NSE4_FGT-6.0 Exam Questions - Online Test
Check NSE4_FGT-6.0 free dumps before getting the full version:
NEW QUESTION 1
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
- A. Traffic to botnet servers
- B. Traffic to inappropriate web sites
- C. Server information disclosure attacks
- D. Credit card data leaks
- E. SQL injection attacks
Answer: ACE
NEW QUESTION 2
A team manager has decided that while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?
- A. Implement a web filter category override for the specified website.
- B. Implement web filter authentication for the specified website.
- C. Implement web filter quotas for the specified website.
- D. Implement DNS filter for the specified website.
Answer: A
NEW QUESTION 3
An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best practices to do so? (Choose three.)
- A. Configure split tunneling for content inspection.
- B. Configure host restrictions by IP or MAC address.
- C. Configure two-factor authentication using security certificates.
- D. Configure SSL offloading to a content processor (FortiASIC).
- E. Configure a client integrity check (host-check).
Answer: CDE
NEW QUESTION 4
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?
- A. To remove the NAT operation.
- B. To generate logs.
- C. To finish any inspection operations.
- D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.
Answer: D
NEW QUESTION 5
Which statements about DNS filter profiles are true? (Choose two.)
- A. They can inspect HTTP traffic.
- B. They can redirect blocked requests to a specific portal.
- C. They can block DNS requests to known botnet command and control servers.
- D. They must be applied in firewall policies with SSL inspection enabled.
Answer: CD
NEW QUESTION 6
An administrator wants to create a policy-based IPsec VPN tunnel between two FortiGate devices. Which configuration steps must be performed on both devices to support this scenario? (Choose three.)
- A. Define the phase 1 parameters, without enabling IPsec interface mode.
- B. Define the phase 2 parameters.
- C. Set the phase 2 encapsulation method to transport mode.
- D. Define at least one firewall policy, with the action set to IPsec.
- E. Define a route to the remote network over the IPsec tunnel.
Answer: CDE
NEW QUESTION 7
View the exhibit.
Based on this output, which statements are correct? (Choose two.)
- A. The all VDOM is not synchronized between the primary and secondary FortiGate devices.
- B. The root VDOM is not synchronized between the primary and secondary FortiGate devices.
- C. The global configuration is synchronized between the primary and secondary FortiGate devices.
- D. The FortiGate devices have three VDOMs.
Answer: CD
NEW QUESTION 8
Which statements about HA for FortiGate devices are true? (Choose two.)
- A. Sessions handled by proxy-based security profiles cannot be synchronized.
- B. Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs.
- C. HA management interface settings are synchronized between cluster members.
- D. Heartbeat interfaces are not required on the primary device.
Answer: BC
NEW QUESTION 9
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?
- A. Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server.
- B. Client > secondary FortiGate > web server.
- C. Client > secondary FortiGate > primary FortiGate > web server.
- D. Client > primary FortiGate > secondary FortiGate > web server.
Answer: D
NEW QUESTION 10
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
- A. The next-hop IP address is unreachable.
- B. It failed the RPF check.
- C. It matched an explicitly configured firewall policy with the action DENY.
- D. It matched the default implicit firewall policy.
Answer: D
NEW QUESTION 11
Examine the routing database shown in the exhibit, and then answer the following question:
Which of the following statements are correct? (Choose two.)
- A. The port3 default route has the highest distance.
- B. The port3 default route has the lowest metric.
- C. There will be eight routes active in the routing table.
- D. The port1 and port2 default routes are active in the routing table.
Answer: AD
NEW QUESTION 12
Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
- A. Browsers can be configured to retrieve this PAC file from the FortiGate.
- B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
- C. All requests not made to fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
- D. Any web request to fortinet.com is allowed to bypass the proxy.
Answer: AD
NEW QUESTION 13
Which of the following statements about virtual domains (VDOMs) are true? (Choose two.)
- A. The root VDOM is the management VDOM by default.
- B. A FortiGate device has 64 VDOMs, created by default.
- C. Each VDOM maintains its own system time.
- D. Each VDOM maintains its own routing table.
Answer: AD
NEW QUESTION 14
Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)
- A. If the DHCP method fails, browsers will try the DNS method.
- B. The browser needs to be preconfigured with the DHCP server’s IP address.
- C. The browser sends a DHCPINFORM request to the DHCP server.
- D. The DHCP server provides the PAC file for download.
Answer: AC
NEW QUESTION 15
Which of the following are valid actions for a FortiGuard category-based filter in a web filter profile in proxy-based inspection mode? (Choose two.)
- A. Warning
- B. Exempt
- C. Allow
- D. Learn
Answer: AC
NEW QUESTION 16
What FortiGate components are tested during the hardware test? (Choose three.)
- A. Administrative access
- B. HA heartbeat
- C. CPU
- D. Hard disk
- E. Network interfaces
Answer: CDE
NEW QUESTION 17
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
- A. A CRL
- B. A person
- C. A subordinate CA
- D. A root CA
Answer: D
NEW QUESTION 18
What FortiGate configuration is required to actively prompt users for credentials?
- A. You must enable one or more protocols that support active authentication on a firewall policy.
- B. You must position the firewall policy for active authentication before a firewall policy for passive authentication.
- C. You must assign users to a group for active authentication.
- D. You must enable the Authentication setting on the firewall policy.
Answer: C
NEW QUESTION 19
Which statements correctly describe transparent mode operation? (Choose three.)
- A. All interfaces of the transparent mode FortiGate device must be on different IP subnets.
- B. Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
- C. The transparent FortiGate is visible to network hosts in an IP traceroute.
- D. It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
- E. FortiGate acts as a transparent bridge and forwards traffic at Layer 2.
Answer: BDE
NEW QUESTION 20
By default, when logging to disk, when does FortiGate delete logs?
- A. 30 days
- B. 1 year
- C. Never
- D. 7 days
Answer: D
NEW QUESTION 21
Which one of the following processes is involved in updating IPS from FortiGuard?
- A. FortiGate IPS update requests are sent using UDP port 443.
- B. Protocol decoder update requests are sent to service.fortiguard.net.
- C. IPS signature update requests are sent to update.fortiguard.net.
- D. IPS engine updates can only be obtained using push updates.
Answer: C
NEW QUESTION 22
Which statement about FortiGuard services for FortiGate is true?
- A. The web filtering database is downloaded locally on FortiGate.
- B. Antivirus signatures are downloaded locally on FortiGate.
- C. FortiGate downloads IPS updates using UDP port 53 or 8888.
- D. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates.
Answer: B
NEW QUESTION 23
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
- A. The interface has been configured for one-arm sniffer.
- B. The interface is a member of a virtual wire pair.
- C. The operation mode is transparent.
- D. The interface is a member of a zone.
- E. Captive portal is enabled in the interface.
Answer: ABC