: “Can download logs on the GUI based on the current view, including any log filters set.
D also mentions Log “DOWNLOADS” and not backups…. .DOWNLOADS from the gui are .log files similar to
a text document so D is incorrect
Also it clearly stats that Log “backups cannot be restored to another FortiGate” A & B are the best options
in my opinion.

*******************************************************************************
Question 65

Which statements best describe auto discovery VPN (ADVPN). (Choose two)

A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals
are defined in advance.

Question 66

Which of the following static routes are not maintained in the routing table? (Choose two)

A. Named Address routes

B. Dynamic routes
C. ISDB routes
D. Policy routes

Question 67

Which statement is true regarding SSL VPN timers? (Choose two)

A. Allow to mitigate DoS attacks from partial HTTP requests

B. SSL VPN settings do not have customizable timers
C. Disconnect idle SSL VPN users when a firewall policy authentication timeout occurs
D. Prevent SSL VPN users from being logged out because of high network latency

Question 68

Which of the following are purposes of NAT traversal in IPsec? (Choose two)

A. To delete intermediary NAT devices in the tunnel path

B. To dynamically change phase 1 negotiation mode aggressive mode
C. To encapsulation ESP packets in UDP packets using port 4500
D. To force a new DH exchange with each phase 2 rekey
*******************************************************************************

A  To detect. That ‘delete’ scared me.

C  “When NAT Traversal is set to Forced, UDP port 4500is always used” —— (Security Study Guide, 609)

*******************************************************************************
Question 69

View the exhibit:

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this
configuration, which statement is true?

A. Addicting Games is allowed based on the Application Overrides configuration

B. Addicting Games is blocked based on the Filter Overrides configuration
C. Addicting Games can be allowed only if the Filter Overrides actions is set to Exempt
D. Addicting Games is allowed based on the Categories configuration

Question 70

If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is
used?

A. The Services field removes the requirement of creating multiple VIPs for different services
B. The Services field is used when several VIPs need to be bundled into VIP groups
C. The Services field does not allow source NAT and destination NAT to be combined in the same policy
D. The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single
computer

Question 71

Which statements about virtual domains (VDOMs) are true? (choose two)

A. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate
B. Each VDOM can be configured with different system hostnames
C. Different VLAN sub- interface of the same physical interface can be assigned to different VDOMS
D. Each VDOM has its own routing table
Question 72

An employee connects to the https://example.com on the Internet using a web browser. The web server’s certificate
was signed by a private internal CA. The FortiGate that is inspecting this traffic is configured for full SSL inspection.

This exhibit shows the configuration settings for the SSL/SSH inspection profile that is applied to the policy that is
invoked in this instance. All other settings are set to defaults. No certificates have been imported into FortiGate.
View the exhibit and answer the question-that follows.

Which certificate is presented to the employee’s web browser?

A. The web server’s certificate

B. The user’s personal certificate signed by a private internal CA
C. A certificate signed by Fortinet_CA_SSL
D. A certificate signed by Fortinet_CA_Untrusted
*******************************************************************************
According to FortiGate Security 6.0 Study Guide, P.304,
“When the Untrusted SSL Certificates setting is set to Allow and FortiGate receives an untrusted SSL
certificate, FortiGate generates and signs a temporary certificate using the Fortinet_CA_Untrusted private
key. It then sends the temporary certificate to the browser. The browser presents a warning to the user
indicating that the site is untrusted.”
*******************************************************************************

Question 73

Which of the following statements correctly describes FortiGates route lookup behavior when searching for a
suitable gateway? (Choose two)

A. Lookup is done on the trust packet from the session originator

B. Lookup is done on the last packet sent from the responder
C. Lookup is done on every packet, regardless of direction
D. Lookup is done on the trust reply packet from the responder
*******************************************************************************

Por defecto, muchos aspectos de FortiGate tienen estado. Es decir, FortiGate decide muchas cosas al
comienzo de una sesión, cuando recibe el primer paquete.
Para cada sesión, FortiGate realiza dos búsquedas de enrutamiento:
• Para el primer paquete enviado por el creador
• Para el primer paquete de respuesta proveniente del respondedor

Después de completar estas dos búsquedas, FortiGate escribe la información de enrutamiento en su tabla
de sesión. Subsecuente los paquetes se enrutan de acuerdo con la tabla de sesión, no con la tabla de
enrutamiento. Por lo tanto, todos los paquetes que pertenecen a la misma sesión siguen la misma ruta.

*******************************************************************************

Question 74

HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could
resolve this problem? (Choose two)

A. Enable Allow Invalid SSL Certificates for the relevant security profile
B. Change web browsers to one that does not support HPKP
C. Exempt those web sites that use HPKP from full SSL inspection
D. Install the CA certificate (that is required to verify the web server certificate) stores of users’ computers

Question 75

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and
server) have terminated the session?

A. To remove the NAT operation

B. To generate logs
C. To finish any inspection operations
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.

*******************************************************************************

Page 182 of 6.2 Study Guide

*******************************************************************************

Question 76

Refer to the following exhibit.

Why is FortiGate not blocking the test file over FTP download?

A. Deep-inspection must be enabled for FortiGate to fully scan FTP traffic

B. FortiGate needs to be operating in flow-based inspection mode in order to scan FTP traffic
C. The FortiSandbox signature database is required to successfully scan FTP traffic
D. The proxy options profile needs to scan FTP traffic on a non-standard port

*******************************************************************************
FileZilla is set on port 223.

*******************************************************************************
Question 77

Examine the exhibit, which shows the output of a web filtering real time debug:

Why is the site www.bing.com being blocked?

A. The web server IP address 204.79.197.200 is categorized by FortiGuard as Malicious Websites

B. The web site www.bing.com is categorized by FortiGuard as Malicious Websites
C. The user has not authenticated with the FortiGate yet
D. The rating for the web site www.bing.com has been locally overridden to a category that is being blocked

Question 78

Which statement about data leak prevention (DLP) on a FortiGate is true?

A. It can archive files and messages

B. Traffic shaping can be applied to DLP sensors
C. It can be applied to a firewall policy in a flow-based VDOM
D. Files can be sent to FortiSandbox for detecting DLP threats
E.

Question 79

When using WPAD DNS method, which FQDN format do browsers use to query the DNS server?

A. srv_proxy.<local-domain>/wpad.dat
B. srv_tcp.wpad.<local-domain>
C. wpad.<local-domain>
D. proxy.<local-domain>.wpad
*******************************************************************************

When using DNS, the most widely supported resolution method, an entry is made in the local authoritative
zone to map the name wpad (such as wpad.example.com) to one or more IP addresses. The browser is
configured to automatically look in the following locations to find the WPAD configuration, which is in
effect a PAC file, as described in PAC policy. ECMP
https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/600_Objects/607_Web-proxy-
global.htm
*******************************************************************************

Question 80
Which statements about HA for FortiGate devices are true? (Choose two)

A. Sessions handled by proxy-based security profiles cannot be synchronized

B. Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs
C. HA management interface settings are synchronized between cluster members
D. Heartbeat interfaces are not required on the primary device

Question 81

Which of the following statements about virtual domains (VDOMs) are true? (Choose two)

A. The root VDOM is the management VDOM by default

B. A FortiGate device has 64 VDOMs, created by default.
C. Each VDOM maintains its own system time.
D. Each VDOM maintains its own routing table

Question 82

Examine this PAC file configuration:

Which of the following statements are true? (Choose two)

A. Browsers can be configured to retrieve this PAC file from the FortiGate.
B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com:
8060.
D. Any web request fortinet.com is allowed to bypass the proxy.

Question 83

Which of the following statements about converse mode are true? (Choose two)

A. FortiGate stops sending files to FortiSandbox for inspection

B. FortiGate stops doing RPF checks over incoming packets
C. Administrators cannot change the configuration
D. Administrators can access the FortiGate only through the console port

Question 84

During the digital verification process, comparing the original and fresh hash results satisfies which security
requirement?

A. Authentication
B. Data integrity
C. Non-repudiation
D. Signature verification
*******************************************************************************

La pregunta dice que compara el original con el resultado (hash fresh), esta es la fase 3 del proceso de
verificacion para determinar la integridad (data integrity).

In the third, and final, part of the verification process, FortiGate compares the fresh hash result to the
original hash result. If the two values are identical, then the integrity of the certificate is confirmed. If the
two hash results are different, then the version of the certificate that FortiGate has is not the same as the
one that the CA signed, and data integrity fails

*******************************************************************************

Question 85

Which statement about the IP authentication header (AH) used by IPsec is true?

A. AH does not provide any data integrity or encryption

B. AH does not support perfect forward secrecy
C. AH provides data integrity but no encryption
D. AH provides strong data integrity but weak encryption

Question 86

Examine the network diagram and the existing FGTI routing table shown in the exhibit, and then answer the
following question:

An administrator has added the following static route on FGTI.

Since the change, the new static route is not showing up in the routing table. Given the information provided,
which of the following describes the cause of this problem?

A. The new route’s destination subnet overlaps an existing route.

 B. The new route’s Distance value should be higher than 10.
C. The Gateway IP address is not in the same subnet as port1.
D. The Priority is 0, which means that this route will remain inactive.

Question 87

What FortiGate components are tested during the hardware test? (Choose three.)

A. Administrative access
B. HA heartbeat
C. CPU
D. Hard disk
E. Network interfaces

Question 88

Which of the following statements describe WMI polling mode for FSSO collector agent? (Choose two)

A. WMI polling can increase bandwidth usage with large networks.

B. The NetSessionEnum function is used to track user logoffs.
C. The collector agent uses a Windows API to query DCs for user logins.
D. The collector agent does not need to search any security event logs.

Question 89

Which statements correctly describe transparent mode operation? (Choose three)

A. All interfaces of the transparent mode FortiGate device must be on different IP subnets.
B. Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
C. The transparent FortiGate is visible to network hosts in an IP traceroute.
D. It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
E. The FortiGate acts as transparent bridge and forwards traffic at Layer-2.

Question 90

Which statements about the firmware upgrade process on an active-active high availability (HA) cluster are true?
(Choose two)

A. The firmware image must be manually uploaded to each FortiGate.

B. Only secondary FortiGate devices are rebooted.
C. Uninterruptable upgrade is enabled by default.
D. Traffic load balancing is temporally disabled while upgrading the firmware.

Question 91

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed
by a third-party CA?

A. The public key of the web server certificate must be installed on the browser.
B. The web-server certificate must be installed on the browser.
C. The CA certificate that signed the web-server certificate must be installed on the browser.
D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.
Question 92

A. Which statement is true regarding the policy ID numbers of firewall policies?

B. Defines the order in which rules are processed.
C. Represent the number of objects used in the firewall policy.
D. Change when firewall policies are re-ordered.
E. Required to modify a firewall policy using the CLI.

Question 93

Which statements regarding the firewall policy authentication timeout is true?

A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from
the user’s source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this
timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from
the user’s source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this
timer has expired.

Question 94

Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple dialup tunnels?

A. In aggressive mode, the remote peers are able to provide their peer IDs in the first message.
B. FortiGate is able to handle NATed connections only in aggressive mode.
C. FortiClient only supports aggressive mode.
D. Main mode does not support XAuth for user authentication.

Question 95

Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires
authorization?

A. It always authorizes the traffic without requiring authentication.

B. It drops the traffic.
C. It authenticates the traffic using the authentication scheme SCHEME2.
D. It authenticates the traffic using the authentication scheme SCHEME1.
Question 96

View the Exhibit.

VDOM1 is operating in transparent mode VDOM2 is operating in NAT Route mode. There is an inteface VDOM link
between both VDOMs. A client workstation with the IP address 10.0.1.10/24 is connected to port2. A web server
with the IP address 10.200.1.2/24 is connected to port1.
What is required in the FortiGate configuration to route and allow connections from the client workstation to the
web server? (Choose two)

A. A static or dynamic route in VDOM2 with the subnet 10.0.1.0/24 as the destination.
B. A static or dynamic route in VDOM1 with the subnet 10.200.1.0/24 as the destination.
C. One firewall policy in VDOM1 with port2 as the source interface and InterVDOM0 as the destination
interface.
D. One firewall policy in VDOM2 with InterVDOM1 as the source interface and port1 as the destination
interface.

Question 97

An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark Port
Forward. What step is required for this configuration?

A. Configure an SSL VPN realm for clients to use the port forward bookmark.
B. Configure the client application to forward IP traffic through FortiClient.
C. Configure the virtual IP address to be assigned t the SSL VPN users.
D. Configure the client application to forward IP traffic to a Java applet proxy

Question 98

View the Exhibit

Which statement about the exhibit is true? (Choose two.)

 A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

B. port-VLAN1 is the native VLAN for the port1 physical interface.

C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

Question 99

Which action can be applied to each filter in the application control profile?

A. Block, monitor, warning, and quarantine

B. Allow, monitor, block and learn

C. Allow, block, authenticate, and warning

D. Allow, monitor, block, and quarantine

Question 100

An administrator is configuring an antivirus profiles on FortiGate and notices that Proxy Options is not listed under
Security Profiles on the GUI. What can cause this issue?

A. FortiGate needs to be switched to NGFW mode.

B. Proxy options section is hidden by default and needs to be enabled from the Feature Visibility menu.

C. Proxy options are no longer available starting in FortiOS 5.6.

D. FortiGate is in flow-based inspection mode.

Question 101

An administrator is configuring an Ipsec between site A and site B. The Remotes Gateway setting in both sites has
been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote
quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site
B?

A. 192.168.3.0/24

B. 192.168.2.0/24

C. 192.168.1.0/24

D. 192.168.0.0/8

Question 102
What settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy
called Full Access? (Choose two.)

A. Enable Event Logging.

B. Enable a web filter security profile on the Full Access firewall policy.

C. Enable Log Allowed Traffic on the Full Access firewall policy.

D. Enable disk logging.

Question 103

View the certificate shown to the exhibit, and then answer the following question:

The CA issued this certificate to which entity?

A. A root CA
B. A person
C. A bridge CA
D. A subordinate CA

Question 104

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based
inspection mode? (Choose two.)

A. Warning

B. Exempt

C. Allow

D. Learn

Question 105
Which of the following statements about central NAT are true? (Choose two.)

A. IP tool references must be removed from existing firewall policies before enabling central NAT.
B. Central NAT can be enabled or disabled from the CLI only.
C. Source NAT, using central NAT, requires at least one central SNAT policy.
D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall policy.

*******************************************************************************
A is correct:
“Must remove VIP and IP pool references from existing policies…”
https://www.coursehero.com/file/29790754/L2-FortiGate-I-04-NATpdf/

B is correct:
Fortigate Study Guide Page 135:
“By default, Central NAT is disabled and can only be enabled on the CLI”.

*******************************************************************************

Question 106

An administrator is investigating a report of users having intermittent issues with browsing the web. The
administrator ran diagnostics and received the output shown in the exhibit.

Examine the diagnostic output shown exhibit. Which of the following options is the most likely cause of this issue?

A. NAT port exhaustion

B. High CPU usage
C. High memory usage
D. High session timeout value

Question 107

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port
disabled? (Choose two)

A. This is known as A subordinate CA.

B. Source IP is translated to the outgoing interface IP.

C. Connections are tracked using source port and source MAC address.
 D. Port address translation is not used.

Question 108

Which of the following features is supported by web filter in flow-based inspection mode with NGFW mode set to
profile-based?

A. FortiGuard Quotas
B. Static URL
C. Search engines
D. Rating option

Question 109

How can you format the FortiGate flash disk?

A. Load a debug FortiOS image.

B. Load the hardware test (HQIP) image.
C. Execute the CLI command execute formatlogdisk.
D. Select the format boot device option from the BIOS menu.

Question 110

An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the
firewall policy Destination field?

A. A VIP group
B. The mapped IP address object of the VIP object
C. A VIP object
D. An IP pool

Question 111

Which statements about antivirus scanning mode are true? (Choose two)

A. In proxy-based inspection mode antivirus buffers the whole file for scarring before sending it to the client.
B. In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use protocol option
profiles.
C. In proxy-based inspection mode, if a virus is detected, a replacement message may not be displayed
immediately.
 D. In quick scan mode, you can configure antivirus profiles to use any of the available signature data bases.

Question 112

When override is enabled, which of the following shows the process and selection criteria that are used to elect
the primary FortiGate in an HA cluster?

A. Connected monitored ports > HA uptime > priority > serial number
B. Priority > Connected monitored ports > HA uptime > serial number
C. Connected monitored ports > priority > HA uptime > serial number
D. HA uptime > priority > Connected monitored ports > serial number

Question 113

Which of the following statements about the FSSO collector agent timers is true?

A. The workstation verify interval is used to periodically check if a workstation is still a domain member.
B. The IP address change verify interval monitors the server IP address where the collector agent is installed,
and updates the collector agent configuration if it changes.
C. The dead entry timeout interval is used to age out entries with an unverified status.
D. The user group cache expiry is used to age out the monitored groups.

*******************************************************************************

Fortigate Infrastructure Study Guide Page 262

*******************************************************************************

Question 114

A team manager has decided that while some members of the team need access to particular website, the
majority of the team does not. Which configuration option is the most effective option to support this request?

A. Implement a web filter category override for the specified website.

B. Implement web filter authentication for the specified website
C. Implement web filter quotas for the specified website.
D. Implement DNS filter for the specified website.

*******************************************************************************

A is the correct answer. B will allow the entire group to override the blocked page and enable the users
more access than is intended. With A the FortiGate administrator can override specific websites and apply
the override rating to a specific user or user group.
Toni the correct answer is ‘A’, with web filter override, you create an authentication scheme, and only
those users that are allowed can authenticate.
*******************************************************************************

Question 115
Examine the following web filtering log.

Which statement about the log message is true?

A. The action for the category Games is set to block.

B. The usage quota for the IP address 10.0.1.10 has expired.
C. The name of the applied web filter profile is default.
D. The web site miniclip.com matches a static URL filter whose action is set to Warning.

Question 116

Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath
(ECMP) routing? (Choose two)

A. Priority
B. Metric
C. Distance
D. Cost

Question 117

In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the
path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?

A. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.
B. Client > secondary FortiGate> web server.
C. Clinet >secondary FortiGate> primary FortiGate> web server.
D. Client> primary FortiGate> secondary FortiGate> web server.

Fortigate Infrastructure Study Guide: Page 308

Question 118

Examine this output from a debug flow.

Why did the FortiGate drop the packet?

A. The next-hop IP address is unreachable.

B. It failed the RPF check.
C. It matched an explicitly configured firewall policy with the action DENY.
D. It matched the default implicit firewall policy.
Question 119

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

A. By default, FortiGate uses WINS servers to resolve names.

B. By default, the SSL VPN portal requires the installation of a client’s certificate.
C. By default, split tunneling is enabled.
D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

*******************************************************************************

C [Refer to https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-sslvpn/SSLVPN_Examples/
Split_Tunnel.htm, where it specifies that Split-tunnelling is enabled by default on FortiGate units.

As for the port, the default is actually 10443 not 443 most of the time. This can be checked by going to any
FortiGate unit’s CLI and typing : “config vpn ssl settings”
and then: “show full-config | grep port 443”

C is more likely to be the answer, and for the future, please provide some decent background to your
feedbacK]

*******************************************************************************

Question 120

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require
inspection?

A. It is allowed, but with no inspection

B. It is allowed and inspected as long as the inspection is flow based
C. It is dropped.
D. It is allowed and inspected, as long as the only inspection required is antivirus.
*******************************************************************************

¿Por qué? Bueno el modo de conservación esta ON y el AV-Failopen está en PASS, eso indica que todo el
tráfico de ser aceptado sin inspeccionar como indica la opción A, pero el detalle es que aparte de estar en
modo conservación excede el extreme threshold y cuando esto pasa que por defecto está en 95% todas las
nuevas sesiones se eliminan (dropped) indistinto de como este configurado el Firewall.

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-security-profiles/
Other_Profile_Considerations/Conserve%20mode.htm?Highlight=conserve%20mode
The FortiOS kernel enters conserve mode when memory use reaches the red threshold (default 88%
memory use). When the red threshold is reached, FortiOS functions that react to conserve mode, such as
the antivirus transparent proxy, apply conserve mode based on configured conserve mode settings. As
well, FortiOS generates conserve mode log messages and SNMP traps and a conserve mode banner
appears on the GUI.

If memory use reaches the extreme threshold (95% memory used), new sessions are “dropped” and red
threshold conserve mode actions continue.

*******************************************************************************

Question 121

Examine this output from a debug flow:

Which statements about the output are correct? (Choose two)

A. FortiGate received a TCP SYN/ACK packet.

B. The source IP address of the packet was translated to 10.0.1.10.
C. FortiGate routed the packet through port 3.
D. The packet was allowed by the firewall policy with the ID 00007fc0.

Question 122

Which is a requirement for creating an inter-VDOM link between two VDOMs?

A. The inspection mode of at least one VDOM must be proxy-based.

B. At least one of the VDOMs must operate in NAT mode.
C. The inspection mode of both VDOMs must match.
D. Both VDOMs must operate in NAT mode.

Question 123

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three)

A. Traffic to inappropriate web sites

B. Traffic to inappropriate web sites
C. Server information disclosure attacks
D. Credit card data leaks
E. SQL injection attacks

Question 124
You are configuring the root FortiGate to implement the security fabric. You are configuring port10 to communicate
with a downstream FortiGate. View the default Edit Interface in the exhibit below:

When configuring the root FortiGate to communicate with a downstream FortiGate, which settings are required to
be configured? (Choose two.)

A. Device detection enabled

B. Administrative Access: FortiTelemetry
C. IP/Network Mask
D. Role: Security Fabric

Question 125
Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address
10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is
configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic
coming from a workstation with the IP address 10.0.1.10/24?

A. 10.200.1.10
B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
C. 10.200.1.1
D. 10.0.1.254

*******************************************************************************

The question says it all. The SNAT will then be A.

Try doing diagnose: #diagnose session sys session list
you will see the SNAT (10.200.1.10), 10.200.1.1 is just the egress IP.

I would say that A is correct. From: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-

firewall-52/Firewall%20Objects/Virtual%20IPs.htm
Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated
to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port
forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address
configured as the External Address in the VIP settings.
In our case, the policy where VIP si present it doaes not have NAT enabled and it the port forward is
checked.

*******************************************************************************

Question 126

Examine this network diagram:

Examine this explicit web proxy configuration:

What filter can be used used in the command diagnose sniffer packet to capture the traffic between the client and
the explicit web proxy?

A. “host 192.168.0.1 and port 80”

B. “host 10.0.0.50 and port 80”
C. “host 192.168.0.2 and port 8080”
D. “host 10.0.0.50 and port 8080”
Question 127

Examine the network diagram shown in the exhibit, and then answer the following question:

A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and
port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes
will satisfy this requirement on FGT1? (Choose two)

A. 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]

B. 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]
C. 172.20.2.0/24 (1/150) via 10.10.3.2, port3 [10/0]
D. 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]

*******************************************************************************

https://vceguide.com/which-of-the-following-static-routes-will-satisfy-this-requirement-on-fgt1/

*******************************************************************************

Question 128

Which two statements about antivirus scanning mode are true? (Choose two.)

A. In proxy-based inspection mode, files bigger than the buffer size are scanned
B. In full scan flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the
client
C. In quick scan mode, you can configure antivirus profiles to use any of the available antivirus signature
databases
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to
the client

Question 129

Examine the FortiGate configuration:

What will happen to unauthenticated users when an active authentication policy is followed by a fall though
policy without authentication?

A. User authentication happens at an interface level

B. The user will be denied access to resources without authentication
C. The user must log in again to authenticate
D. The user will not be prompted for authentication

Question 130

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all
FortiGate derives?

A. Customer VDOM
B. FG-traffic VDOM
C. Global VDOM
D. Root VDOM

Question 131

Which two actions are valid for a FortiGuard category-based filter, in a web filter profile for a firewall policy in
proxy-based inspection mode? (choose two)

A. Learn
B. Exempt
C. Allow
D. Warning

Question 132

To complete the final step of a Security Fabric configuration, an administrator must authorize all the derives on
which derive?

A. For Manager
B. Root FortiGate
C. Fort Analyzer
D. Downstream FortiGate

Question 133

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

A. Subject Key Identifier value

B. SMMIE Capabilities values
C. Subject value
D. Subject Alternative Name value

https://vceguide.com/which-of-the-following-statements-correctly-describes-fortigates-route-lookup-behavior-
when-searching-for-a-suitable-gateway/