NEW QUESTION 1

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

• A. NGFW policy-based mode does not require the use of central source NAT policy
• B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
• C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
• D. NGFW policy-based mode policies support only flow inspection

Answer: CD

NEW QUESTION 2

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

• A. Root VDOM
• B. FG-traffic VDOM
• C. Customer VDOM
• D. Global VDOM

Answer: A

NEW QUESTION 3

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

• A. FortiGate SN FGVM010000065036 HA uptime has been reset.
• B. FortiGate devices are not in sync because one device is down.
• C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
• D. FortiGate SN FGVM010000064692 has the higher HA priority.

Answer: AD

Explanation:
* 1. Override is disable by default - OK
* 2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary" The question here is : HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes) Page 314 Infra Study Guide.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab

NEW QUESTION 4

A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

• A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
• B. The two VLAN sub interfaces must have different VLAN IDs.
• C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
• D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

Answer: B

Explanation:
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf –> page 147
“Multiple VLANs can coexist in the same physical interface, provide they have different VLAN ID”

NEW QUESTION 5

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

• A. This is known as many-to-one NAT.
• B. Source IP is translated to the outgoing interface IP.
• C. Connections are tracked using source port and source MAC address.
• D. Port address translation is not used.

Answer: BD

NEW QUESTION 6

What is the primary FortiGate election process when the HA override setting is disabled?

• A. Connected monitored ports > System uptime > Priority > FortiGate Serial number
• B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
• C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
• D. Connected monitored ports > Priority > System uptime > FortiGate Serial number

Answer: B

Explanation:
Reference: http://myitmicroblog.blogspot.com/2018/11/what-should-you-know-about-ha-override.html

NEW QUESTION 7

View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

• A. Addicting.Games is allowed based on the Application Overrides configuration.
• B. Addicting.Games is blocked on the Filter Overrides configuration.
• C. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt.
• D. Addcting.Games is allowed based on the Categories configuration.

Answer: A

NEW QUESTION 8

Refer to the exhibit.



The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

• A. Disable match-vip in the Deny policy.
• B. Set the Destination address as Deny_IP in the Allow-access policy.
• C. Enable match vip in the Deny policy.
• D. Set the Destination address as Web_server in the Deny policy.

Answer: CD

NEW QUESTION 9

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?

• A. IP address
• B. Once Internet Service is selected, no other object can be added
• C. User or User Group
• D. FQDN address

Answer: B

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy

NEW QUESTION 10

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

• A. Web filter in flow-based inspection
• B. Antivirus in flow-based inspection
• C. DNS filter
• D. Web application firewall
• E. Application control

Answer: ABE

NEW QUESTION 11

Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

• A. It is allowed, but with no inspection
• B. It is allowed and inspected as long as the inspection is flow based
• C. It is dropped.
• D. It is allowed and inspected, as long as the only inspection required is antivirus.

Answer: C

NEW QUESTION 12

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

• A. To detect intermediary NAT devices in the tunnel path.
• B. To dynamically change phase 1 negotiation mode aggressive mode.
• C. To encapsulation ESP packets in UDP packets using port 4500.
• D. To force a new DH exchange with each phase 2 rekey.

Answer: AC

NEW QUESTION 13

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

• A. System event logs
• B. Forward traffic logs
• C. Local traffic logs
• D. Security logs

Answer: C

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/476970

NEW QUESTION 14

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

• A. It limits the scope of application control to the browser-based technology category only.
• B. It limits the scope of application control to scan application traffic based on application category only.
• C. It limits the scope of application control to scan application traffic using parent signatures only
• D. It limits the scope of application control to scan application traffic on DNS protocol only.

Answer: B

NEW QUESTION 15

Which of the following statements about central NAT are true? (Choose two.)

• A. IP tool references must be removed from existing firewall policies before enabling central NAT.
• B. Central NAT can be enabled or disabled from the CLI only.
• C. Source NAT, using central NAT, requires at least one central SNAT policy.
• D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Answer: AB

NEW QUESTION 16

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

• A. IPS engine handles the process as a standalone.
• B. FortiGate buffers the whole file but transmits to the client simultaneously.
• C. If the virus is detected, the last packet is delivered to the client.
• D. Optimized performance compared to proxy-based inspection.
• E. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

Answer: BDE

Explanation:
Reference: https://forum.fortinet.com/tm.aspx?m=192309

NEW QUESTION 17
......