FCP FGT

The document contains a series of questions and answers related to network security and FortiGate configurations. It covers topics such as route selection, web filtering, flow-based antivirus profiles, firewall policies, ZTNA functions, IPsec VPN configurations, SSL VPN timeout settings, application control, and HA cluster traffic management. Each question includes explanations for the correct answers and clarifications on why certain options are incorrect.

Question 1

Refer to the exhibit.

Which route will be selected when trying to reach 10.20.30.254?

A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]

B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]

C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]

D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]

Overall explanation

Correct answer: A

A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]

FortiGate selects the active route with the longest prefix that actually contains the destination. 10.20.30.0/26 is more specific than /24, but it only covers 10.20.30.0 to 10.20.30.63, so 10.20.30.254 does not fall inside it. 10.30.20.0/24 is a different network altogether, and the default route 0.0.0.0/0 matches everything but has the shortest prefix, so it is used only when nothing else matches. That leaves 10.20.30.0/24 via port3 as the best match. Distance ([10/0]) and priority ([1/0]) are equal for all four routes, so they play no part here; they only break ties between routes to the same prefix.
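The lookup described above, as an added example that is not part of the study guide and is not FortiOS code: the four routes from the question are loaded into a small table, a fifth route with a worse distance is constructed to show that it never becomes active, and select_route() applies the same rules (active routes only, longest prefix, then priority) to any destination.

```python
import ipaddress

# Constructed routing table. Tuple layout mirrors the routing-table line in the
# question: (prefix, distance, gateway, interface, priority).
ROUTES = [
    ("10.20.30.0/24", 10, "172.20.167.254", "port3", 1),
    ("10.30.20.0/24", 10, "172.20.121.2",   "port1", 1),
    ("10.20.30.0/26", 10, "172.20.168.254", "port2", 1),
    ("0.0.0.0/0",     10, "172.20.121.2",   "port1", 1),
    # constructed extra route: same prefix as the first one but worse distance,
    # so it stays inactive and must not influence the lookup
    ("10.20.30.0/24", 20, "172.20.121.2",   "port1", 1),
]


def active_routes(routes):
    """For each prefix only the route(s) with the lowest distance are active;
    the others remain in the routing table but never reach the forwarding lookup."""
    best = {}
    for prefix, distance, *_ in routes:
        best[prefix] = min(distance, best.get(prefix, distance))
    return [r for r in routes if r[1] == best[r[0]]]


def select_route(destination, routes=ROUTES):
    """Return the active route whose prefix contains destination and is longest.
    Equal prefixes are ordered by lower priority value; anything still tied
    would be ECMP, which this model does not go into."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in active_routes(routes) if dst in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    matches.sort(key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[4]))
    return matches[0]


def explain(destination):
    """One-line summary of the chosen route, in the style of the routing table."""
    r = select_route(destination)
    if r is None:
        return f"{destination} -> no route"
    return f"{destination} -> {r[0]} via {r[2]} on {r[3]}"


if __name__ == "__main__":
    for dst in ("10.20.30.254", "10.20.30.10", "10.30.20.7", "8.8.8.8"):
        print(explain(dst))
```

Running it shows that 10.20.30.10 is the destination that would have picked the /26 via port2; 10.20.30.254 lies past the end of that /26 and falls back to the /24 via port3.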

Question 2

Refer to exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social
networking sites except Twitter. However, when users try to access twitter.com, they are redirected to
a FortiGuard web filtering block page.
Based on the exhibit, which configuration change can the administrator make to allow Twitter while
blocking all other social networking sites?

A. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.

B. On the Static URL Filter configuration, set Type to Simple.

C. On the Static URL Filter configuration, set Action to Exempt.

D. On the Static URL Filter configuration, set Action to Monitor.

Overall explanation

Correct answer: C

C. On the Static URL Filter configuration, set Action to Exempt.

Based on the exhibit, the FortiGuard Category Based Filter blocks the Social Networking category, and the Static URL Filter entry for twitter.com does not exempt it from that check. An Allow (or Monitor) entry only decides the static URL filter stage; the request is then handed to the FortiGuard category filter, which rates twitter.com as Social Networking and blocks it. That is why users still land on the block page.

To allow twitter.com while all other social networking sites stay blocked, set the Action of the twitter.com Static URL Filter entry to Exempt. Exempt stops web filtering for that URL at that stage, so the category block is never reached, while every other social networking site still goes through the category filter and is blocked. Changing the entry type (B) or the category action (A) does not achieve this: Warning would let users click through to every social networking site, not only Twitter.
Note:

Tested this in a lab environment and to make this work as stated in the question the Exempt action is the
only way to go, and also *.twimg.com will have to be added to the URL Filter with an Exempt action for
this situation to really work!

Allow: Access is permitted. Traffic is passed to remaining operations, including FortiGuard web filter, web
content filter, web script filters, and antivirus scanning.

Exempt: Allows traffic from trusted sources to bypass all security inspections.
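The evaluation order behind this question, as an added example (not FortiOS code and not part of the study guide): a small model in which the static URL filter runs first and the FortiGuard category filter second, so that an Allow entry for twitter.com still ends at the category block page while an Exempt entry does not. The category ratings, the subdomain semantics of the "simple" type and the *.twimg.com entry from the lab note are assumptions of the model.

```python
import fnmatch
import re

# Constructed stand-in for FortiGuard ratings (assumption, not real rating data).
CATEGORY_OF = {
    "twitter.com": "Social Networking",
    "abs.twimg.com": "Social Networking",
    "facebook.com": "Social Networking",
    "www.example.org": "Business",
}
# The category-based filter from the question: Social Networking is blocked.
CATEGORY_ACTION = {"Social Networking": "block"}


def url_filter_matches(host, pattern, ftype):
    """Match one Static URL Filter entry against a host name.
    The subdomain rule for "simple" is an assumption of this model."""
    if ftype == "simple":
        return host == pattern or host.endswith("." + pattern)
    if ftype == "wildcard":
        return fnmatch.fnmatchcase(host, pattern)
    if ftype == "regex":
        return re.search(pattern, host) is not None
    raise ValueError(f"unknown URL filter type {ftype!r}")


def evaluate(host, url_filter):
    """Return (verdict, stage) for a request to host.

    url_filter is an ordered list of (pattern, type, action) entries, as in the
    Static URL Filter table. Exempt ends web filtering for the request; Allow and
    Monitor only settle this stage and hand the request to the category filter.
    """
    for pattern, ftype, action in url_filter:
        if not url_filter_matches(host, pattern, ftype):
            continue
        if action == "block":
            return "block", "static URL filter"
        if action == "exempt":
            return "allow", "static URL filter (exempt, remaining inspection skipped)"
        break  # allow / monitor: first matching entry decides this stage only
    category = CATEGORY_OF.get(host, "Unrated")
    if CATEGORY_ACTION.get(category) == "block":
        return "block", f"FortiGuard category filter ({category})"
    return "allow", "FortiGuard category filter"


# The misconfiguration from the question: Allow does not prevent the category block.
BROKEN = [("twitter.com", "simple", "allow")]
# The fix: Exempt for twitter.com, plus the CDN domain mentioned in the lab note.
FIXED = [("twitter.com", "simple", "exempt"), ("*.twimg.com", "wildcard", "exempt")]

if __name__ == "__main__":
    for name, table in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for host in ("twitter.com", "abs.twimg.com", "facebook.com", "www.example.org"):
            print(name, host, *evaluate(host, table))
```

With BROKEN, twitter.com is blocked by the category filter even though the static entry matched; with FIXED, twitter.com and the twimg.com CDN are exempted while facebook.com still hits the category block.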

Question 3

Which three statements explain a flow-based antivirus profile? (Choose three.)

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B. If a virus is detected, the last packet is delivered to the client.

C. The IPS engine handles the process as a standalone.

D. FortiGate buffers the whole file but transmits to the client at the same time.

E. Flow-based inspection optimizes performance compared to proxy-based inspection.

Overall explanation

Correct answer: ADE

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

D. FortiGate buffers the whole file but transmits to the client at the same time. In flow-based mode the IPS engine reads the payload of each packet, caches a local copy and forwards the packet to the receiver at the same time, so the client already holds most of the file while the scan runs. Only the last packet is held back until the verdict is in. If a virus is detected, that last packet is dropped and the connection is reset, so the client is left with an incomplete file; this is why B is wrong.

E. Flow-based inspection optimizes performance compared to proxy-based inspection. Because the file is not held back before delivery, latency is lower than in proxy mode, and some operations can be offloaded to SPUs. If performance is your top priority, flow inspection mode is the more appropriate choice.

C is wrong: the IPS engine does the scanning, but not as a standalone process; it works within the inspection pipeline and, as noted, can offload work to SPUs.

Question 4

Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A. Services defined in the firewall policy

B. Highest to lowest priority defined in the firewall policy

C. Destination defined as Internet Services in the firewall policy

D. Lowest to highest policy ID number

E. Source defined as Internet Services in the firewall policy

Overall explanation

Correct answer: ACE

A. Services defined in the firewall policy

C. Destination defined as Internet Services in the firewall policy

E. Source defined as Internet Services in the firewall policy

When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which
you can define using the following objects:

• Incoming Interface.

• Outgoing Interface.

• Source: IP address, user, internet services.

• Destination: IP address or internet services.

• Service: IP protocol and port number.

• Schedule: Specific times to apply policy.

FortiGate evaluates the policy list from top to bottom and applies the first policy whose criteria all match; if none matches, the implicit deny policy drops the traffic. Neither a priority value (B) nor the policy ID (D) is a matching criterion, so placing specific policies above general ones is what matters.

Question 5

What are two functions of ZTNA? (Choose two.)

A. ZTNA manages access through the client only.

B. ZTNA manages access for remote users only.

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

Overall explanation

Correct answer: CD

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to
network resources for users, devices, and applications. It is based on the principle of "never trust, always
verify," which means that all access to network resources is subject to strict verification and
authentication.

Two functions of ZTNA are:

ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are
attempting to access network resources. This can include checks on the device's software and hardware
configurations, security settings, and the presence of malware.

ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the
user or device. Users and devices are granted access to only those resources that are necessary for their
role, and all other access is denied. This helps to prevent unauthorized access and minimize the risk of
data breaches.

A. ZTNA manages access through the client only. (client or browser)

B. ZTNA manages access for remote users only. (not just remote)

C. ZTNA provides a security posture check.


D. ZTNA provides role-based access.

ZTNA is an access control method that uses client device identification, authentication, and zero-trust
tags to provide role-based application access.

IP/MAC filtering uses ZTNA tags to provide an additional factor for identification, and a security posture
check to implement role-based zero-trust access.

Question 6

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP
address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN
tunnel to work?

A. Pre-shared key

B. Dialup user

C. Dynamic DNS

D. Static IP address

Overall explanation

Correct answer: B

In a scenario where the remote peer IP address is dynamic, and the remote peer does not support a
dynamic DNS update service, the appropriate choice for configuring the remote gateway on FortiGate is:

B. Dialup user

Configuring the remote gateway as a dialup user allows flexibility for dynamic remote peer IP addresses
without relying on dynamic DNS. Dialup user configurations are suitable for scenarios where the remote
peer's IP address may change dynamically, and it is not possible to use a static IP address or dynamic
DNS.

The peer IP address is not static.

D cannot be correct: the remote peer has a dynamic address, so the local side cannot know it in advance and it may change at any time.

C cannot be correct either: Dynamic DNS as a remote gateway type relies on the peer keeping a DNS name updated, which this peer cannot do.

A (pre-shared key) is an authentication method, not a remote gateway type, so the answer is B.

Question 7

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

A. SSL VPN idle-timeout

B. SSL VPN http-request-body-timeout

C. SSL VPN login-timeout

D. SSL VPN dtls-hello-timeout

Overall explanation

Correct answer: A

The SSL VPN idle-timeout setting determines how long an SSL VPN session may carry no traffic before it is terminated. Once no traffic passes through the tunnel, the idle timer starts counting; if it reaches the idle-timeout value before the user sends any new traffic, the session is torn down and its associated resources (the tunnel and its session entries) are deleted. The other options govern the login phase: login-timeout bounds how long the login exchange may take, http-request-body-timeout bounds how long FortiGate waits for the body of an HTTP request, and dtls-hello-timeout bounds the DTLS handshake. None of them deletes an established session.

By default an inactive SSL VPN session is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI, or with set idle-timeout under config vpn ssl settings in the CLI.

Question 8

Which statement is correct regarding the use of application control for inspecting web applications?

A. Application control can identify child and parent applications, and perform different actions on
them.

B. Application control signatures are organized in a nonhierarchical structure.

C. Application control does not require SSL inspection to identify web applications.

D. Application control does not display a replacement message for a blocked web application.

Overall explanation

Correct answer: A

Application control in FortiGate can identify both parent and child applications within web applications.
This allows for granular control and the ability to perform different actions based on the specific
application detected.

Application control is a feature that allows FortiGate to inspect and control the use of specific web
applications on the network. When application control is enabled, FortiGate can identify child and parent
applications, and can perform different actions on them based on the configuration.
The FortiGuard application control signature database is organized in a hierarchical structure. This gives
you the ability to inspect the traffic with more granularity. You can block Facebook applications while
allowing users to collaborate using Facebook chat.

Question 9

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy.
When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file.
When downloading the same file through HTTPS, FortiGate does not detect the virus and does not
block the file, allowing it to be downloaded.
The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two.)

A. The website is exempted from SSL inspection.

B. The EICAR test file exceeds the protocol options oversize limit.

C. The selected SSL inspection profile has certificate inspection enabled.

D. The browser does not trust the FortiGate self-signed CA certificate.

Overall explanation

Correct answer: AC
Two possible explanations for FortiGate's failure to detect the virus are:

A. The website is exempted from SSL inspection: if the site hosting the EICAR test file is on the SSL inspection exemption list (or matches an exempted category), FortiGate passes the TLS session through without decrypting it, so the antivirus engine never sees the file.

C. The selected SSL inspection profile has certificate inspection enabled: certificate inspection only examines the server certificate and the SNI to identify the site; it does not decrypt the payload. The file reaches the antivirus engine only as opaque ciphertext and cannot be recognized. Deep (full) inspection must be enabled for content inspection of HTTPS.

B is wrong because the EICAR file is tiny, far below any oversize limit, and the same file was detected over HTTP. D is wrong because a browser that does not trust the FortiGate CA would show a certificate warning; if the user proceeded, the content would still be decrypted and scanned, so D does not explain an undetected download. Here the file was never decrypted, which is why the antivirus engine could not recognize the payload as a virus.

While offering some level of security, certificate inspection does not permit the inspection of encrypted data (p. 333). Deep inspection is required instead of certificate inspection to ensure content inspection.

Question 10

Refer to the exhibits.


Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.
Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true?
(Choose two.)

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the
virtual MAC address of port2 as source.

B. The traffic sourced from the client and destined to the server is sent to FGT-1.

C. The cluster can load balance ICMP connections to the secondary.

D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them
to the secondary.

Overall explanation

Correct answer: AD

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source. Non-load-balanced traffic enters the primary on port1 and leaves the primary on port2. The exhibit shows FGT-2 as the primary, and the primary answers for the cluster's virtual MAC addresses, so the frame towards the server carries the port2 virtual MAC as its source.

D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary. In proxy inspection mode the SYN packet arrives on port1 of the primary. If the primary decides to load balance the session, it forwards the SYN to the selected secondary: the source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame of type 0x8891. The encapsulation is done only for the first packet of a load balanced session, and the encapsulated packet includes the original packet plus the session information that the secondary requires to process the traffic.

Incorrect:

B. The traffic sourced from the client and destined to the server is sent to FGT-1. Client traffic always arrives at the primary first, and FGT-1 is not the primary in the exhibit.

C. The cluster can load balance ICMP connections to the secondary. By default only TCP sessions that require proxy-based inspection are load balanced; the HA configuration in the exhibit does not enable load balancing of UDP or ICMP sessions, so ICMP stays on the primary.

To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses.

Question 11

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL
inspection? (Choose two.)

A. The keyUsage extension must be set to keyCertSign.

B. The CA extension must be set to TRUE.

C. The issuer must be a public CA.

D. The common name on the subject field must use a wildcard name.

Overall explanation

Correct answer: AB

Full SSL inspection - Certificate requirements:

Although it appears as though the user browser is connected to the web server, the browser is connected to FortiGate, which acts as a proxy web server and re-signs the server certificate on the fly. In order for FortiGate to act in this role, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.

The cA=True value identifies the certificate as a CA certificate (RFC 5280 section 4.2.1.9, Basic Constraints). The keyUsage=keyCertSign value indicates that the private key corresponding to the certificate is permitted to sign other certificates (RFC 5280 section 4.2.1.3, Key Usage). Without both, browsers reject the re-signed server certificates even if they trust the FortiGate CA.

C is wrong because the CA can be private: the default FortiGate CA is self-signed, which is why its certificate has to be distributed to the clients, and publicly trusted CAs do not issue subordinate CAs for interception. D is wrong because the subject common name of the CA certificate is irrelevant to re-signing; wildcard names belong in the server certificates it issues.
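The two checks described above, as an added example that is not part of the study guide and not FortiOS code: a minimal DER walker that reads an X.509 Extensions SEQUENCE and reports whether basicConstraints says cA=TRUE and keyUsage includes keyCertSign. The three extension blobs are hand-assembled test data (a CA, a server leaf, and a cA=TRUE certificate without keyCertSign), not extracted from real certificates.

```python
OID_BASIC_CONSTRAINTS = "2.5.29.19"   # RFC 5280 4.2.1.9
OID_KEY_USAGE = "2.5.29.15"           # RFC 5280 4.2.1.3
KEY_CERT_SIGN_BIT = 5                 # KeyUsage bits: digitalSignature(0) ... keyCertSign(5), cRLSign(6)


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode OID content octets into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der):
    """Parse an Extensions SEQUENCE into {oid: (critical, extnValue bytes)}."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = _tlv(seq, pos)           # Extension ::= SEQUENCE {extnID, critical?, extnValue}
        _, oid_bytes, p = _tlv(ext, 0)
        tag, val, p = _tlv(ext, p)
        critical = False
        if tag == 0x01:                        # optional BOOLEAN critical
            critical = val == b"\xff"
            tag, val, p = _tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        out[_oid(oid_bytes)] = (critical, val)
    return out


def basic_constraints_ca(extn_value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    _, body, _ = _tlv(extn_value, 0)
    if not body:
        return False                           # empty SEQUENCE: cA takes its DEFAULT, FALSE
    tag, val, _ = _tlv(body, 0)
    return tag == 0x01 and val == b"\xff"


def key_usage_has(extn_value, bit):
    """KeyUsage is a BIT STRING; its first content byte counts unused trailing bits."""
    tag, body, _ = _tlv(extn_value, 0)
    if tag != 0x03 or len(body) < 2:
        return False
    unused, bits = body[0], body[1:]
    if bit >= len(bits) * 8 - unused:          # bit lies in the padding, so it is not set
        return False
    byte_i, bit_i = divmod(bit, 8)
    return bool(bits[byte_i] & (0x80 >> bit_i))


def usable_as_inspection_ca(extensions_der):
    """True only if both requirements for a deep-inspection CA certificate hold."""
    exts = parse_extensions(extensions_der)
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    ku = exts.get(OID_KEY_USAGE)
    return bool(bc and basic_constraints_ca(bc[1]) and ku and key_usage_has(ku[1], KEY_CERT_SIGN_BIT))


# Hand-assembled Extensions SEQUENCEs (constructed test data, not real certificates).
CA_EXTS = bytes.fromhex(
    "3021"
    "300f0603551d130101ff040530030101ff"       # basicConstraints, critical, cA=TRUE
    "300e0603551d0f0101ff040403020106"         # keyUsage: keyCertSign + cRLSign
)
LEAF_EXTS = bytes.fromhex(
    "301e"
    "300c0603551d130101ff04023000"             # basicConstraints, critical, empty (cA=FALSE)
    "300e0603551d0f0101ff0404030205a0"         # keyUsage: digitalSignature + keyEncipherment
)
CA_NO_CERTSIGN_EXTS = bytes.fromhex(
    "3021"
    "300f0603551d130101ff040530030101ff"       # cA=TRUE ...
    "300e0603551d0f0101ff0404030205a0"         # ... but keyUsage lacks keyCertSign
)

if __name__ == "__main__":
    for name, blob in (("CA", CA_EXTS), ("leaf", LEAF_EXTS), ("CA without keyCertSign", CA_NO_CERTSIGN_EXTS)):
        print(f"{name}: usable for SSL inspection = {usable_as_inspection_ca(blob)}")
```

The third blob is the case worth remembering: a certificate can carry cA=TRUE and still be useless for re-signing if its keyUsage does not permit keyCertSign, which is exactly why the question asks for both attributes.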

Question 12

Which two configuration settings are global settings? (Choose two.)

A. User & Device settings

B. Firewall policies

C. HA settings

D. FortiGuard settings

Overall explanation

Correct answer: CD

On a FortiGate with multiple VDOMs, settings are either global (they apply to the whole device and are configured once, from the Global view) or per-VDOM (each VDOM keeps its own copy). HA settings (C) and FortiGuard settings (D) are global: a cluster is formed by the whole unit, and one FortiGuard subscription and update configuration serves every VDOM.

User & Device settings (A) and firewall policies (B) are per-VDOM: each VDOM has its own policy table, user definitions, routing table and security profiles, which is what lets VDOMs act as independent firewalls. Other global settings include physical interfaces, administrator accounts and system time.

Question 13

Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing
when SD-WAN is enabled?

A. Volume based

B. Source-destination IP based

C. Source IP based

D. Weight based

Overall explanation

Correct answer: A

With plain ECMP (SD-WAN disabled), FortiGate can distribute sessions across equal-cost routes by source IP, by source-destination IP, by weight, or by usage (spillover). When SD-WAN is enabled, the same choices are offered as the SD-WAN load balancing algorithm, plus one that ECMP alone does not have: volume based, which steers new sessions so that each member carries a configured share of the measured traffic volume rather than a share of the sessions. Options B, C and D exist in both cases, so volume based is the additional method.

Question 14

FortiGuard categories can be overridden and defined in different categories. To create a web rating
override for the example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A. www.example.com

B. www.example.com/index.html

C. www.example.com:443

D. example.com

Overall explanation

Correct answer: AD

A. www.example.com

D. example.com

To create a web rating override for the home page of the example.com domain, the administrator must
use one of the following syntaxes:

www.example.com: This syntax specifies the fully qualified domain name (FQDN) of the website,
including the www subdomain. This syntax will apply the web rating override to all pages on the website,
including the home page.

example.com: This syntax specifies the root domain of the website, without the www subdomain. This
syntax will also apply the web rating override to all pages on the website, including the home page.

Question 15

Which two statements correctly describe the differences between IPsec main mode and IPsec
aggressive mode? (Choose two.)

A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does
not.

B. Main mode cannot be used for dialup VPNs, while aggressive mode can.

C. Aggressive mode supports XAuth, while main mode does not.

D. Six packets are usually exchanged during main mode, while only three packets are exchanged
during aggressive mode.

Overall explanation

Correct answer: AD

The correct statements describing the differences between IPsec main mode and IPsec aggressive mode
are:

A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does
not.

 In aggressive mode the peer ID travels in the first packet, in clear text. In main mode the identities are exchanged only in the fifth and sixth packets, after the Diffie-Hellman exchange has produced keying material, so they are sent encrypted; this is why main mode is considered the more secure of the two.

D. Six packets are usually exchanged during main mode, while only three packets are exchanged
during aggressive mode.

 Main mode typically involves the exchange of six packets to establish the IPsec tunnel, whereas
aggressive mode streamlines the process with a reduced exchange of three packets.

The other statements (B and C) are not accurate:

 B is incorrect because main mode can be used for dialup VPNs, and it is commonly used in such
scenarios.

 C is incorrect because both aggressive mode and main mode support Extended Authentication
(XAuth), and XAuth is not exclusive to aggressive mode.

Question 16

What does the command diagnose debug fsso-polling refresh-user do?

A. It refreshes all users learned through agentless polling.

B. It displays status information and some statistics related to the polls done by FortiGate on each DC.

C. It refreshes user group information from any servers connected to FortiGate using a collector agent.

D. It enables agentless polling mode real-time debug.

Overall explanation

Correct answer: A

It refreshes all users learned through agentless polling.

In agentless (FSSO polling) mode FortiGate itself polls the Windows domain controllers for logon events in their security event logs, instead of relying on a collector agent. diagnose debug fsso-polling refresh-user flushes the users that were learned this way and re-learns them from the next polls, which is the usual first step when a user's IP-to-identity mapping looks stale. The other options describe different things: B is diagnose debug fsso-polling detail (poll status and statistics per DC), C applies to collector-agent mode, and D is the real-time debug switch, not a refresh.

Question 17

View the exhibit.

Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The
subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and
VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.

Which two static routes are required in the FortiGate configuration, to route traffic between both
subnets through an inter-VDOM link? (Choose two.)

A. A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-
VDOM link

B. A static route in VDOM2 for the destination subnet 10.0.1.0/24

C. A static route in VDOM1 for the destination subnet 10.0.2.0/24

D. A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-
VDOM link

Overall explanation
The two static routes required in the FortiGate configuration to route traffic between both subnets
through an inter-VDOM link are:

B. A static route in VDOM2 for the destination subnet 10.0.1.0/24

C. A static route in VDOM1 for the destination subnet 10.0.2.0/24

Explanation:

 In VDOM1, a static route for the destination subnet 10.0.2.0/24 is needed to route traffic destined for VDOM2's subnet through the inter-VDOM link.

 In VDOM2, a static route for the destination subnet 10.0.1.0/24 is needed to route traffic destined for VDOM1's subnet through the inter-VDOM link.

 A and D are wrong because the subnet assigned to the inter-VDOM link is directly connected on both sides: each VDOM already has a connected route for it, so no static route is needed for the link itself, only for the subnet that lives behind the other VDOM.

Question 18

An administrator configured the antivirus profile in a firewall policy set to flow-based inspection
mode. While testing the configuration, the administrator noticed that eicar.com test files can be
downloaded using HTTPS protocol only. What is causing this issue?

A. Hardware acceleration is in use.

B. The test file is larger than the oversize limit.

C. HTTPS protocol is not enabled under Inspected Protocols.

D. Full SSL inspection is disabled.

Overall explanation

Correct answer: D
The issue is likely caused by:

D. Full SSL inspection is disabled.

In flow-based inspection mode, if full SSL inspection is disabled, the FortiGate device may not be
inspecting the contents of the HTTPS traffic, allowing the eicar.com test files to be downloaded without
being scanned for viruses. To address this, you would need to enable full SSL inspection to ensure that
the antivirus profile can inspect the contents of encrypted traffic.

Question 19

An administrator wants to monitor their network for any probing attempts aimed to exploit existing
vulnerabilities in their servers.
Which two items must they configure on their FortiGate to accomplish this? (Choose two.)

A. A web application firewall profile to check protocol constraints

B. A DoS policy, and log all UDP and TCP scan attempts

C. An IPS sensor to monitor all signatures applicable to the server

D. An application control profile, and set all application signatures to monitor

Overall explanation

Correct answer: BC

B. Configure a DoS policy and log all UDP and TCP scan attempts.

 A Denial of Service (DoS) policy can help monitor and mitigate scan attempts. By logging UDP
and TCP scan attempts, the administrator can identify potential probing activities.

C. Configure an IPS sensor to monitor all signatures applicable to the server.

 An Intrusion Prevention System (IPS) sensor is crucial for monitoring and preventing various
types of attacks, including those targeting server vulnerabilities. Monitoring all relevant IPS
signatures enhances the detection capabilities.

So, the correct choices are indeed B and C.

Question 20

Which three settings and protocols can be used to provide secure and restrictive administrative access
to FortiGate? (Choose three.)

A. SSH

B. FortiTelemetry

C. Trusted host

D. HTTPS

E. Trusted authentication

Overall explanation

Correct answer: ACD

To provide secure and restrictive administrative access to FortiGate, the following three settings and
protocols can be used:

A. SSH (Secure Shell)


 SSH is a secure protocol that allows secure remote access to the FortiGate command-line
interface (CLI).

C. Trusted host

 Configuring trusted hosts allows you to restrict administrative access to specified IP addresses,
providing an additional layer of security.

D. HTTPS (Hypertext Transfer Protocol Secure)

 HTTPS is a secure protocol that enables secure access to the FortiGate web-based graphical user
interface (GUI).

So, the correct choices are A, C, and D. FortiTelemetry (B) is the FortiClient Security Fabric telemetry channel, not an administrative protocol, and there is no FortiGate setting called trusted authentication (E). In practice, keep HTTP and Telnet disabled on administrative interfaces, since both carry credentials in clear text, and combine SSH and HTTPS with trusted hosts so that only the management subnet can even reach the login prompt.

Question 21

Which statement about firewall policy NAT is true?

A. DNAT is not supported.

B. DNAT can automatically apply to multiple firewall policies, based on DNAT rules.

C. You must configure SNAT for each firewall policy.

D. SNAT can automatically apply to multiple firewall policies, based on SNAT rules.

Overall explanation

Correct answer: C

You must configure SNAT for each firewall policy.

In the default policy NAT mode, NAT is a per-policy setting: each firewall policy has its own NAT option, and you choose between the outgoing interface address and an IP pool for every policy that needs source translation. SNAT (Source NAT) therefore has to be enabled policy by policy; it does not apply itself to other policies from a rule set (D), which is what central SNAT would do, and central NAT is disabled by default. DNAT (Destination NAT) is supported (A) but, in policy NAT mode, is configured through virtual IP (VIP) objects that are referenced as the destination of a firewall policy, not through automatic DNAT rules (B).

Question 22

Which statement about traffic flow in an active-active HA cluster is true?

A. The SYN packet from the client always arrives at the primary device first.

B. The secondary device responds to the primary device with a SYN/ACK, and then the primary device
forwards the SYN/ACK to the client.

C. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces
to redistribute to the sessions.

D. The ACK from the client is received on the physical MAC address of the primary device.
Overall explanation

Correct answer: A

The correct statement about traffic flow in an active-active High Availability (HA) cluster is:

A. The SYN packet from the client always arrives at the primary device first.

In an active-active HA cluster, the primary device typically handles the initial SYN packet from the client.
The primary device then determines how to distribute the traffic among the cluster members.

The other statements are not accurate:

 B is incorrect because the SYN/ACK comes from the server, not from the secondary. It arrives at the primary, which forwards it to the secondary that owns the session, and the secondary delivers it to the client.

 C is incorrect because virtual MAC addresses are assigned to the primary's traffic interfaces (port1, port2, and so on), not to the heartbeat interfaces, which keep their physical MAC addresses. Only the primary holds the virtual MACs, which is why client traffic always arrives there first.

 D is incorrect because the client addresses its frames to the virtual MAC address of the primary, not to a physical MAC address; the ACK therefore arrives at the primary, which forwards it to whichever member owns the session.

So, the correct choice is A.

Question 23

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose
two.)

A. Only the "any" interface can be chosen as an incoming interface.

B. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.

C. Multiple interfaces can be selected as incoming and outgoing interfaces.

D. A zone can be chosen as the outgoing interface.

Overall explanation

Correct answer: CD

C. Multiple interfaces can be selected as incoming and outgoing interfaces.

 This statement is correct. You can specify multiple interfaces as both incoming and outgoing
interfaces in a firewall policy.

D. A zone can be chosen as the outgoing interface.


 This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing
interface in a firewall policy, providing a convenient way to apply policies to multiple physical or
logical interfaces grouped under the same zone.

So, the correct choices are C and D. A is wrong because any interface, zone or the any pseudo-interface can be chosen as the incoming interface, and B is wrong because both the incoming and the outgoing interface are mandatory fields in a firewall policy (use any when a direction should not be restricted).
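The matching criteria from Question 4 and the interface rules from Question 23, as one added example that is not part of the study guide and not FortiOS code: a first-match policy lookup in which a zone expands to several interfaces, an Internet Service name expands to address ranges, and the list order (not the policy ID) decides which policy wins. The zone, the Internet Service object, the policies and the packets are all constructed for the example.

```python
import ipaddress

ANY = "any"                                             # the "any" interface / address / service

ZONES = {"zone_dmz": ["port2", "port3"]}                # constructed zone grouping two interfaces

# Constructed Internet Service object: a name that expands to address ranges.
INTERNET_SERVICES = {"Example-Update-Servers": ["198.51.100.0/24"]}


def _expand_interfaces(spec):
    if spec == ANY:
        return ANY
    out = []
    for name in spec:
        out.extend(ZONES.get(name, [name]))             # a zone stands for all its members
    return out


def _expand_addresses(spec):
    if spec == ANY:
        return ANY
    nets = []
    for item in spec:
        nets.extend(INTERNET_SERVICES.get(item, [item]))
    return [ipaddress.ip_network(n) for n in nets]


def _match_interface(intf, spec):
    return spec == ANY or intf in _expand_interfaces(spec)


def _match_address(ip, spec):
    nets = _expand_addresses(spec)
    return nets == ANY or any(ipaddress.ip_address(ip) in n for n in nets)


def _match_service(proto, port, spec):
    """spec is ANY or a list of (protocol, set_of_ports_or_None)."""
    return spec == ANY or any(p == proto and (ports is None or port in ports) for p, ports in spec)


def match_policy(policies, pkt):
    """Walk the policy list top-down and return the ID of the first policy whose
    criteria all match, or 0 for the implicit deny. Policy ID and any notion of
    priority play no part: only the list order does. Schedules are not modelled."""
    for pol in policies:
        if (_match_interface(pkt["srcintf"], pol["srcintf"])
                and _match_interface(pkt["dstintf"], pol["dstintf"])
                and _match_address(pkt["srcip"], pol["srcaddr"])
                and _match_address(pkt["dstip"], pol["dstaddr"])
                and _match_service(pkt["proto"], pkt["dport"], pol["service"])):
            return pol["id"]
    return 0


# Constructed policy table; the IDs are deliberately not in list order.
POLICIES = [
    {"id": 7, "srcintf": ["zone_dmz"], "dstintf": ["port1"],
     "srcaddr": ["192.168.1.0/24"], "dstaddr": ["Example-Update-Servers"],
     "service": [("tcp", {80, 443})]},
    {"id": 3, "srcintf": ["port2"], "dstintf": ["port1"],
     "srcaddr": ["192.168.1.0/24"], "dstaddr": ANY,
     "service": [("tcp", {80, 443}), ("udp", {53})]},
]

# Constructed packets.
WEB_TO_ISDB = {"srcintf": "port3", "dstintf": "port1", "srcip": "192.168.1.24",
               "dstip": "198.51.100.7", "proto": "tcp", "dport": 443}
WEB_FROM_PORT2 = dict(WEB_TO_ISDB, srcintf="port2")
DNS_FROM_PORT2 = {"srcintf": "port2", "dstintf": "port1", "srcip": "192.168.1.24",
                  "dstip": "203.0.113.53", "proto": "udp", "dport": 53}
SSH_FROM_PORT2 = {"srcintf": "port2", "dstintf": "port1", "srcip": "192.168.1.24",
                  "dstip": "203.0.113.22", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("web via zone", WEB_TO_ISDB), ("dns", DNS_FROM_PORT2), ("ssh", SSH_FROM_PORT2)):
        print(name, "-> policy", match_policy(POLICIES, pkt))
    print("web from port2, table as listed   ->", match_policy(POLICIES, WEB_FROM_PORT2))
    print("web from port2, table reversed    ->", match_policy(list(reversed(POLICIES)), WEB_FROM_PORT2))
```

The last two lines are the point: the same packet hits policy 7 or policy 3 depending only on which sits higher in the list, so the more specific policy has to be placed above the general one.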

Question 24

View the exhibit.


date=2022-06-14 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow
level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous"
group="ldap_users" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80
dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile"
profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135
msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140
catdesc="custom1"
What two things does this raw log indicate? (Choose two.)

Your selection is correct

A. FortiGate allowed the traffic to pass.

B. 192.168.1.24 is the IP address for www.fortinet.com.

Your selection is correct

C. The traffic matches the webfilter profile on firewall policy ID 2.

D. The traffic originated from 66.171.121.44.

Overall explanation

Correct answer: AC

The raw log indicates the following:

A. FortiGate allowed the traffic to pass.

 The "status" field is set to "passthrough," which means the traffic was allowed to pass.

C. The traffic matches the webfilter profile on firewall policy ID 2.

 The "policyid" field is set to 2, indicating that the traffic matches the firewall policy with ID 2. The
"profiletype" and "profile" fields specify that the traffic matches the Webfilter profile named
"default."

The other options are not supported by the information in the raw log:

 B is incorrect because the log does not provide information about the IP address of
www.fortinet.com; it indicates the destination IP address as 66.171.121.44.

 D is incorrect because the log indicates that the traffic originated from 192.168.1.24, not
66.171.121.44.
So, the correct choices are A and C.
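The reasoning above comes down to reading individual key=value fields out of the raw log. The following Python is an added example, not part of the original question set and not Fortinet code; it parses FortiGate raw log lines (space-separated key=value pairs with optional double-quoted values), answers the four statements from the question for the line in the exhibit, and shows the same parser driving a simple detection over blocked webfilter events. The sample log line is the one quoted in the question, embedded as a string so the code runs offline; the function names are the example's own.

```python
import re

# Constructed sample: the raw webfilter log line quoted in the question,
# reproduced here as a string so the parser can run offline.
SAMPLE_LOG = (
    'date=2022-06-14 time=14:45:16 logid=0317013312 type=utm subtype=webfilter '
    'eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 '
    'sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 '
    'srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" '
    'service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" '
    'profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 '
    'rcvdbyte=60135 msg="URL belongs to an allowed category in policy" '
    'method=domain class=0 cat=140 catdesc="custom1"'
)

# FortiGate raw logs are space-separated key=value pairs. A value is either a
# double-quoted string (may contain spaces and backslash-escaped quotes) or a
# bare token without whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one raw FortiGate log line as a dict."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def webfilter_verdict(fields: dict) -> dict:
    """Answer the four statements from the question for one webfilter log.

    'allowed' comes from status (passthrough = allowed, blocked = denied).
    The client is always srcip/srcintf and the server dstip/dstintf; hostname
    is the site that was requested, not an attribute of the client address.
    """
    return {
        "allowed": fields.get("status") == "passthrough",
        "policy_id": int(fields["policyid"]) if "policyid" in fields else None,
        "profile": (fields.get("profiletype"), fields.get("profile")),
        "client": (fields.get("srcip"), fields.get("srcintf")),
        "server": (fields.get("dstip"), fields.get("dstintf")),
        "requested_host": fields.get("hostname"),
    }


def blocked_webfilter_events(lines):
    """Detection helper: yield (srcip, user, hostname, catdesc) for webfilter
    events that were not allowed, e.g. to alert on repeated blocks per user."""
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") == "webfilter" and f.get("status") != "passthrough":
            yield (f.get("srcip"), f.get("user"), f.get("hostname"), f.get("catdesc"))


if __name__ == "__main__":
    verdict = webfilter_verdict(parse_fortigate_log(SAMPLE_LOG))
    for name, value in verdict.items():
        print(f"{name:15} {value}")
```

Running it prints allowed True, policy_id 2, client ('192.168.1.24', 'port2') and server ('66.171.121.44', 'port1'), which is exactly why A and C are true and B and D are not. The regex deliberately tries the quoted form first so that a value such as msg="URL belongs to an allowed category in policy" is kept whole rather than split on spaces.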

Question 25Correct

FortiGate is configured for firewall authentication. When attempting to access an external website, the
user is not presented with a login prompt. What is the most likely reason for this situation?

A. No matching user account exists for this user.

B. The user is using a guest account profile.

Your answer is correct

C. The user was authenticated using passive authentication.

D. The user is using a super admin account.

Overall explanation

Correct answer: C

The most likely reason for a user not being presented with a login prompt when attempting to access an
external website in a FortiGate firewall authentication scenario is:

C. The user was authenticated using passive authentication.

Passive authentication identifies the user without presenting a login prompt: FortiGate learns the
user-to-IP mapping from another source, such as a Fortinet Single Sign-On (FSSO) collector agent, RADIUS
accounting (RSSO) or NTLM, and the firewall policy then matches the user group transparently. Active
methods (local or server-based password authentication, captive portal) are the ones that produce a prompt.

Options A, B, and D are less likely to cause the absence of a login prompt in this context:

 A is less likely because a missing user account would still produce an authentication prompt; the
login attempt would simply fail.

 B is less likely unless the guest account profile specifically has a passive authentication
mechanism.

 D is less likely because super admin accounts are typically not subject to transparent or passive
authentication mechanisms.

So, the most likely reason is C.

Question 26Correct

Refer to the exhibits.


The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for
Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook, but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?

A. Force access to Facebook using the HTTP service.

Your answer is correct

B. Make the SSL inspection a deep content inspection.

C. Add Facebook in the URL category in the security policy.

D. Get the additional application signatures required to add to the security policy.
Overall explanation

Correct answer: B

Needs SSL full (deep) inspection.

Users can play video content hosted on Facebook but cannot leave reactions on videos or other posts. The
policy is therefore partially working: the Facebook and Facebook_Video.Play signatures are matched, while
the signature that controls reactions is not. That points to the SSL inspection profile rather than to a
missing application rule.

The lock icon next to Facebook_like.Button in the application signature list indicates that the signature
requires SSL deep inspection. Facebook and Facebook_Video.Play do not, which is why video playback works.
Looking up the Facebook_like.Button signature confirms "Requires SSL Deep Inspection".

With certificate inspection only, FortiGate sees just the server certificate and SNI and cannot match
signatures that depend on the content of the encrypted HTTP exchange. The policy must therefore use a
deep-inspection SSL profile.

Question 27Correct

Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

Your selection is correct

A. Port block allocation

Your selection is correct

B. Fixed port range

C. One-to-one

D. Overload

Overall explanation

The two IP pool types that are useful for carrier-grade NAT (CGNAT) deployments are:

A. Port block allocation

B. Fixed port range

Explanation:

A. Port block allocation (PBA): each internal address is given a block of contiguous ports on one public
address, and further blocks as needed up to a configured maximum. Translations are logged per block rather
than per session, which keeps logging volume and the cost of tracing a public address and port back to a
subscriber manageable at carrier scale.

B. Fixed port range: the internal address range is mapped deterministically onto the external address
range, so each internal address always receives the same public address and the same slice of ports. The
mapping can be computed from the configuration, so no per-session log is needed to identify the subscriber
behind a public address and port.

Both types exist for CGNAT deployments: they let many subscribers share scarce IPv4 addresses while keeping
the translation traceable. One-to-one pools do not share addresses, and overload pools share them without
any traceable structure, which is why C and D are incorrect.
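To make the difference between the two pool types concrete, here is an added Python example (not from the original question set and not FortiOS's own arithmetic). The PortBlockAllocator class models port block allocation: ports are handed out in contiguous blocks per internal address and a log entry is written once per block rather than once per session. The fixed_port_range function models a fixed port range pool as a pure function of the configuration, with a reverse lookup to show that a public address and port can be traced back to the internal address without any log. The pool sizes, addresses and block size are the example's own assumptions.

```python
import ipaddress
import math


class PortBlockAllocator:
    """Illustrative port block allocation (PBA) pool; assumption-based, not FortiOS code.

    Each internal address gets a contiguous block of ports on one public address.
    A log entry is written when a block is allocated, not for every session.
    """

    def __init__(self, external_ips, block_size=64, port_start=1024,
                 port_end=65535, max_blocks_per_user=4):
        self.block_size = block_size
        self.max_blocks = max_blocks_per_user
        # Every (public_ip, first_port) block that is still free, in order.
        self.free_blocks = [
            (ip, first)
            for ip in external_ips
            for first in range(port_start, port_end - block_size + 2, block_size)
        ]
        self.blocks = {}   # internal_ip -> list of [public_ip, first_port, next_free_port]
        self.log = []      # (internal_ip, public_ip, first_port, last_port) per block

    def _allocate_block(self, internal_ip):
        if len(self.blocks.get(internal_ip, [])) >= self.max_blocks:
            raise RuntimeError(f"{internal_ip}: per-user block limit reached")
        if not self.free_blocks:
            raise RuntimeError("pool exhausted")
        public_ip, first = self.free_blocks.pop(0)
        block = [public_ip, first, first]
        self.blocks.setdefault(internal_ip, []).append(block)
        self.log.append((internal_ip, public_ip, first, first + self.block_size - 1))
        return block

    def translate(self, internal_ip):
        """Return the (public_ip, port) a new session from internal_ip is mapped to."""
        for block in self.blocks.get(internal_ip, []):
            public_ip, first, nxt = block
            if nxt <= first + self.block_size - 1:   # block still has free ports
                block[2] = nxt + 1
                return public_ip, nxt
        block = self._allocate_block(internal_ip)   # all blocks full: take another
        block[2] = block[1] + 1
        return block[0], block[1]


def _fpr_geometry(internal_net, external_ips, port_start, port_end):
    net = ipaddress.ip_network(internal_net)
    per_ext = math.ceil(net.num_addresses / len(external_ips))  # internal IPs per public IP
    slice_width = (port_end - port_start + 1) // per_ext         # ports per internal IP
    return net, per_ext, slice_width


def fixed_port_range(internal_ip, internal_net, external_ips,
                     port_start=1024, port_end=65535):
    """Illustrative fixed port range mapping: internal addresses are spread evenly
    over the public addresses and each gets a fixed slice of the port range.
    Returns (public_ip, first_port, last_port)."""
    net, per_ext, slice_width = _fpr_geometry(internal_net, external_ips, port_start, port_end)
    idx = int(ipaddress.ip_address(internal_ip)) - int(net.network_address)
    if not 0 <= idx < net.num_addresses:
        raise ValueError(f"{internal_ip} is not in {internal_net}")
    public_ip = external_ips[idx // per_ext]
    first = port_start + (idx % per_ext) * slice_width
    return public_ip, first, first + slice_width - 1


def fixed_port_range_reverse(public_ip, port, internal_net, external_ips,
                             port_start=1024, port_end=65535):
    """Trace a public (address, port) back to the internal address with no log lookup."""
    net, per_ext, slice_width = _fpr_geometry(internal_net, external_ips, port_start, port_end)
    idx = external_ips.index(public_ip) * per_ext + (port - port_start) // slice_width
    return str(net.network_address + idx)


if __name__ == "__main__":
    pool = PortBlockAllocator(["203.0.113.10"])          # constructed public address
    for _ in range(70):                                   # 70 sessions, 64-port blocks
        pool.translate("10.0.0.5")
    print("PBA log entries for 70 sessions:", len(pool.log), pool.log)
    print(fixed_port_range("10.0.0.130", "10.0.0.0/24",
                           ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]))
```

With a 64-port block, 70 sessions from one subscriber produce two log entries instead of seventy, and the fixed port range mapping for 10.0.0.130 out of a /24 shared across four public addresses lands on the third address with a slice of 1008 ports that the reverse function maps straight back to 10.0.0.130.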

Question 28Correct

What is eXtended Authentication (XAuth)?

A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.

Your answer is correct

B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials
(username and password).

C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.

D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.

Overall explanation

The correct answer is:

B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username
and password).

Explanation: XAuth is an IKEv1 extension that adds a user-level authentication step after IKE phase 1
(the peer-level authentication with a pre-shared key or certificate) and before phase 2 negotiates the
IPsec SAs. The remote user must supply a username and password, usually checked against a local or remote
(LDAP or RADIUS) user group, so a pre-shared key alone is not enough to bring up the tunnel. IKEv2 does not
use XAuth; it carries user authentication with EAP instead.

Question 29Correct

What must you configure to enable proxy-based TCP session failover?

A. You must configure ha-configuration-sync under configure system ha.

B. You do not need to configure anything because all TCP sessions are automatically failed over.

Your answer is correct

C. You must configure session-pickup-enable under configure system ha.

D. You must configure session-pickup-connectionless enable under configure system ha.

Overall explanation

The correct answer is:

C. You must configure session-pickup-enable under configure system ha.

Explanation: TCP session failover is not enabled by default on a FortiGate HA cluster. It is turned on
with set session-pickup enable under config system ha: the primary then synchronizes its session table to
the other cluster members, so that established TCP sessions survive a failover instead of being reset.
The session-pickup-connectionless setting extends synchronization to UDP and ICMP sessions and is not
what the question asks for.

Question 30Correct

An administrator needs to inspect all web traffic (including Internet web traffic) coming from users
connecting to the SSL-VPN. How can this be achieved?

A. Assigning public IP addresses to SSL-VPN users

B. Configuring web bookmarks

Your answer is correct

C. Disabling split tunneling

D. Using web-only mode

Overall explanation

The correct answer is:

C. Disabling split tunneling

Explanation: With split tunneling enabled, only traffic for the destinations listed in the SSL VPN policy
goes through the tunnel; everything else, including Internet browsing, leaves the client directly and never
reaches FortiGate. Disabling split tunneling pushes a default route through the tunnel to the client, so
all of its traffic arrives on the ssl.root interface and can be inspected by the security profiles on the
firewall policy. A firewall policy from ssl.root to the WAN interface with NAT enabled is also needed,
otherwise VPN users lose Internet access entirely.

Question 31Correct

Which NAT method translates the source IP address in a packet to another IP address?

A. DNAT

Your answer is correct

B. SNAT

C. VIP

D. IPPOOL

Overall explanation

The correct answer is:

B. SNAT

Explanation: SNAT (source network address translation) rewrites the source IP address of a packet,
typically translating private addresses to a public address when traffic leaves toward the Internet. On
FortiGate it is enabled per firewall policy with the NAT option, using either the outgoing interface
address or an IP pool. DNAT (destination network address translation) rewrites the destination address.
VIP and IPPOOL are the FortiGate objects that hold NAT addresses rather than NAT methods: a virtual IP
defines a DNAT mapping from an external address (and optionally port) to an internal server, and an IP pool
defines the addresses a policy uses for SNAT. A VIP also causes outbound traffic from the mapped server to
be source-translated to the VIP's external address, but the method in that case is still SNAT.

Question 32Correct

What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?

A. Both can be enabled at the same time.

B. Both support volume algorithms.

Your answer is correct

C. Both control ECMP algorithms.

D. Both use the same physical interface load balancing settings.

Overall explanation

The correct answer is:

C. Both control ECMP algorithms.

Explanation: FortiGate has two settings that choose the algorithm for distributing sessions across
equal-cost routes: v4-ecmp-mode under config system settings for plain IPv4 routing, and load-balance-mode
under config system sdwan for SD-WAN implicit rules. Both control ECMP, which is the common feature. They
are not active at the same time (once SD-WAN is enabled its setting takes over, so A is wrong), only
SD-WAN offers the measured-volume-based algorithm (B is wrong), and the per-interface load-balancing
settings are separate (D is wrong).

Question 33Correct

Refer to the exhibit.


Which statement about the configuration settings is true?

A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.

Your answer is correct

B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.

D. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same
port.

Overall explanation

B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

Explanation: The SSL VPN settings listen for HTTPS on port 443 on the interface with address 10.200.1.1,
so a browser opening https://10.200.1.1:443 receives the SSL VPN login page. A plain http:// request to that
port (A) is not an SSL VPN connection, and the administrative GUI (C) is not what answers on that interface
and port. Sharing the same port between administrative HTTPS access and SSL VPN is permitted (D is wrong);
when both use the same port, the SSL VPN portal is what is served on the interfaces where SSL VPN is
enabled.

Question 34Correct
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

Your answer is correct

A. It limits the scanning of application traffic to the browser-based technology category only.

B. It limits the scanning of application traffic to the DNS protocol only.

C. It limits the scanning of application traffic to use parent signatures only.

D. It limits the scanning of application traffic to the application category only.

Overall explanation

A. It limits the scanning of application traffic to the browser-based technology category only.

You can configure the URL Category within the same security policy; however, adding a URL filter causes
application control to scan applications in only the browser-based technology category, for example,
Facebook Messenger on the Facebook website.

Question 35Correct

Refer to the exhibits.


The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the
exhibit.
Which policy will be highlighted, based on the input criteria?

A. Policy with ID 4.

Your answer is correct

B. Policy with ID 5.

C. Policies with ID 2 and 3.

D. Policy with ID 1.

Overall explanation

Correct answer: B. Policy with ID 5.

The lookup is for traffic entering on port3 from 10.1.1.10 (the LOCAL_CLIENT address object) to
facebook.com on TCP port 443 (HTTPS). Policy Lookup walks the policy table from top to bottom and
highlights the first policy that matches every criterion; later policies are not evaluated.

Three policies use port3 as the incoming interface, and two of those use LOCAL_CLIENT as the source, which
leaves policies 1 and 5. Policy 1 allows only the ALL_UDP service, so a TCP 443 flow cannot match it.
Policy 5 uses an Internet Service as the destination; the Facebook-Web Internet Service object covers HTTP
and HTTPS (ports 80 and 443), so policy 5 is the first policy that matches the criteria and is the one
highlighted.

Question 36Correct

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added
to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)

A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same
subnet.

Your selection is correct

B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

Your selection is correct

C. The two VLAN subinterfaces must have different VLAN IDs.

D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different
subnets.

Overall explanation

B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C. The two VLAN subinterfaces must have different VLAN IDs.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883

Each interface (physical or VLAN) can belong to only one VDOM.

Normally the same VLAN ID cannot be configured twice on the same physical interface. The emac-vlan
interface type described in the note above is what lets sub-interfaces in different VDOMs share a VLAN ID
on the same physical port, which is the case option B describes; within one VDOM, the VLAN IDs on a
physical interface must be unique (option C).

https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640

* VLANs can be created on any physical or aggregate (802.3ad) interfaces

- The same VLAN number cannot be configured twice on the same physical interface

- The same VLAN number can be used on different physical interfaces

- The usable VLAN ID range is from 1 to 4094

* VDOM interface assignment

- Two VDOMs cannot share the same interface or VLAN

- A VLAN sub-interface can belong to a different VDOM than the physical interface it is attached to.

Question 37Correct

An administrator has configured a strict RPF check on FortiGate.


How does strict RPF check work?

A. Strict RPF allows packets back to sources with all active routes.

Your answer is correct

B. Strict RPF checks the best route back to the source using the incoming interface.

C. Strict RPF checks only for the existence of at least one active route back to the source using the
incoming interface.

D. Strict RPF check is run on the first sent and reply packet of any new session.

Overall explanation

Correct answer: B

B. Strict RPF checks the best route back to the source using the incoming interface.

Strict: in this mode, enabled with set strict-src-check enable under config system settings, FortiGate
also verifies that the matching route is the best route in the routing table. If the routing table contains
a route to the source address through the incoming interface, but a better route to that source (longer
prefix, or lower distance or priority) exists through another interface, the RPF check fails. In both
modes the check is performed only on the first packet of a new session, not on the reply, which is why D
is wrong.

The Strict Reverse Path Forwarding (RPF) check is a security feature that helps prevent source IP address
spoofing. When enabled, the FortiGate unit checks the source IP address of each incoming packet and
compares it to the routing table to ensure that the packet arrives on the expected interface.
Here's an explanation of the statement:

B. Strict RPF checks the best route back to the source using the incoming interface.

When the FortiGate unit receives a packet, it checks the source IP address and verifies that the packet
arrives on the expected interface based on the routing table. The "best route back to the source" refers
to the route in the routing table that would be used to send packets back to the source IP address. If the
incoming interface matches the expected interface based on the routing table, the check passes. If not,
the packet may be considered as potentially spoofed, and it might be dropped or subjected to further
security measures.

This strict RPF check helps in preventing IP address spoofing, which is a common technique used in
various network attacks.

Loose RPF checks for any route and Strict RPF check for best route
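The loose versus strict distinction is easiest to see by running both checks against the same routing table. The Python below is an added example, not from the original question set and not FortiOS code: it models a FortiGate-style route selection (longest prefix, then lowest distance, then lowest priority, with ties treated as ECMP) and implements the loose and strict reverse path checks on top of it. The routing table is constructed for the example and is not the table in the exhibit; the function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int = 10   # administrative distance, lower wins
    priority: int = 0    # FortiGate route priority, lower wins


# Constructed routing table for the example (not the exhibit's table).
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "port1"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "port2"),
    Route(ipaddress.ip_network("10.1.0.0/16"), "port3"),
    Route(ipaddress.ip_network("172.16.0.0/12"), "port4"),
    Route(ipaddress.ip_network("172.16.0.0/12"), "port5"),   # ECMP with the port4 route
]


def matching_routes(routes, src):
    """All active routes whose prefix contains the source address."""
    src = ipaddress.ip_address(src)
    return [r for r in routes if src in r.prefix]


def _rank(route):
    # Longest prefix first, then lowest distance, then lowest priority.
    return (-route.prefix.prefixlen, route.distance, route.priority)


def best_routes(routes, src):
    """The route(s) FortiGate would use to send traffic back to src.
    More than one route is returned when equal-cost routes tie (ECMP)."""
    cands = matching_routes(routes, src)
    if not cands:
        return []
    best = _rank(min(cands, key=_rank))
    return [r for r in cands if _rank(r) == best]


def rpf_loose(routes, src, in_if):
    """Loose (default) RPF: pass if ANY route back to src uses the incoming interface."""
    return any(r.interface == in_if for r in matching_routes(routes, src))


def rpf_strict(routes, src, in_if):
    """Strict RPF (strict-src-check enable): pass only if a BEST route back to
    src uses the incoming interface; a worse route via in_if is not enough."""
    return any(r.interface == in_if for r in best_routes(routes, src))


def rpf_check(routes, src, in_if, strict):
    """Verdict for the first packet of a new session: FortiGate drops the packet
    when the reverse path check fails."""
    ok = rpf_strict(routes, src, in_if) if strict else rpf_loose(routes, src, in_if)
    return "accept" if ok else "drop"


if __name__ == "__main__":
    # 10.1.2.3 arriving on port2: a route back exists via port2 (10.0.0.0/8),
    # but the best route is 10.1.0.0/16 via port3, so loose passes and strict fails.
    print("loose :", rpf_check(ROUTES, "10.1.2.3", "port2", strict=False))
    print("strict:", rpf_check(ROUTES, "10.1.2.3", "port2", strict=True))
```

The interesting case is a packet from 10.1.2.3 entering on port2: the loose check accepts it because 10.0.0.0/8 via port2 is a route back to the source, while the strict check drops it because the best route back is 10.1.0.0/16 via port3. For 172.16.5.5 arriving on either port4 or port5 both checks pass, since the two /12 routes are equal-cost and each is a best route.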

Question 38Correct

An administrator has configured the following settings:

1. config system settings

2. set ses-denied-traffic enable

3. end

4. config system global

5. set block-session-timer 30

6. end

What are the two results of this configuration? (Choose two.)

A. Device detection on all interfaces is enforced for 30 seconds.

B. Denied users are blocked for 30 seconds.

Your selection is correct

C. The number of logs generated by denied traffic is reduced.

Your selection is correct

D. A session for denied traffic is created.

Overall explanation

Correct answer: CD

The timer is configured in seconds.

ses-denied-traffic: enable or disable including denied sessions in the session table.

block-session-timer: duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).

C. The number of logs generated by denied traffic is reduced.

D. A session for denied traffic is created.

During the session, if a security profile detects a violation, FortiGate records the attack log immediately.
To reduce the number of log messages generated and improve performance, you can enable a session
table entry of dropped traffic. This creates the denied session in the session table and, if the session is
denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a
policy lookup for each new packet matching the denied session, which reduces CPU usage and log
generation. This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for
block sessions. This determines how long a session will be kept in the session table and is set with
block-session-timer in the CLI. By default, it is set to 30 seconds.

Reference and download study guide:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-
into-the/ta-p/195478

Question 39Correct

Which of the following is a key advantage of configuring an SD-WAN on a FortiGate device?

A. It simplifies the configuration of SSL VPNs across the network.

Your answer is correct

B. It allows traffic to be routed dynamically based on the most effective WAN link, enhancing
performance and reliability.

C. It enables the automatic configuration of firewall policies across multiple FortiGates.

D. It allows for the implementation of a full mesh IPsec VPN topology without additional
configurations.

Overall explanation

B. It allows traffic to be routed dynamically based on the most effective WAN link, enhancing
performance and reliability.

Explanation:

Configuring SD-WAN on a FortiGate device allows for dynamic routing of traffic based on the most
effective WAN link, improving network performance and reliability. This helps in load balancing and
ensuring optimal use of available WAN resources, which is critical in maintaining a stable and efficient
network. The other options do not accurately describe the primary benefit of SD-WAN in this context.

Question 40Correct

Refer to the exhibits.


An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security
fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

A. Change the csf setting on ISFW (downstream) to set configuration-sync local.

B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

Your answer is correct

C. Change the csf setting on both devices to set downstream-access enable.

D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Overall explanation

Correct answer: C

C is correct because D is already set to default (Global CMDB objects will be synchronized in Security
Fabric.)

The root device has downstream access disabled, so it needs to be enabled to sync the object.

downstream-access - Enable/disable downstream device access to this device's configuration and data.

disable - Disable downstream device access to this device's configuration and data.

The CLI command "set fabric-object-unification" is only available on the root FortiGate.

Question 41Correct

Refer to the exhibits.


Exhibit A shows system performance output.

Exhibit B shows a FortiGate configured with the default configuration of high memory usage
thresholds.
Based on the system performance output, which two results are correct? (Choose two.)

A. FortiGate will start sending all files to FortiSandbox for inspection.

Your selection is correct

B. FortiGate has entered conserve mode.

Your selection is correct

C. Administrators cannot change the configuration.

D. Administrators can access FortiGate only through the console port.

Overall explanation

Correct answer: BC

What actions does FortiGate take to preserve memory while in conserve mode?

• FortiGate does not accept configuration changes, because they might increase memory usage.

• FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.

• You can configure the fail-open setting under config ips global to control how the IPS engine behaves
when the IPS socket buffer is full.

Based on the system performance output, it appears that FortiGate has entered conserve mode and
administrators cannot change the configuration.

FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational
capacity in order to conserve resources and improve performance. This may be necessary if the system is
experiencing high levels of traffic or if there are issues with resource utilization.

Administrators cannot change the configuration: When the system is in conserve mode, administrators
may not be able to change the configuration. This is because the system is prioritizing resource
conservation over other activities, and making changes to the configuration may require additional
resources that are not available.
It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and
administrators may still be able to access FortiGate through other means besides the console port.

"If memory usage goes above the percentage of total RAM defined as the red threshold, FortiGate enters
conserve mode."

"FortiGate does not accept configuration changes, because they might increase memory usage."

Reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/
198580

Question 42Correct

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

Your selection is correct

A. The debug flow is for ICMP traffic.

B. The default route is required to receive a reply.

Your selection is correct

C. A new traffic session was created.

D. A firewall policy allowed the connection.

Overall explanation

Correct answer: AC

The debug flow output shows proto=1, and IANA protocol number 1 is ICMP, so the trace is for ICMP traffic.
It also contains the line reporting that a new session was allocated, so a new traffic session was
created.


Reference:

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Question 43Correct

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in
both sites has been configured as Static IP Address. For site A, the local quick mode selector is
192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

Your answer is correct

A. 192.168.2.0/24

B. 192.168.0.0/8

C. 192.168.1.0/24

D. 192.168.3.0/24

Overall explanation

Correct answer: A

A. 192.168.2.0/24

Quick mode (phase 2) selectors must mirror each other on the two peers: the remote selector of site A is
the local selector of site B, and vice versa. Site A has local 192.168.1.0/24 and remote 192.168.2.0/24,
so site B must be configured with local 192.168.2.0/24 and remote 192.168.1.0/24. The tunnel then carries
traffic between the 192.168.1.0/24 subnet at site A and the 192.168.2.0/24 subnet at site B.

If the selectors do not match, phase 1 can still come up but phase 2 negotiation fails, and no traffic
passes. Option B is not even a valid way to write the private range (192.168.0.0/16 would be), and a
broader selector would not match what site A proposes in any case.

Question 44Correct
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose
two.)

A. The client FortiGate requires a manually added route to remote subnets.

B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

Your selection is correct

C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Your selection is correct

D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

Overall explanation

Correct answer: CD

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.

The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA
that signed the certificate.

C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate:

 When setting up SSL VPN between two FortiGate devices, the server FortiGate needs a CA
(Certificate Authority) certificate to verify the client FortiGate's certificate. This ensures that the
client connecting to the VPN is authenticated and trusted.

D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN:

 For the SSL VPN to function, the client FortiGate needs to have the SSL VPN tunnel interface type
configured. This interface type is specifically designed for SSL VPN connections, allowing the
client FortiGate to establish the VPN tunnel with the server FortiGate.

These two settings together ensure that the SSL VPN connection between the two FortiGate devices is
properly authenticated and established, allowing secure communication between them.

Question 45Correct

Which statement correctly describes the use of reliable logging on FortiGate?

A. Reliable logging is enabled by default in all configuration scenarios.

B. Reliable logging is required to encrypt the transmission of logs.

C. Reliable logging can be configured only using the CLI.

Your answer is correct

D. Reliable logging prevents the loss of logs when the local disk is full.
Overall explanation

Correct answer: D. Reliable logging prevents the loss of logs when the local disk is full.

Reliable logging applies when FortiGate sends logs to a remote destination such as FortiAnalyzer or a
syslog server with reliable mode enabled. Instead of fire-and-forget UDP, logs are sent over TCP and kept
in a memory queue until the server acknowledges them; if the connection drops, FortiGate resends the
unacknowledged logs once it recovers. In the exam's wording, this is the mechanism that prevents the loss
of logs, which makes D the intended answer.

Reliable logging is not enabled by default in all scenarios, it does not by itself encrypt the log stream
(encryption is a separate setting), and it can be configured from the GUI or the CLI. It is worth enabling
wherever logs are the evidence you will rely on for troubleshooting and incident investigation.

Reliable logging on FortiGate is used to prevent the loss of logs when the connection between FortiOS
and FortiAnalyzer is disrupted. When reliable mode is enabled, logs are cached in a FortiOS memory
queue. FortiOS sends logs to FortiAnalyzer, and FortiAnalyzer uses seq_no to track received logs.

The other statements are incorrect:

Reliable logging is not enabled by default in all configuration scenarios. It must be enabled explicitly.

Reliable logging is not required to encrypt the transmission of logs. Encryption can be configured
separately.

Reliable logging can be configured using the CLI or the FortiGate web interface.

The question asks what describes the correct use of reliable logging, meaning its main function. That
function is preventing the loss of logs, including when they cannot be kept locally because the disk is
full, by delivering them reliably to the log server, which makes D the correct answer.

You can encrypt logs sent to the cloud or to FortiAnalyzer, but the main purpose of reliable logging is to
make sure that every log you send is received by the server. Encryption is possible but not required, so
the most specific option is D.

Question 46Correct
Refer to the exhibits.
The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration
information.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation
with the IP address 10.0.1.10?

A. 10.200.1.1

B. 10.0.1.254

C. 10.200.1.10

Your answer is correct

D. 10.200.1.100

Overall explanation

Correct answer: D

From LAN to WAN, the Source NAT will use the IPPOOL with address configured 10.200.1.100

Destination NAT, from WAN to LAN, will use the VIP

The question asks about SNAT, so the only correct answer (looking at the IP pool) is D.

Step 2 of FortiGate's SNAT address selection: when a firewall policy with NAT enabled matches egress
traffic whose source is the mapped address of a VIP, FortiGate uses the external IP address of the VIP as
the NAT address. An IP pool on the policy overrides that behaviour, which is what happens here: the first
policy has NAT enabled with the IP pool, so 10.200.1.100 is used rather than the VIP's external address or
the port1 interface address.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529

Question 47Correct

Refer to the exhibit.


The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and
VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet,
the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture
incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator
make to fix the connectivity issue?

A. Configure a loopback interface with address 203.0.113.2/32.

Your answer is correct

B. In the VIP configuration, enable arp-reply.

C. Enable port forwarding on the server to map the external service port to the internal service port.

D. In the firewall policy configuration, enable match-vip.

Overall explanation

Correct answer: B

In the routing table of the ISP router, the route is C (connected), which means that if the ISP router gets no
ARP reply for 203.0.113.2, it drops the traffic. This is why no packets appear in the FortiGate sniffer.

The external interface address is different from the external address configured in the VIP. This is not a
problem as long as the upstream network has its routing properly set. You can also enable ARP reply on
the VIP (enabled by default, disabled here) to facilitate routing on the upstream network.

Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent
devices contain the correct next hop information, so the networks are reachable. However, sometimes
the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you.
For this reason, it’s a best practice to keep ARP reply enabled.
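The IP pool override from question 46 and the arp-reply setting from question 47, shown as one FortiOS CLI configuration. This is an added example, not from the exam page or Fortinet documentation; the VIP addresses, object names and policy ID are assumed, while the interface and pool addresses are the ones question 46 gives.

```fortios
# Added example (not from the exam page or Fortinet docs). Addresses come from
# question 46: port1 WAN 10.200.1.1/24, port3 LAN 10.0.1.254/24, IP pool
# 10.200.1.100. VIP addresses, object names and the policy ID are assumed.

# VIP referenced by the inbound (WAN to LAN) policy. arp-reply is the fix in
# question 47: with it disabled, an upstream router that treats the public
# subnet as directly connected gets no ARP answer for the VIP address and
# drops the packets before they reach FortiGate, so the sniffer shows nothing.
config firewall vip
    edit "vip-webserver"
        set extintf "port1"
        set extip 10.200.1.10        # assumed VIP external address
        set mappedip "10.0.1.10"     # assumed internal host behind the VIP
        set arp-reply enable
    next
end

# IP pool for outbound SNAT: a single address, so every LAN host is
# translated to 10.200.1.100 (overload, port address translation).
config firewall ippool
    edit "pool-outbound"
        set type overload
        set startip 10.200.1.100
        set endip 10.200.1.100
    next
end

# LAN to WAN policy (the first policy in question 46). Because ippool is
# enabled, the pool address overrides the VIP external IP that FortiGate
# would otherwise use to SNAT traffic sourced from the mapped IP (step 2
# above), so 10.0.1.10 leaves as 10.200.1.100. The WAN to LAN policy with the
# VIP as destination address is omitted.
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-outbound"
    next
end
```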

Question 48Correct

Which two statements are true about the FGCP protocol? (Choose two.)

Your selection is correct

A. FGCP elects the primary FortiGate device.

B. FGCP is not used when FortiGate is in transparent mode.

Your selection is correct

C. FGCP runs only over the heartbeat links.

D. FGCP is used to discover FortiGate devices in different HA groups.

Overall explanation

Correct answer: AC

A. FGCP elects the primary FortiGate device.

C. FGCP runs only over the heartbeat links.

The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA)
clusters of FortiGate devices. It performs several functions, including the following:

FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate
device will be the primary device, responsible for handling traffic and making decisions about what to
allow or block. FGCP uses a variety of factors, such as the device's priority, to determine which device
should be the primary.

FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA
cluster using the heartbeat links. These are dedicated links that are used to exchange status and control
information between the devices. FGCP does not run over other types of links, such as data links.

FortiGate HA uses the Fortinet-proprietary FortiGate Clustering Protocol (FGCP) to discover members,
elect the primary FortiGate, synchronize data among members, and monitor the health of members.

To discover and monitor members, the members broadcast heartbeat packets over all configured
heartbeat interfaces.
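A minimal active-passive FGCP cluster definition, added here as an example (not from the exam page or Fortinet documentation); the group name, password, priority and interface names are assumed.

```fortios
# Added example (not from the exam page or Fortinet docs). Group name,
# password, priority and interface names are assumed; port4 and port5 are
# the dedicated heartbeat links.
config system ha
    set group-name "fgt-cluster"
    set mode a-p
    set password "ChangeMe-HA-secret"   # assumed; must match on every member
    # FGCP runs only over these heartbeat interfaces. The number is the
    # heartbeat interface priority; the higher-priority link is preferred.
    set hbdev "port4" 50 "port5" 100
    # Election input: with override enabled, the member with the highest
    # priority becomes primary when it joins or recovers.
    set priority 200
    set override enable
    # Monitored data interfaces: link loss on one triggers a failover.
    set monitor "port1" "port3"
    set session-pickup enable
end
```

The same `config system ha` block, with a lower `priority`, goes on the second member so that the two units elect the same primary.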

Question 49Correct

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec
VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel
must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a
dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the
requirements? (Choose two.)

A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the
static route for the secondary tunnel.

Your selection is correct

B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the
static route for the secondary tunnel.

C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Your selection is correct

D. Enable Dead Peer Detection.

Overall explanation

Correct answer: BD

To set up redundant IPsec VPN tunnels on FortiGate and meet the specified requirements, the
administrator should make the following key configuration changes:

1. B. Configure a lower distance on the static route for the primary tunnel, and a higher distance
on the static route for the secondary tunnel.

   - By configuring a lower administrative distance for the static route of the primary tunnel,
the FortiGate will prefer this route when both tunnels are up. If the primary tunnel goes
down, the higher administrative distance on the static route for the secondary tunnel
will cause the FortiGate to use the secondary tunnel.

2. D. Enable Dead Peer Detection.

   - Dead Peer Detection (DPD) should be enabled to detect the status of the VPN tunnels. If
the FortiGate detects that the primary tunnel is no longer responsive (dead), it can
trigger the failover to the secondary tunnel, ensuring a faster tunnel failover.

So, the correct choices are B and D.
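The two changes from answers B and D as FortiOS CLI, added here as an example (not from the exam page or Fortinet documentation); tunnel names, peer addresses, pre-shared keys, the remote subnet and the DPD timers are assumed.

```fortios
# Added example (not from the exam page or Fortinet docs). Tunnel names, peer
# addresses, pre-shared keys, the remote subnet and the DPD timers are assumed;
# the phase 2 selectors each tunnel also needs are omitted for brevity.
config vpn ipsec phase1-interface
    edit "vpn-primary"
        set interface "port1"
        set remote-gw 198.51.100.1          # assumed primary peer
        set psksecret "ChangeMe-primary"    # assumed
        set proposal aes256-sha256
        # DPD probes the peer even when the tunnel is idle, so a dead primary
        # is noticed after roughly retryinterval x retrycount seconds (15 s).
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
    edit "vpn-secondary"
        set interface "port1"
        set remote-gw 198.51.100.2          # assumed secondary peer
        set psksecret "ChangeMe-secondary"  # assumed
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end

# Two static routes to the same remote subnet. The lower distance (primary)
# is the only one installed while both tunnels are up. When DPD brings the
# primary tunnel interface down, its route is withdrawn and the distance-20
# route through the secondary becomes active.
config router static
    edit 1
        set dst 192.168.50.0 255.255.255.0   # assumed remote subnet
        set device "vpn-primary"
        set distance 10
    next
    edit 2
        set dst 192.168.50.0 255.255.255.0
        set device "vpn-secondary"
        set distance 20
    next
end
```

`get router info routing-table all` shows only the distance-10 route while the primary is up, and the distance-20 route once the primary tunnel has been declared dead.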

Question 50Correct

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

Your selection is correct

A. FortiGate uses fewer resources.

B. FortiGate performs a more exhaustive inspection on traffic.

Your selection is correct

C. FortiGate adds less latency to traffic.

D. FortiGate allocates two sessions per connection.

Overall explanation

Correct answer: AC

A. FortiGate uses fewer resources.

C. FortiGate adds less latency to traffic.

Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including
FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive than
proxy-based inspection, and it offers several benefits over this approach.

Two benefits of flow-based inspection compared to proxy-based inspection are:

FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based
inspection, which can help to improve the performance of the firewall device and reduce the impact on
overall system performance.

FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based
inspection, which can be important for real-time applications or other types of traffic that require low
latency.

A. Fewer resources, since it does not need to keep much in memory.

C. Flow-based inspection samples the traffic as it passes and only makes the allow or deny decision on the
last packet, so the client does not have to wait for FortiGate to scan the bulk of the packets.
