NEW QUESTION 1
You must create a high Availability deployment with two FortiWebs in Amazon Services (AWS): each on different Availability Zones(AZ) from the same region. At the same time, each FortiWeb should be able to deliver content from the Web server of both of the AZs. Which deployment would will this requirement?

• A. Configure the FortiWebs Active-Active Ha mode and use AWS Router 53 load Router balance the internal Web servers.
• B. Configure the FortiWebs in Active-Active HA mode and use AWS Elastic load Balancer (ELB) for the internal Web servers.
• C. Use AWS Router 53 to load balance FortiWebs in standone mode and use AWS Virtual private Cloud (VPC) peering to load balance the internal Web servers.
• D. Use AWS Elastic load Balancer (ELB) for both FortiWebs in standdone mode and the internal Webservers in an ELB sandwic

Answer: C

NEW QUESTION 2
Exhibit

Your company has two data center (DC) connected using a Layer 3 network. Service in farm A need to connect to server in farm B as though they all were in the same Layer 2 segment.

• A. Create an IPsec tunnel with transport mode encapsulation.
• B. Create an IPsec tunnel with Mode encapsulation.
• C. Create an IPsec tunnel with VXLAN encapsulation.
• D. Create an IPsec tunnel with VLAN encapsulatio

Answer: A

NEW QUESTION 3
An organization has one central site And three remote sites. A FotiSIEM has been drafted on the central site and now all devices across the remote sites need to be monitored by the FortiSlEM.
When action would reduce the WAN usage by the monitoring system?

• A. Deploy a single Supervisor on the central site and enable WAN optimize on the WAN gateways.
• B. Install local Collection remote site.
• C. Disable monitoring on the remote sites during the day.
• D. install a Supervisor and a Collector for each remote sit

Answer: C

NEW QUESTION 4
You have deployed a FortiGate In NAT/Route mode as a secure as a web gateway with a few P-base authentication firewall policies. Your customer reports that some users now have different browsing permission =s from what is expected. All these users are browsing using internet Explorer through Desktop Connection to a Terminal Server. When you took at the Fortigate logs the username for the Terminal Server IP is not consistent.
Which action will correct this problem?

• A. Make sure Terminal Service is using the correct DNS ever.
• B. Configure FSSO Advanced with LDAP integration
• C. Change the FSSO polling mode to windows NetAPI
• D. Install the TSCitrix on the terminal server

Answer: C

NEW QUESTION 5
Exhibit

Referring to the exhibit, what will happen if FortiSandbox categorizes an e-mail attachment submitted by FortiMarf as a high risk?

• A. The high-risk file will be discarded by attachment analysis.
• B. The high-risk tile will go to the system quarantine.
• C. The high-risk file will be received by the recipient.
• D. The high-risk file will be discarded by malware/virus outbreak protectio

Answer: C

NEW QUESTION 6
Exhibit

Your organization has a FortrGate cluster that is connected to two independent ISPs. You must configure the FortiGate failover for a single ISP failure to occur without disruption.
Referring to the exhibit, which two FortiGate BGP features would be used to accomplish this task' (Choose two.)

• A. Enable BFD
• B. Enable EBGP multipath
• C. Enable graceful restart
• D. Enable synchronization

Answer: BC

NEW QUESTION 7
Your client wants to use a central RADIUS server for management authentication when connecting to the FortiGate GUL and provide different levels of access for different types of employees.
Which three actions required providing the requested functionality? (Choose three.)

• A. Enable radius-vdom-override in the CLI.
• B. Create a wildcard administrator on the FortGate
• C. Enable occprofile-override in the CLI.
• D. Set the RADIUS authencation type to MS-CHApV2.
• E. Create multiple administrator profiles with matching RADIUS VSA

Answer: CDE

NEW QUESTION 8
Exhibit

You have configured an HA cluster with Two FortiGates You want to make sore that you are able to manage the individual duster members using ports3.
Referring to the exhibit, what are two ways to accomplish this task? (Choose two.)

• A. Disable the sync feature on porl3: then configure specific IPs for ports on both cluster members.
• B. Configure port3 to be a dedicated HA management interface, then configure specific IPs for port3 on both cluster members.
• C. Create a management VDOM and Disable the HA synchronization for this VDOM, assign ports to this VDOM, then configure specific IPs for ports on both cluster member.
• D. Allow administrative access in the HA heartbeat interface

Answer: BC

NEW QUESTION 9
Exhibit

You created an aggregate interface between your FortiGate and consisting of two 1 GBPs links in the exhibit. However, the maximum bandwidth never exceeds 1 Gbps and employees are complaining that the is slow. After troubleshooting, you notice only one member interface is being used. The configuration for the aggregation interface is shown in the exhibit.
In ths scenario, which command will solve this problem?
A)

B)

C)

D)

• A. Option A
• B. Option B
• C. Option C
• D. Option D

Answer: A

NEW QUESTION 10
Exhibit

You have installed a FortiSandbox and configured it in your FortiMail. Referring to the exhibit, which two statements are correct? (Choose two.)

• A. FortiMail will cache the results for 30 minutes.
• B. FortiMail will wait for 30 minutes to obtain the scan results.
• C. If the FortiSandbox with IP 10.10 10 3 is not available, the e-mail will be checked by the FortiCloud Sandbox.
• D. If FortiMail is not able to obtain the results from the fortiGuard quene
• E. URls will not be checked by the FortiSandbox.

Answer: BD

NEW QUESTION 11
Exhibit

You need to apply the security feature below to the network shown in the exhibit.
-- high grade DDoS protection
-- Web security and load balacng for Server 1 and Server
-- Solution must be PCI DSS compliant'
-- enhanced security to DNS 1 and DNS 2 What are three solutio for the scenario?

• A. FortiWeb forVDOM-A
• B. FortDDoS between FG1 and FG2 and the Internet
• C. FortiADC for VDOM-A
• D. FortADC for VDoM-B
• E. FortiDDoS between FG1 and FG2 and VDOMs

Answer: D

NEW QUESTION 12
Exhibit

Referring to the exhibit, which two statements are true? (Choose two.)

• A. The IPv4 traffic for nse8user is filtered using the DNS profile.
• B. The IPv6 traffic for nse8user is filtered using the DNS profile.
• C. The IPv4 policy is allowing security profile groups.
• D. The Web traffic for nse8user is being filtered differently in IPv4 and IPv6.

Answer: BC

NEW QUESTION 13
Exhibit

A FortiGate configure for a dial IPsec VPN to allow multiple remote FortiGAte to connect to it. However, FortiGAte A and B have problems connecting to the VPN. Only one of them can be connected at a time. If site B tries to connect while site A is connected, site A disconnected. The IKE real time shows debug shoes the output in the exhibit when site A is disconnected.
Which of the following setting should be excluded in the dial-up configuration to allow both to be VPNs to be connected at the same time?

• A. set enforce-unique-id disable
• B. set add-router enable
• C. set single-source disable
• D. set router-overlap allow

Answer: A

NEW QUESTION 14
Exhibit

The exhibit shows a topology where a FortiGate is two VDOMS, root and vd-vlasn. The root VDCM provides SSL-VPN access, where the users authenticated by a FortiAuthenticatator.
The vd-lan VDOM provids internal access to a Web server. For the remote users to access the internal web server, there are a few requirements, which are shown below.
--At traffic must come from the SSI-VPN
--The vd-lan VDOM only allows authenticated traffic to the Web server.
-- Users must only authenticate once, using the SSL-VPN portal.
-- SSL-VPN uses RADIUS-based authentication.
referring to the exhibit, and the requirement describe above, which two statements are true? (Choose two.)

• A. vd-lan authentication messages from root using FSSO.
• B. vd-lan connects to Fort authenticator as a regular FSSO client.
• C. root is configured for FSSO while vd-lan is configuration for RSSO.
• D. root sends “RADIUS Accounting Messages" to FortiAuthenticato

Answer: AC

NEW QUESTION 15
Exhibit

The exhibit shows the configuration of a service protection profile (SPP) in a FortiDDoS device. Which two statements are true about the traffic matching being inspection by this SPP? (Choose two.)

• A. Traffic that does match any spp policy will not be inspection by this spp.
• B. FortiDDos will not send a SYNACK if a SYN packet is coming from an IP address that is not the legtimate IP (LIP) address table.
• C. FortiDooS will start dropping packets as soon as the traffic executed the configured maintain threshold.
• D. SYN packets with payloads will be droope

Answer: AB

NEW QUESTION 16
You are building a FortiGala cluster which is stretched over two locations. The HA connections for the cluster are terminated on the data centers.
Once the FortiGates have booted, they do form a cluster.
The network operators inform you that CRC eoors are present on the switches where the FortiGAtes are connected. What would you do to solve this problem?

• A. Replace the caables where the CRC errors occur.
• B. Change the ethertype for the HA packets.
• C. Set the speedduplex setting to 1 Gbps /Full Duplex.
• D. Place the HA interfaces in dedicated VLAN

Answer: A

NEW QUESTION 17
You cannot the FortiGales default gateway 10.10.10 .1 from the FortiGate CLI. The FortiGate interface facing the default gateway is wan 1 and its IP address 10.10 .10 K74 During the troubleshooting, tests, you confirmed that you can plug other IP addresses in the 10.10.10. 0/24 subnet from the FortiGAte CLI without packets lost.
Which two CLI commands will help you to troubleshoot this problem? (Choose two.)

• A. diagnose ip arp list
• B. diag aniffer packet wan1 'arp and host 10.10.1O.1'
• C. diagnose hardware deviceinfo nice wan1
• D. diagnose debug flow filter addt 10.10.10.1
• E. diagnose debug flow trace trace 10

Answer: AD

NEW QUESTION 18
Exhibit

Referring to the exhibit, which two statements are true? (Choose two.)

• A. port13 and port14 on FS448D-A should be connected to port13 and port14 on FS448D-B.
• B. LAG-1 and LAG 2 should be connected to a single 4-port 802 3ad interface on the FortiGate-A.
• C. LAG-3 on switches on FS448D-A and FS448D-B may be connected to a single 802 3ad trunk on another device.
• D. LAG-1 and LAG-2 should be connected to a 4-port single 802 3ad trunk on another devic

Answer: CD

NEW QUESTION 19
Exhibit

Referring to the exhibit, which two behaviors will the FortiClient endpoint has after receiving the profile update from the FortiClient EMS? (Choose two.)

• A. Files executed from a mapped network drive will not be inspected by the FortiCltent endpoint Antivirus engine.
• B. The user will not be able to access a Web downloaded file for at least 60 seconds when the FortiSandbox is reachable.
• C. The user will not be able to access a Web downloaded file for a maximum seconds if it is not a virus and the FortiSandbox s reachable.
• D. The user will not be able to access a Web downloaded file when the FortiSandbox is unreachabl

Answer: AD

NEW QUESTION 20
You are asked implement a single FortiGate 5000 chassis using Session-aware Load Balance Cluster (SLBC) with Active-passive for Controllers have the configuration shown below, with the rest of the configuration set to the default values.

Both FotiController show Master status. What is the problem in this scenario?

• A. The management interface of both FotiControllers was connected on the some network.
• B. The priority should be set higher for ForControllers on slot-1.
• C. The b1 interface the two FortiConrollers do not see each other.
• D. The chassis ID settings on FotiControllers on slot 2 should be set to 2.

Answer: A

NEW QUESTION 21
Exhibit

You log into FortiManager, look at the Device Manager window and notice that one of you managed devices is not in normal status.
Referring to the exhibit, which two statements correctly describe the affected device's status and result? (Choose two.)

• A. The device configuration was changed on the local FoitiGate side onl
• B. auto-update is disabled.
• C. The device configuration was changed on both the local FortiGate side and the FortiManager side, auto-update is disabled.
• D. The changed configuration on the FortiGate wrt remain the next time that the device configuration is pushed from ForbManager.
• E. The changed configuration on the FortiGate will be overwritten in favor of what is on the FortiMAnager the next time that the device configuration is pushed.

Answer: BD

NEW QUESTION 22
You have a customer experiencing problem with a legacy L3L4 firewall device and IPV6 SIP VoIP traffic. They devices is dropping SIP packets, consequently, it process SIP voice calls. Which solution would solve the customer's problem?

• A. Deploy a FortiVoice and enable IPv6 SIP.
• B. Replace their legacy device with a FortiGate and configure it to extract information from the body of the IPv6 packet.
• C. Deploy a FotiVoice and enable an IPv6 SIP session helper.
• D. Replace their legacy device with a FortiGate and deploy a FortiVoice to extract information from the body of the IPv6 SIP packet

Answer: A

NEW QUESTION 23
Exhibit

A FortiGate device is configured to authenticate SSL VPN users digital certificates. Part of the FortiGate configuration is shown in the exhibit.
Which two statements are true in this scenario?

• A. The authentication will fail if the OCSP server is down.
• B. OCSP is used to verify that the user-signed certificate has not expired.
• C. The authentication will fail if the certificate does not contain user principle name (UPN) information.
• D. The authentication will fail if the user certificate does not contain the CA_Cert string in the Faile

Answer: A

NEW QUESTION 24
In a FortiGate 5000 series, two FortiControllers are working as an SLBC cluster in a-p mode. The configuration shown below is applied.

When statement is true on how new TCP sessions are handled by the Distributor Processor (DP).
The new session added the DP session table is automatically deleted, if the traffic is denied by the processing worker.

• A. No new session is added is the DP session table until the processing worker accepts the traffic.
• B. A new session added m the DP session table remains in the table remain in the traffic is denied by the procession worker.
• C. A new session added in the OP session table remains is the table only if traffic is traffic is accepted by the processing worker.

Answer: C

NEW QUESTION 25
......