Q1. - (Topic 11) 

In the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate operating in NAT/Route mode, when searching for a suitable gateway? 

A. A lookup is done only when the first packet coming from the client (SYN) arrives. 

B. A lookup is done when the first packet coming from the client (SYN) arrives, and a second one is performed when the first packet coming from the server (SYN/ACK) arrives. 

C. Three lookups are done during the TCP 3-way handshake (SYN, SYN/ACK, ACK). 

D. A lookup is always done each time a packet arrives, from either the server or the client side. 

View Answer

Q2. - (Topic 14) 

Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled? 

A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number. 

B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number. 

C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number. 

D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number. 

View Answer

Q3. - (Topic 21) 

What functions can the IPv6 Neighbor Discovery protocol accomplish? (Choose two.) 

A. Negotiate the encryption parameters to use. 

B. Auto-adjust the MTU setting. 

C. Autoconfigure addresses and prefixes. 

D. Determine other nodes reachability. 

View Answer

Q4. - (Topic 3) 

Examine the following CLI configuration: config system session-ttl set default 1800 end What statement is true about the effect of the above configuration line? 

A. Sessions can be idle for no more than 1800 seconds. 

B. The maximum length of time a session can be open is 1800 seconds. 

C. After 1800 seconds, the end user must re-authenticate. 

D. After a session has been open for 1800 seconds, the FortiGate sends a keepalive packet to both client and server. 

View Answer

Q5. - (Topic 1) 

What capabilities can a FortiGate provide? (Choose three.) 

A. Mail relay. 

B. Email filtering. 

C. Firewall. 

D. VPN gateway. 

E. Mail server. 

View Answer

Q6. - (Topic 1) 

Which statements are true regarding the factory default configuration? (Choose three.) 

A. The default web filtering profile is applied to the first firewall policy. 

B. The ‘Port1’ or ‘Internal’ interface has the IP address 192.168.1.99. 

C. The implicit firewall policy action is ACCEPT. 

D. The ‘Port1’ or ‘Internal’ interface has a DHCP server set up and enabled (on device models that support DHCP servers). 

E. Default login uses the username: admin (all lowercase) and no password. 

View Answer

Q7. - (Topic 10) 

Which statements are true regarding traffic shaping that is applied in an application sensor, and associated with a firewall policy? (Choose two.) 

A. Shared traffic shaping cannot be used. 

B. Only traffic matching the application control signature is shaped. 

C. Can limit the bandwidth usage of heavy traffic applications. 

D. Per-IP traffic shaping cannot be used. 

View Answer

Q8. - (Topic 22) 

Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor? 

A. No protection profile can be applied over the IPsec traffic. 

B. Phase-2 anti-replay must be disabled. 

C. Both the phase 1 and phases 2 must use encryption algorithms supported by the NP6. 

D. IPsec traffic must not be inspected by any FortiGate session helper. 

View Answer

Q9. - (Topic 6) 

Which IPsec configuration mode can be used for implementing GRE-over-IPsec VPNs?. 

A. Policy-based only. 

B. Route-based only. 

C. Either policy-based or route-based VPN. 

D. GRE-based only. 

View Answer

Q10. - (Topic 19) 

Data leak prevention archiving gives the ability to store files and message data onto a 

FortiAnalyzer unit for which of the following types of network traffic? (Choose three.) 

A. POP3 

B. SNMP 

C. IPsec 

D. SMTP 

E. HTTP 

View Answer