Q1. - (Topic 3) 

A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of 10.0.1.1, but gets no connectivity. 

The following troubleshooting commands are executed from the CLI: 

user1 # get system interface 

== [ internal ] 

namE. internal modE. static ip: 10.0.1.254 255.255.255.128 status: up 

netbios-forwarD. disable typE. physical mtu-overridE. disable 

== [ vlan1 ] 

namE. vlan1 modE. static ip: 10.0.1.1 255.255.255.128 status: up netb 

ios-forwarD. disable typE. vlan mtu-overridE. disable 

user1 # get router info routing-table all 

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP 

O - OSPF, IA - OSPF inter area 

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 

E1 - OSPF external type 1, E2 - OSPF external type 2 

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area 

* - candidate default 

S 10.0.0.0/8 [10/0] is a summary, Null 

C 10.0.1.0/25 is directly connected, vlan1 

C 10.0.1.128/25 is directly connected, internal 

user1 # diagnose debug flow trace start 100 

user1 # diagnose debug ena 

user1 # diagnose debug flow filter daddr 10.0.1.1 10.0.1.1 

id=20085 trace_id=277 msg="vd-root received a packet(proto=6, 10.0.1.130 

:47922->10.0.1.1:443) from internal." 

id=20085 trace_id=277 msg="allocate a new session-00000b21" 

id=20085 trace_id=277 msg="iprope_in_check() check failed, drop" 

Based on the output from these commands, which of the following is a possible cause of the problem? 

A. The FortiGate unit has no route back to the PC. 

B. The PC has an IP address in the wrong subnet. 

C. The PC is using an incorrect default gateway IP address. 

D. There is no firewall policy allowing traffic from INTERNAL -> VLAN1. 

View Answer

Q2. - (Topic 1) 

The Idle Timeout setting on a FortiGate unit applies to which of the following? 

A. Web browsing 

B. FTP connections 

C. User authentication 

D. Administrator access 

E. Web filtering overrides. 

View Answer

Q3. - (Topic 3) 

An administrator wishes to generate a report showing Top Traffic by service type. They notice that web traffic overwhelms the pie chart and want to exclude the web traffic from the report. 

Which of the following statements best describes how to do this? 

A. In the Service field of the Data Filter, type 80/tcp and select the NOT checkbox. 

B. Add the following entry to the Generic Field section of the Data Filter: service="!web". 

C. When editing the chart, uncheck wlog to indicate that Web Filtering data is being excluded when generating the chart. 

D. When editing the chart, enter 'http' in the Exclude Service field. 

View Answer

Q4. - (Topic 2) 

Examine the two static routes to the same destination subnet 172.20.168.0/24 as shown below; then answer the question following it. 

config router static 

edit 1 

set dst 172.20.168.0 255.255.255.0 

set distance 20 

set priority 10 

set device port1 

next 

edit 2 

set dst 172.20.168.0 255.255.255.0 

set distance 20 

set priority 20 

set device port2 

next 

end 

Which of the following statements correctly describes the static routing configuration provided above? 

A. The FortiGate unit will evenly share the traffic to 172.20.168.0/24 through both routes. 

B. The FortiGate unit will share the traffic to 172.20.168.0/24 through both routes, but the port2 route will carry approximately twice as much of the traffic. 

C. The FortiGate unit will send all the traffic to 172.20.168.0/24 through port1. 

D. Only the route that is using port1 will show up in the routing table. 

View Answer

Q5. - (Topic 1) 

Which of the following products can be installed on a computer running Windows XP to provide personal firewall protection, antivirus protection, web and mail filtering, spam filtering, and VPN functionality? 

A. FortiGate 

B. FortiAnalyzer 

C. FortiClient 

D. FortiManager 

E. FortiReporter 

View Answer

Q6. - (Topic 3) 

Which of the following items is NOT a packet characteristic matched by a firewall service object? 

A. ICMP type and code 

B. TCP/UDP source and destination ports 

C. IP protocol number 

D. TCP sequence number 

View Answer

Q7. - (Topic 1) 

Which part of an email message exchange is NOT inspected by the POP3 and IMAP proxies? 

A. TCP connection 

B. File attachments 

C. Message headers 

D. Message body 

View Answer

Q8. - (Topic 3) 

Which of the following is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying the FortiGate unit? 

A. Packet encryption 

B. MIB-based report uploads 

C. SNMP access limits through access lists 

D. Running SNMP service on a non-standard port is possible 

View Answer

Q9. - (Topic 1) 

Which of the following antivirus and attack definition update options are supported by FortiGate units? (Select all that apply.) 

A. Manual update by downloading the signatures from the support site. 

B. Pull updates from the FortiGate device 

C. Push updates from the FortiGuard Distribution Network. 

D. ”update-AV/AS” command from the CLI 

View Answer

Q10. - (Topic 2) 

Which of the following represents the correct order of criteria used for the selection of a Master unit within a FortiGate High Availability (HA) cluster when master override is disabled? 

A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number 

B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number 

C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number 

D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number 

View Answer