NSE4_FGT-7.0 Exam Questions - Online Test


Online NSE4_FGT-7.0 free questions and answers of New Version:

NEW QUESTION 1

Examine this FortiGate configuration:
NSE4_FGT-7.0 dumps exhibit
How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

  • A. It always authorizes the traffic without requiring authentication.
  • B. It drops the traffic.
  • C. It authenticates the traffic using the authentication scheme SCHEME2.
  • D. It authenticates the traffic using the authentication scheme SCHEME1.

Answer: D

Explanation:
“What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”

NEW QUESTION 2

Which two statements are true about the RPF check? (Choose two.)

  • A. The RPF check is run on the first sent packet of any new session.
  • B. The RPF check is run on the first reply packet of any new session.
  • C. The RPF check is run on the first sent and reply packet of any new session.
  • D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Answer: AD

Explanation:
Reference: https://www.programmersought.com/article/16383871634/

NEW QUESTION 3

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

  • A. Implement a web filter category override for the specified website.
  • B. Implement a DNS filter for the specified website.
  • C. Implement web filter quotas for the specified website.
  • D. Implement web filter authentication for the specified website.

Answer: D

NEW QUESTION 4

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

  • A. Add the support of NTLM authentication.
  • B. Add user accounts to Active Directory (AD).
  • C. Add user accounts to the FortiGate group filter.
  • D. Add user accounts to the Ignore User List.

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828

NEW QUESTION 5

Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

  • A. hard-timeout
  • B. auth-on-demand
  • C. soft-timeout
  • D. new-session
  • E. idle-timeout

Answer: ADE

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

NEW QUESTION 6

Refer to the exhibit to view the application control profile.
NSE4_FGT-7.0 dumps exhibit
Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

  • A. Apple FaceTime belongs to the custom monitored filter.
  • B. The category of Apple FaceTime is being monitored.
  • C. Apple FaceTime belongs to the custom blocked filter.
  • D. The category of Apple FaceTime is being blocked.

Answer: C

NEW QUESTION 7

Refer to the exhibit, which contains a session diagnostic output.
NSE4_FGT-7.0 dumps exhibit
Which statement is true about the session diagnostic output?

  • A. The session is in SYN_SENT state.
  • B. The session is in FIN_ACK state.
  • C. The session is in FIN_WAIT state.
  • D. The session is in ESTABLISHED state.

Answer: A

Explanation:
The output indicates a TCP (proto=6) session in SYN_SENT state (proto_state=2).
Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NEW QUESTION 8

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

  • A. The browser requires a software update.
  • B. FortiGate does not support full SSL inspection when web filtering is enabled.
  • C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
  • D. There are network connectivity issues.

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41394

NEW QUESTION 9

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

  • A. Full Content inspection
  • B. Proxy-based inspection
  • C. Certificate inspection
  • D. Flow-based inspection

Answer: D

NEW QUESTION 10

Refer to the exhibit, which contains a network diagram and routing table output.
NSE4_FGT-7.0 dumps exhibit
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

  • A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
  • D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Answer: D

NEW QUESTION 11

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

  • A. Denial of Service
  • B. Web application firewall
  • C. Antivirus
  • D. Application control

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortiweb/6.3.3/administration-guide/60895/introduction

NEW QUESTION 12

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

  • A. The interface has been configured for one-arm sniffer.
  • B. The interface is a member of a virtual wire pair.
  • C. The operation mode is transparent.
  • D. The interface is a member of a zone.
  • E. Captive portal is enabled in the interface.

Answer: ABC

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

NEW QUESTION 13

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

  • A. The strict RPF check is run on the first sent and reply packet of any new session.
  • B. Strict RPF checks the best route back to the source using the incoming interface.
  • C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
  • D. Strict RPF allows packets back to sources with all active routes.

Answer: B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

NEW QUESTION 14

In which two ways can RPF checking be disabled? (Choose two.)

  • A. Enable anti-replay in firewall policy.
  • B. Disable the RPF check at the FortiGate interface level for the source check.
  • C. Enable asymmetric routing.
  • D. Disable strict-src-check under system settings.

Answer: CD

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

NEW QUESTION 15

Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
NSE4_FGT-7.0 dumps exhibit
NSE4_FGT-7.0 dumps exhibit
An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

  • A. The IPS filter is missing the Protocol: HTTPS option.
  • B. The HTTPS signatures have not been added to the sensor.
  • C. A DoS policy should be used, instead of an IPS sensor.
  • D. A DoS policy should be used, instead of an IPS sensor.
  • E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW QUESTION 16

Which two statements are true about collector agent standard access mode? (Choose two.)

  • A. Standard mode uses Windows convention-NetBios: Domain\Username.
  • B. Standard mode security profiles apply to organizational units (OU).
  • C. Standard mode security profiles apply to user groups.
  • D. Standard access mode supports nested groups.

Answer: AC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso
