NEW QUESTION 1
Which two conditions must be met for a statistic route to be active in the routing table? (Choose two.)

• A. The link health monitor (if configured) is up.
• B. There is no other route, to the same destination, with a higher distance.
• C. The outgoing interface is up.
• D. The next-hop IP address is up.

Answer: AC

NEW QUESTION 2
What is the purpose of an internal segmentation firewall (ISFW)?

• A. It inspects incoming traffic to protect services in the corporate DMZ.
• B. It is the first line of defense at the network perimeter.
• C. It splits the network into multiple security segments to minimize the impact of breaches.
• D. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Answer: C

Explanation:
ISFW splits your network into multiple security segments. They serve as a breach containers from attacks that come from inside.

NEW QUESTION 3
An administrator cannot connect to the GIU of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

• A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.
• B. Redirection of HTTP to HTTPS administrative access is disabled.
• C. HTTP administrative access is configured with a port number different than 80.
• D. The packet is denied because of reverse path forwarding check.

Answer: AC

NEW QUESTION 4
View the exhibit, which contains the output of diagnose sys session list, and then answer the question below.

If the HA ID for the primary unit is zero (0), which statement is correct regarding the output?

• A. This session is for HA heartbeat traffic.
• B. This session is synced with the slave unit.
• C. The inspection of this session has been offloaded to the slave unit.
• D. This session cannot be synced with the slave unit.

Answer: B

NEW QUESTION 5
View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

• A. For the peer 10.125.0.60, the BGP state of is Established.
• B. The local BGP peer has received a total of three BGP prefixes.
• C. Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.
• D. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.

Answer: AD

NEW QUESTION 6
View the exhibit, which contains the output of a diagnose command, and the answer the question below.

Which statements are true regarding the Weight value?

• A. Its initial value is calculated based on the round trip delay (RTT).
• B. Its initial value is statically set to 10.
• C. Its value is incremented with each packet lost.
• D. It determines which FortiGuard server is used for license validation.

Answer: C

NEW QUESTION 7
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.

Which statement can explain why the state of the remote BGP peer 10.200.3.1 is Connect?

• A. The local peer is receiving the BGP keepalives from the remote peer but it has not received any BGP prefix yet.
• B. The TCP session for the BGP connection to 10.200.3.1 is down.
• C. The local peer has received the BGP prefixed from the remote peer.
• D. The local peer is receiving the BGP keepalives from the remote peer but it has not received the OpenConfirm yet.

Answer: B

Explanation:
http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

NEW QUESTION 8
View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

• A. FortiGate will exempt the connection based on the Web Content Filter configuration.
• B. FortiGate will block the connection based on the URL Filter configuration.
• C. FortiGate will allow the connection based on the FortiGuard category based filter configuration.
• D. FortiGate will block the connection as an invalid URL.

Answer: B

Explanation:
fortigate does it in order Static URL -> FortiGuard – > Content -> Advanced (java, cookie removal..)so block it in first step

NEW QUESTION 9
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

• A. Neighbor range
• B. Route reflector
• C. Next-hop-self
• D. Neighbor group

Answer: B

Explanation:
Route reflectors help to reduce the number of IBGP sessions inside an AS. A route reflector forwards the routers learned from one peer to the other peers. If you configure route reflectors, you dont’ need to create a full mesh IBGP network. All clients in a cluster only talck to route reflector to get sync routing updates. Route reflectors pass the routing updates to other route reflectors and border routers within the AS.

NEW QUESTION 10
The CLI command set intelligent-mode <enable | disable> controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

• A. Determines the optimal number of IPS engines required based on system load.
• B. Downloads signatures on demand from FDS based on scanning requirements.
• C. Determines when it is secure enough to stop scanning session traffic.
• D. Choose a matching algorithm based on available memory and the type of inspection being performed.

Answer: C

Explanation:
Configuring IPS intelligenceStarting with FortiOS 5.2, intelligent-mode is a new adaptive detection method. This command is enabled the default and it means that the IPS engine will perform adaptive scanning so that, for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU or kernel. It is a balanced method which could cover all known exploits. When disabled, the IPS engine scans every single byte. config ips globalset intelligent-mode {enable|disable}end

NEW QUESTION 11
Which two statements about FortiManager is true when it is deployed as a local FDS? (Choose two.)

• A. It caches available firmware updates for unmanaged devices.
• B. It can be configured as an update server, or a rating server, but not both.
• C. It supports rating requests from both managed and unmanaged devices.
• D. It provides VM license validation services.

Answer: AD

NEW QUESTION 12
What conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

• A. IP addresses are in the same subnet.
• B. Hello and dead intervals match.
• C. OSPF IP MTUs match.
• D. OSPF peer IDs match.
• E. OSPF costs match.

Answer: ABC

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_OSPF/OSPF_Bac

NEW QUESTION 13
An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.

Based on the output in the exhibit, what can cause this authentication problem?

• A. User student is not found in the LDAP server.
• B. User student is using a wrong password.
• C. The FortiGate has been configured with the wrong password for the LDAP administrator.
• D. The FortiGate has been configured with the wrong authentication schema.

Answer: A

NEW QUESTION 14
Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

• A. Preview pending configuration changes for managed devices.
• B. Add devices to FortiManager.
• C. Import policy packages from managed devices.
• D. Install configuration changes to managed devices.
• E. Import interface mappings from managed devices.

Answer: AD

Explanation:
https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device%20Manager/1200_ins
There are 4 main wizards:Add Device: is used to add devices to central management and import their configurations.
Install: is used to install configuration changes from Device Manager or Policies & Objects to the managed devices. It allows you to preview the changes and, if the administrator doesn’t agree with the changes, cancel and modify them.
Import policy: is used to import interface mapping, policy database, and objects associated with the managed devices into a policy package under the Policy & Object tab. It runs with the Add Device wizard by default and may be run at any time from the managed device list.
Re-install policy: is used to perform a quick install of the policy package. It doesn’t give the ability to preview the changes that will be installed to the managed device.

NEW QUESTION 15
Examine the following partial output from a sniffer command; then answer the question below.

What is the meaning of the packets dropped counter at the end of the sniffer?

• A. Number of packets that didn’t match the sniffer filter.
• B. Number of total packets dropped by the FortiGate.
• C. Number of packets that matched the sniffer filter and were dropped by the FortiGate.
• D. Number of packets that matched the sniffer filter but could not be captured by the sniffer.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=11655

NEW QUESTION 16
View the exhibit, which contains the output of a debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

• A. In the network on port4, two OSPF routers are down.
• B. Port4 is connected to the OSPF backbone area.
• C. The local FortiGate’s OSPF router ID is 0.0.0.4
• D. The local FortiGate has been elected as the OSPF backup designated router.

Answer: BC

NEW QUESTION 17
An administrator has enabled HA session synchronization in a HA cluster with two members. Which flag is added to a primary unit’s session to indicate that it has been synchronized to the secondary unit?

• A. redir.
• B. dirty.
• C. synced
• D. nds.

Answer: C

Explanation:
The synced sessions have the ‘synced’ flag. The command ‘diag sys session list’ can be used to see the sessions on the member, with the associated flags.

NEW QUESTION 18
......