FCP FGT

The document consists of a series of questions and answers related to FortiGate configurations and policies, covering topics such as timeout settings, NAT policies, sniffer commands, web proxy traffic, and security posture scorecards. Key correct answers include the use of 'hard-timeout' for user session management, specific NAT IP addresses for traffic, and the importance of SSL inspection and security policies in NGFW. Additional focus is given to understanding virtual IP addresses in HA clusters and the implications of using different polling modes for user logins.

Question 1

An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer
should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

A. auth-on-demand

B. soft-timeout

C. idle-timeout

D. new-session

Correct answer

E. hard-timeout

Overall explanation

Correct answer: E

For the described scenario, where the administrator wants the timer to start as soon as the user
authenticates and expire after the configured value, the appropriate timeout option to configure on
FortiGate is:

E. hard-timeout

The "hard-timeout" option sets the maximum time a user is allowed to remain logged in. The timer
starts as soon as the user authenticates, and the session expires after the configured time, regardless of
the user's activity or behavior.

Hard: time is an absolute value. Regardless of the user’s behavior, the timer starts as soon as the user
authenticates and expires after the configured value.

Question 2

Refer to the exhibit.


The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the
IP address of Remote-FortiGate (10.200.3.1)?

A. 10.200.1.149

B. 10.200.1.1

C. 10.200.1.49

Correct answer

D. 10.200.1.99

Overall explanation

Correct answer: D

It's D because of the protocol number.

Ping uses ICMP, whose IP protocol number is 1.

=> Central SNAT policy ID 1 (the policy matching protocol 1) is the one that is applied.

=> Its translated address is the IP pool "SNAT-Remote1", which is 10.200.1.99.

Question 3

An administrator is running the following sniffer command:


diagnose sniffer packet any "host 10.0.2.10" 3
What information will be included in the sniffer output? (Choose three.)

Correct selection

A. IP header

Correct selection

B. Ethernet header

Correct selection

C. Packet payload

D. Application header

E. Interface name

Overall explanation

Correct answer: ABC

The answer depends on the verbosity level. For verbosity level 3, as used in this question, the answer is ABC.
C (packet payload) is included because level 3 prints the data as well as the headers:

Verbose levels in detail:

1: print header of packets.

2: print header and data from IP of packets.

3: print header and data from Ethernet of packets.

4: print header of packets with interface name.

5: print header and data from IP of packets with interface name.

6: print header and data from Ethernet of packets with interface name.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=11186

Question 4

Refer to the exhibit.


The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication
scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with
a form-based authentication scheme for the FortiGate local user database. Users will be prompted for
authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source
IP 10.0.1.10 to the destination http://www.fortinet.com? (Choose three.)

A. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.
Correct selection

B. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

Correct selection

C. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

Correct selection

D. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be
allowed.

E. If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

Overall explanation

Correct answer: BCD

- Browser CAT2 & Local subnet & User-B --> deny

- Browser CAT1 & Local subnet & all users --> accept

According to the exhibit above, only users on Chrome and IE are allowed.

Chrome and IE use the same system proxy setting. The proxy rule accepts all users with these two
browsers.

C: hits the 3rd rule.

Question 5

Refer to the exhibit.

The exhibit shows a FortiGate configuration.


How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires
authorization?

A. It always authorizes the traffic without requiring authentication.

B. It drops the traffic

C. It authenticates the traffic using the authentication scheme SCHEME2.


Correct answer

D. It authenticates the traffic using the authentication scheme SCHEME1.

Overall explanation

Correct answer: D. It authenticates the traffic using the authentication scheme SCHEME1.

What happens to traffic that requires authorization but does not match any authentication rule? The
active and passive SSO schemes to use in those cases are defined under config authentication setting.

Question 6

Which two policies must be configured to allow traffic on a policy-based next-generation firewall
(NGFW) FortiGate? (Choose two.)

A. Firewall policy

B. Policy rule

Correct selection

C. Security policy

Correct selection

D. SSL inspection and authentication policy

Overall explanation

Correct answer: CD

In NGFW policy-based mode, you must configure a few policies to allow traffic:

SSL Inspection & Authentication policy, and Security policy.

Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic
from a specific user or user group, both Security and SSL Inspection & Authentication policies must be
configured.

If you are using Policy Based Mode, SSL Inspection & Authentication (consolidated) and Security Policy
are required to allow traffic.

Question 7

Which Security rating scorecard helps identify configuration weakness and best practice violations in
your network?

A. Fabric Coverage

B. Automated Response
Correct answer

C. Security Posture

D. Optimization

Overall explanation

Correct answer: C. Security Posture

The description of the three major scorecards is shown under Security Fabric > Security Rating > Security Posture.

Security Posture

Identify configuration weaknesses and best practice violations in your deployment.

Fabric Coverage

Identify in your overall network, where Security Fabric can enhance visibility and control.

Optimization

Optimize your fabric deployment.

The Security Posture scorecard is designed to identify configuration weaknesses and best practice
violations in a network. It assesses the overall security stance of an organization's network infrastructure
by evaluating how well it adheres to established security practices and configurations.

When using the Security Posture scorecard, the goal is to identify areas where the network configuration
may be vulnerable or where best practices are not being followed. It helps organizations assess and
improve their security posture by highlighting potential weaknesses and areas that require attention.

In contrast, the other options:

A. Fabric Coverage: Typically relates to the extent of coverage provided by a security fabric across an
organization's network.

B. Automated Response: Focuses on the ability of the security system to automatically respond to
security events or incidents.

D. Optimization: Generally refers to the efficiency and effectiveness of security measures in place.

Therefore, for identifying configuration weaknesses and best practice violations, the Security Posture
scorecard is the most relevant option.

Reference:

https://www.fortinet.com/content/dam/fortinet/assets/support/fortinet-recommended-security-best-
practices.pdf

Question 8
Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Correct selection

A. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Correct selection

B. Virtual IP addresses are used to distinguish between cluster members.

C. Heartbeat interfaces have virtual IP addresses that are manually assigned.

D. The primary device in the cluster is always assigned IP address 169.254.0.1.

Overall explanation

Correct answer: AB

A. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster:

When a FortiGate device joins or leaves the High Availability (HA) cluster, there can be a change in the
virtual IP address. The virtual IP address is typically associated with the primary unit in the cluster, and if
there's a change in the cluster composition, the virtual IP may be reassigned to the new primary unit.

B. Virtual IP addresses are used to distinguish between cluster members:

Virtual IP addresses are indeed used to distinguish between cluster members. In an HA cluster, there is a
virtual IP address that is associated with the primary unit. This virtual IP address serves as the gateway
for devices on the network, and it helps ensure seamless failover in the event of a primary unit failure.

The other statements (C and D) are not accurate:

C. Heartbeat interfaces have virtual IP addresses that are manually assigned:

This statement is not correct. Heartbeat interfaces are used for communication between cluster
members to monitor each other's status. Virtual IP addresses are typically associated with the cluster
and are automatically assigned or reassigned based on the cluster configuration.

D. The primary device in the cluster is always assigned IP address 169.254.0.1:

This statement is not correct. The primary device in the cluster is assigned the virtual IP address
associated with the cluster. The IP address 169.254.0.1 is typically reserved for certain link-local purposes
and is not a standard IP address for the primary device in an HA cluster.

The correct statements regarding FortiGate HA cluster virtual IP addresses are:

A. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

B. Virtual IP addresses are used to distinguish between cluster members.


Extra Explanation:

A. When a FortiGate device joins or leaves the cluster, the virtual IP address associated with the cluster
may change. The virtual IP address is assigned to the primary device in the cluster, and if that device
fails, the virtual IP address will failover to the secondary device.

B. Virtual IP addresses are used to distinguish between cluster members. Each device in the cluster has a
unique physical IP address, but they share a virtual IP address that is used by clients to communicate
with the cluster as a whole. The virtual IP address is used to identify the cluster, and clients use it to
connect to the cluster rather than connecting to a specific device.

A change in the heartbeat IP addresses might happen when a FortiGate device joins or leaves the
cluster. In those cases, the cluster renegotiates the heartbeat IP address assignment, this time taking
into account the serial number of any new device, or removing the serial number of any device that left
the cluster. The cluster uses these virtual IP addresses to distinguish the cluster members.

Question 9

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP request?

A. remote user's public IP address

B. The public IP address of the FortiGate device.

C. The remote user's virtual IP address.

Correct answer

D. The internal IP address of the FortiGate device.

Overall explanation

Correct answer: D. The internal IP address of the FortiGate device.

The SSL VPN portal enables remote users to access internal network resources through a secure channel
using a web browser. In the portal, bookmarks are used as links to internal network resources.

The source IP seen by the remote resources is FortiGate's internal IP address, not the user's IP address.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36530

Question 10

How do you format the FortiGate flash disk?

A. Load the hardware test (HQIP) image.


Correct answer

B. Select the format boot device option from the BIOS menu.

C. Load a debug FortiOS image.

D. Execute the CLI command execute formatlogdisk.

Overall explanation

Correct answer: B. Select the format boot device option from the BIOS menu.

Selecting the format boot device option from the BIOS menu allows you to format the FortiGate flash
disk. This option is typically used when you need to reformat the flash disk to resolve issues or prepare it
for a fresh installation of the operating system. However, it's important to note that formatting the flash
disk will erase all data on it, so it should be done carefully.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46582

https://kb.fortinet.com/kb/viewContent.do?externalId=10338

Question 11

When configuring a firewall virtual wire pair policy, which following statement is true?

A. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

B. Only a single virtual wire pair can be included in each policy.

Correct answer

C. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic
direction settings.

D. Exactly two virtual wire pairs need to be included in each policy.

Overall explanation

Correct answer: C. Any number of virtual wire pairs can be included in each policy, regardless of the
policy traffic direction settings.

Firewall virtual wire pair policies can include more than a single virtual wire pair. This capability can
streamline the policy management process by eliminating the need to create multiple, similar policies
for each virtual wire pair. When creating or modifying a policy, you can select the traffic direction for
each VWP included in the policy.

Note: We tested creating a policy. We can use any number of virtual wire pairs. We can select 3 options
for traffic direction: in/out/both.
Question 12

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A. NetAPI polling can increase bandwidth usage in large networks.

Correct answer

B. The NetSessionEnum function is used to track user logouts.

C. The collector agent must search security event logs.

D. The collector agent uses a Windows API to query DCs for user logins.

Overall explanation

Correct answer: B. The NetSessionEnum function is used to track user logouts.

Study Guide – FSSO – FSSO with Windows Active Directory – Collector Agent-Based Polling Mode
Options.

Collector agent-based polling mode has three methods (or options) for collecting logon info: NetAPI,
WinSecLog and WMI.

NetAPI: polls temporary sessions created on the DC when a user logs on or logs off and calls the
NetSessionEnum function on Windows. It's faster than the WinSecLog and WMI methods; however, it can
miss some logon events if a DC is under heavy system load. This is because sessions can be quickly
created and purged from RAM before the agent has a chance to poll and notify FortiGate.

Incorrect:

A. NetAPI polling can increase bandwidth usage in large networks. (WinSecLog)

C. The collector agent must search security event logs. (WinSecLog)

D. The collector agent uses a Windows API to query DCs for user logins. (WMI)

- WinSecLog: polls all the security event logs from the DC. It doesn't miss any login events that have been
recorded by the DC because events are not normally deleted from the logs. There can be some delay in
FortiGate receiving events if the network is large and, therefore, writing to the logs is slow. It also
requires that the audit success of specific event IDs is recorded in the Windows security logs. For a full
list of supported event IDs, visit the Fortinet Knowledge Base (http://kb.fortinet.com).

Question 13

An administrator has configured outgoing interface any in a firewall policy.


Which statement is true about the policy list view?

Correct answer

A. Interface Pair view will be disabled.

B. Search option will be disabled.

C. Policy lookup will be disabled.

D. By Sequence view will be disabled.

Overall explanation

Correct answer: A. Interface Pair view will be disabled.

Study Guide – FW Policies – Managing FW Policies – Policy List – Interface Pair View and By Sequence.

FW policies appear in an organized list. The list is organized either in Interface Pair View or By Sequence.

Usually, the list will appear in Interface Pair View. Each section contains policies for that ingress-egress
pair. Alternatively, you can view your policies as a single, comprehensive list by selecting By Sequence at
the top of the page.

In some cases, you won’t have a choice of which view is used.

If you use multiple source or destination interfaces, or the any interface, in a FW policy, policies cannot
be separated into sections by interface pairs – some would be triplets or more. So instead, policies are
then always displayed in a single list (By Sequence).

Interface Pair view will be disabled.

Question 14

An administrator must disable RPF check to investigate an issue.


Which method is best suited to disable RPF without affecting features like antivirus and intrusion
prevention system?
A. Enable asymmetric routing, so the RPF check will be bypassed.

Correct answer

B. Disable the RPF check at the FortiGate interface level for the source check.

C. Disable the RPF check at the FortiGate interface level for the reply check.

D. Enable asymmetric routing at the interface level.

Overall explanation

Correct answer: B

"B" is the answer; be careful, the questions are very tricky. The NSE study guide describes two ways to
disable RPF: 1. Enable asymmetric routing, which disables RPF checking system-wide (not at the interface
level; this is done through the CLI command config system settings). 2. Disable RPF checking at the
interface level (the only way to do it at the interface level is through the CLI). A is incorrect: if you
enable asymmetric routing, RPF is not bypassed, it is disabled. B is correct: you have to disable the RPF
check at the interface level, for the source check. C is incorrect: the check is the source check. D is
incorrect: asymmetric routing is not enabled at the interface level.

RPF checking can be disabled in two ways. If you enable asymmetric routing, it disables RPF checking
system-wide. However, this greatly reduces the security of your network: features such as antivirus and
IPS become ineffective. So, if you need to disable RPF checking, you can do so at the interface level
using the command:

config system interface

edit <interface>

set src-check [enable | disable]

end

Question 15

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Correct answer

A. Intrusion prevention system engine

B. Detection engine

C. Flow engine

D. Antivirus engine

Overall explanation

Correct Answer: A. Intrusion prevention system engine


IPS Engine is used by Application Control, AV, Web filter and Email filter.

Application control can be configured in proxy-based and flow-based firewall policies. However, because
application control uses the IPS engine, which uses flow-based inspection, inspection is always flow-
based.

It uses an IPS engine to analyze network traffic and detect application traffic, even if the application is
using standard or non-standard protocols and ports.

Question 16

A team manager has decided that, while some members of the team need access to a particular
website, the majority of the team does not. Which configuration option is the most effective way to
support this request?

A. Implement web filter quotas for the specified website

B. Implement a DNS filter for the specified website.

C. Implement a web filter category override for the specified website

Correct answer

D. Implement web filter authentication for the specified website.

Overall explanation

Correct answer: D. Implement web filter authentication for the specified website.

Only some members can be authenticated by providing their credentials.

- DNS filter & Web Filter Category Override = nobody can reach the site

- Web Filter Quotas = everybody can reach it

A could be a solution if you set custom categories and specify a web filter for the group with access, but B
is the most effective and simple solution.

Since both C and D are working options, answer C needs one more web filter profile: the one that will
allow access to the category in which the website's domain name resides. In both cases a custom category is
needed, plus a rating override, which will assign the website to that category. The question is "Which
configuration option is the most effective way to support this request"; in that case the answer is D.

Question 17

Which three options are the remote log storage options you can configure on FortiGate? (Choose
three.)

A. FortiSandbox
Correct selection

B. FortiCloud

Correct selection

C. FortiSIEM

D. FortiCache

Correct selection

E. FortiAnalyzer

Overall explanation

Answer: BCE

B. FortiCloud

C. FortiSIEM

E. FortiAnalyzer

You can configure FortiGate to store logs on syslog servers, FortiCloud, FortiSIEM, FortiAnalyzer, or
FortiManager. These logging devices can also be used as a backup solution. Whenever possible, it is
preferred to store logs externally.

Question 18

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

Correct selection

A. Browsers can be configured to retrieve this PAC file from the FortiGate.
B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.

C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet have to go through
altproxy.corp.com:8060.

Correct selection

D. Any web request fortinet.com is allowed to bypass the proxy.

Overall explanation

Correct answer: AD

The DIRECT keyword bypasses the proxy and is standard in PAC files. Browsers can download the
PAC file from any server, including the FortiGate.

Question 19

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy.
Instead of separate policies.

Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose
three.)

A. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources
and destinations.

B. The IP version of the sources and destinations in a firewall policy must be different.

Correct selection

C. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both
IPv4 and IPv6.

Correct selection

D. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and
destinations.

Correct selection

E. The IP version of the sources and destinations in a policy must match.

Overall explanation

Correct answer: CDE

C. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4
and IPv6.

- This statement is true. In a consolidated IPv4 and IPv6 policy, these fields can be shared, making
it more efficient to manage and configure policies.

D. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and
destinations.

- This statement is true. In consolidated firewall policies, the policy table in the graphical user
interface (GUI) is consolidated to display policies with both IPv4 and IPv6 sources and
destinations.

E. The IP version of the sources and destinations in a policy must match.

- This statement is true. While certain fields can be shared, the IP version of the sources and
destinations in a policy must match. If it's an IPv4 policy, the sources and destinations must be
IPv4, and if it's an IPv6 policy, the sources and destinations must be IPv6.

So, statements C, D, and E are correct.

Question 20

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Correct answer

A. SSL VPN idle-timeout

B. SSL VPN http-request-body-timeout

C. SSL VPN login-timeout

D. SSL VPN dtls-hello-timeout

Overall explanation

Correct answer: A. SSL VPN idle-timeout

The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is
terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or
disconnects from the network), the session timer begins to count down. If the timer reaches the idle-
timeout value before the user reconnects or sends any new traffic, the session will be terminated and
the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.

Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this
timeout using the Idle Logout setting on the GUI.

Question 21

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate
management IP addresses?

A. Forward traffic logs

Correct answer

B. Local traffic logs


C. Security logs

D. System event logs

Overall explanation

Correct answer: B. Local traffic logs

Local traffic logs contain information about traffic directly to and from the FortiGate management IP
addresses. They also include connections to the GUI and FortiGuard queries.

Question 22

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the
physical layer nor the link layer? (Choose three.)

A. diagnose sys top

Correct selection

B. execute ping

Correct selection

C. execute traceroute

Correct selection

D. diagnose sniffer packet any

E. get system arp

Overall explanation

Correct answer: BCD

"dia sys top" is not for troubleshooting Layer 3 issues; it is for troubleshooting CPU and memory issues.

diagnose sys top - list of processes with most CPU

get system arp - show interface, IP, MAC (physical layer)

"If you suspect that there is an IP address conflict.....you may need to look at the ARP table" - get system
arp (ans. E), and two other answers, B and C - execute ping, execute traceroute.

B. execute ping: The ping command is a fundamental tool for checking the connectivity between two
devices. It sends ICMP Echo Request packets to the destination and waits for ICMP Echo Reply packets.
This can help you verify if there is connectivity at the IP layer.
C. execute traceroute: The traceroute command allows you to trace the route that packets take from the
source to the destination. It shows the IP addresses of routers in the path and can help identify where a
packet might be dropping or encountering issues.

D. diagnose sniffer packet any: The diagnose sniffer packet any command is used to capture and
analyze packets on the FortiGate device. This can be helpful in inspecting the actual packets flowing
through the device, allowing you to identify any anomalies or potential issues at the packet level.

These commands are valuable for troubleshooting Layer 3 issues and gaining insights into the network
behavior at the IP layer.

Question 23

An administrator has a requirement to keep an application session from timing out on port 80. What
two changes can the administrator make to resolve the issue without affecting any existing services
running through FortiGate? (Choose two.)

Correct selection

A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

Correct selection

B. Create a new service object for HTTP service and set the session TTL to never

C. Set the TTL value to never under config system-ttl

D. Set the session TTL on the HTTP policy to maximum

Overall explanation

The correct answers are:

A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

B. Create a new service object for HTTP service and set the session TTL to never.

Explanation:

A. By creating a new firewall policy with the new HTTP service and placing it above the existing HTTP
policy, the administrator can ensure that this policy takes precedence and keeps the application session
from timing out on port 80.

B. Creating a new service object for HTTP service and setting the session TTL to never ensures that the
application session on port 80 does not time out.

The key phrase is: without affecting any existing services.

So, define a new service object on TCP port 80 with the session TTL set to never expire, then create a new
firewall policy using it and place it above the existing HTTP policy.
Reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Session-timeout-settings/ta-p/191228

Question 24

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Correct selection

A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B. ADVPN is only supported with IKEv2.

Correct selection

C. Tunnels are negotiated dynamically between spokes.

D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2
proposals are defined in advance.

Overall explanation

Correct answer: AC

A. "It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes."

 ADVPN relies on a dynamic routing protocol (BGP is the usual choice; OSPF also works) running over the hub-and-spoke tunnels so that each spoke learns which networks sit behind the other spokes. Without those routes a spoke never has a reason to request a shortcut to another spoke.

C. "Tunnels are negotiated dynamically between spokes."

 Only the spoke-to-hub tunnels are configured. When spoke-to-spoke traffic transits the hub, the hub sends a shortcut offer and the two spokes negotiate a direct tunnel on demand, with no per-spoke configuration.

B is incorrect because ADVPN works with both IKEv1 and IKEv2. D is incorrect because spokes do not need static tunnels to each other; removing that per-spoke configuration is the point of ADVPN. Therefore A and C are correct.

Question 25Skipped

Which security fabric feature causes an event trigger to monitor the network when a threat is
detected?

A. Security rating

B. Optimization

Correct answer

C. Automation stitches

D. Fabric connectors

Overall explanation

Correct answer: C. Automation stitches

In the Fortinet Security Fabric, automation stitches are what turn a detected threat into a response. Each automation stitch pairs an event trigger (for example a compromised-host event, an IPS log or a security rating result) with one or more actions (for example quarantining the host, sending an email or calling a webhook), so it lets you monitor your network and take appropriate action when the Security Fabric detects a threat. Therefore option C is the correct answer.

Security rating (A) produces a scorecard, fabric connectors (D) integrate external platforms, and neither of them triggers an action when a threat is detected.

Question 26Skipped

Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.
What will happen to endpoint active ZTNA sessions?

A. They will be re-evaluated to match the endpoint policy.

B. They will be re-evaluated to match the firewall policy.

Correct answer

C. They will be re-evaluated to match the ZTNA policy.

D. They will be re-evaluated to match the security policy.

Overall explanation

C. They will be re-evaluated to match the ZTNA policy.


Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the
endpoint is no longer compliant with the ZTNA policy.

Question 27Skipped

What devices form the core of the security fabric?

A. Two FortiGate devices and one FortiManager device

B. One FortiGate device and one FortiManager device

Correct answer

C. Two FortiGate devices and one FortiAnalyzer device

D. One FortiGate device and one FortiAnalyzer device

Overall explanation

C. Two FortiGate devices and one FortiAnalyzer device.

The core of the Security Fabric is a root FortiGate, at least one downstream FortiGate, and a FortiAnalyzer. The FortiGate devices provide the firewall functionality and form the Fabric topology; FortiAnalyzer provides centralized logging, reporting and analysis of the data from all FortiGate devices in the Fabric, which is what gives the Fabric its visibility. FortiManager (options A and B) adds centralized management but is not part of the core.

Question 28Skipped

Which of the following methods can be used to configure FortiGate to perform source NAT (SNAT) for
outgoing traffic?

A. Configure a static route pointing to the external interface.

Correct answer

B. Enable the "Use Outgoing Interface Address" option in a firewall policy.

C. Create a virtual server with an external IP address.

D. Deploy an IPsec VPN tunnel with NAT enabled.

Overall explanation

B. Enable the "Use Outgoing Interface Address" option in a firewall policy.

Explanation:

Source NAT (SNAT) is typically used to translate the private IP addresses of outgoing traffic to a public IP
address. One common method to perform SNAT in FortiGate is by enabling the "Use Outgoing Interface
Address" option in the firewall policy. This setting automatically translates the source IP of outgoing
packets to the IP address of the interface from which the traffic is leaving the FortiGate.

Options A, C, and D are related to routing and other forms of NAT but do not directly configure source
NAT in the firewall policy context.

Question 29Skipped

Refer to the exhibit:

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A. The port3 default route has the lowest metric.

Correct selection

B. The port3 default route has the highest distance.

C. There will be eight routes active in the routing table.

Correct selection

D. The port1 and port2 default routes are active in the routing table.

Overall explanation

Correct answer: BD

How to read the routing database output:

*> marks an active route, that is, one that was installed in the routing table. A route listed without *> is in the routing database but not active.

The first square bracket is [administrative distance/metric]. Between routes to the same prefix the lowest distance wins; the metric is only compared between routes that have the same distance (routes learned from the same protocol).

The second square bracket is the priority, which applies only to static routes and breaks ties between static routes of equal distance (lower is preferred).

In the exhibit the port3 default route has a higher distance than the port1 and port2 default routes, so it is not marked active (B), while the port1 and port2 default routes share the lowest distance and are both active (D). The number of active routes (C) is simply the number of entries marked *>.
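
As an added example (not part of the original question set), the following Python script reads `get router info routing-table database` output in the format described above and answers the same questions about it: which routes are active, which default routes are installed, and which default route has the highest distance. The sample output is constructed for this example; it is not the exhibit, and the addresses are invented.

```python
"""Parse FortiGate `get router info routing-table database` output.

Added example, not from the original page. SAMPLE_ROUTING_DB is constructed
for illustration and is not the exhibit from the question.
"""
import re

SAMPLE_ROUTING_DB = """\
Routing table for VRF=0
S       *> 0.0.0.0/0 [10/0] via 10.200.1.254, port1, [1/0]
S       *> 0.0.0.0/0 [10/0] via 10.200.2.254, port2, [1/0]
S          0.0.0.0/0 [20/0] via 10.200.3.254, port3, [1/0]
C       *> 10.0.1.0/24 is directly connected, port3
C       *> 10.200.1.0/24 is directly connected, port1
C       *> 10.200.2.0/24 is directly connected, port2
"""

# One routing-database line: protocol letter, optional "*>" flags, prefix,
# optional [distance/metric], "via <nexthop>," or "is directly connected,",
# the interface, and an optional trailing [priority/0] on static routes.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+(?P<flags>[*>]*)\s*"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\])?\s+"
    r"(?:via\s+(?P<nexthop>\S+),\s*|is directly connected,\s*)"
    r"(?P<iface>[^\s,]+)"
    r"(?:,\s*\[(?P<priority>\d+)/\d+\])?"
)


def parse_routing_db(text):
    """Return one dict per route line; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        routes.append({
            "proto": d["proto"],
            # "*>" marks a route that was installed in the routing table.
            "active": d["flags"] == "*>",
            "prefix": d["prefix"],
            # Connected routes print no [distance/metric]; treat them as distance 0.
            "distance": int(d["distance"]) if d["distance"] else 0,
            "metric": int(d["metric"]) if d["metric"] else 0,
            "nexthop": d["nexthop"],
            "iface": d["iface"],
            # Priority only exists on static routes; lower wins at equal distance.
            "priority": int(d["priority"]) if d["priority"] else None,
        })
    return routes


def active_routes(routes):
    return [r for r in routes if r["active"]]


def default_routes(routes):
    return [r for r in routes if r["prefix"] == "0.0.0.0/0"]


def highest_distance_default(routes):
    """Interface of the default route with the highest administrative distance."""
    return max(default_routes(routes), key=lambda r: r["distance"])["iface"]


def explain(routes):
    """Summarise the database the way the exam question asks about it."""
    dflt = default_routes(routes)
    return {
        "total_routes": len(routes),
        "active_routes": len(active_routes(routes)),
        "active_default_ifaces": [r["iface"] for r in dflt if r["active"]],
        "highest_distance_default_iface": highest_distance_default(routes),
    }


if __name__ == "__main__":
    print(explain(parse_routing_db(SAMPLE_ROUTING_DB)))
```

Paste real output into SAMPLE_ROUTING_DB to check an exhibit the same way; the regex only recognises the single-letter protocol codes (S, C, B, O and so on) that FortiOS prints in the first column.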

Question 30Skipped
Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

A. Access to the social networking web filter category was explicitly blocked to all users.

B. The action on firewall policy ID 1 is set to warning.

Correct answer

C. Social networking web filter category is configured with the action set to authenticate.

D. The name of the firewall policy is all_users_web.

Overall explanation

C is correct. The exhibit contains two logs for the same source: the first with action="blocked" and the second with action="passthrough".

A incorrect - the second log shows action="passthrough", so access to the category was not blocked for all users.

B incorrect - a firewall policy action is accept or deny; "warning" is a web filter category action, and the raw log only references the policy by policyid.

D incorrect - the raw log shows only the policy ID, not the policy name.

Remember that a web filter log with action="passthrough" following a block from the same source means the user satisfied the category's override.

On the first attempt from that source IP the connection is blocked and a page is displayed to the user. On the second attempt from the same source IP the connection passes through. Taken together, the first block and the second pass show that the user had to authenticate to be granted access, which is the behaviour of the authenticate action on the category.
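
As an added example (not from the original page), the following Python script parses FortiOS web filter raw logs, which are key=value lines with double-quoted string values, and applies the reasoning above: it groups events per source and category and reads the category action from the sequence of blocked and passthrough events. The two log lines are constructed for the example, with field names modelled on FortiOS web filter logs and invented values; they are not the exhibit.

```python
"""Parse FortiGate web filter raw logs and read the category action from the
sequence of events. Added example; the two log lines below are constructed
(fields modelled on FortiOS web filter logs, values invented)."""
import re
from collections import defaultdict

SAMPLE_LOGS = """\
date=2024-05-01 time=10:15:01 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" srcip=10.0.1.10 srcport=51234 srcintf="port3" dstip=203.0.113.20 dstport=443 dstintf="port1" policyid=1 sessionid=4001 service="HTTPS" hostname="social.example" profile="default" action="blocked" reqtype="direct" url="/" direction="outgoing" cat=37 catdesc="Social Networking"
date=2024-05-01 time=10:15:20 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" srcip=10.0.1.10 srcport=51240 srcintf="port3" dstip=203.0.113.20 dstport=443 dstintf="port1" policyid=1 sessionid=4002 service="HTTPS" hostname="social.example" profile="default" action="passthrough" reqtype="direct" url="/" direction="outgoing" cat=37 catdesc="Social Networking"
"""

# key=value pairs; string values are double-quoted and may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Return one log line as a dict, with quotes stripped from string values."""
    rec = {}
    for key, raw in KV_RE.findall(line):
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    return rec


def parse_logs(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def policy_ids(records):
    """Firewall policies referenced by the logs. Only the ID is logged, never the name."""
    return {int(r["policyid"]) for r in records if "policyid" in r}


def action_sequences(records):
    """Ordered web filter actions per (source IP, category)."""
    seq = defaultdict(list)
    for r in sorted(records, key=lambda r: (r.get("date", ""), r.get("time", ""))):
        seq[(r.get("srcip"), r.get("catdesc"))].append(r.get("action"))
    return dict(seq)


def infer_category_mode(actions):
    """Map the action sequence for one source and category to the category
    action that produces it. A block followed by a passthrough from the same
    source is the signature of an override action (warning or authenticate):
    the first request is blocked and a page is shown, the next one passes."""
    if not actions:
        return "no events"
    if all(a == "blocked" for a in actions):
        return "block"
    if all(a == "passthrough" for a in actions):
        return "allow or monitor"
    if "blocked" in actions and "passthrough" in actions:
        first_block = actions.index("blocked")
        if any(a == "passthrough" for a in actions[first_block + 1:]):
            return "override (warning or authenticate)"
    return "mixed"


def summarise(text):
    records = parse_logs(text)
    return {
        key: infer_category_mode(actions)
        for key, actions in action_sequences(records).items()
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOGS))
```

The raw log alone does not separate warning from authenticate; both produce the same block-then-pass pattern, so the function reports "override" and leaves the final call to the profile configuration, as the question's exhibit does.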

Question 31Skipped

Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?

A. Enable restrict access to trusted hosts

B. Change password

C. Enable two-factor authentication

Correct answer

D. Change Administrator profile

Overall explanation

Correct answer: D. Change Administrator profile


By default, there is a special profile named super_admin, which is used by the account named admin. You can't change it. It provides full access to everything, making the admin account similar to a root superuser account. The prof_admin is another default profile. It also provides full access, but unlike super_admin, it applies only to its virtual domain, not the global settings of FortiGate. Also, you can change its permissions.

Question 32Skipped

When configuring a firewall virtual wire pair policy, which following statement is true?

A. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

B. Only a single virtual wire pair can be included in each policy.

Correct answer

C. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic
direction settings.

D. Exactly two virtual wire pairs need to be included in each policy.

Overall explanation

Correct answer: C. Any number of virtual wire pairs can be included in each policy, regardless of the
policy traffic direction settings.

We tested creating a policy: we can use any number of virtual wire pairs, and we can select three options for traffic direction: in, out or both.

Firewall virtual wire pair policies can include more than a single virtual wire pair. This capability can
streamline the policy management process by eliminating the need to create multiple, similar policies for
each virtual wire pair. When creating or modifying a policy, you can select the traffic direction for each
VWP included in the policy.

Question 33Skipped

Refer to the exhibit, which contains a session list output.


Based on the information shown in the exhibit, which statement is true?

A. Port block allocation IP pool is used in the firewall policy

B. Destination NAT is disabled in the firewall policy

C. Overload NAT IP pool is used in the firewall policy

Correct answer

D. One-to-one NAT IP pool is used in the firewall policy

Overall explanation

Correct answer: D. One-to-one NAT IP pool is used in the firewall policy.

In the one-to-one pool type, an internal IP address is mapped to an external address on a first-come, first-served basis. There is a single mapping of an internal address to an external address; mappings are not fixed and, when no more external addresses are available, a new connection is refused.

Because each internal address gets an external address of its own, port address translation (PAT) is not required, so the source port is kept. That is what the exhibit shows: the same source port appears for both the ingress and the egress address in the session's hook lines. With an overload pool or the outgoing interface address, the translated source port may be rewritten, and a port block allocation pool assigns each client a block of ports rather than a dedicated address.

Question 34Skipped

Which two statements are true about the FGCP protocol? (Choose two.)

A. Is used to discover FortiGate devices in different HA groups

B. Not used when FortiGate is in Transparent mode

Correct selection

C. Runs only over the heartbeat links

Correct selection

D. Elects the primary FortiGate device

Overall explanation

Correct answer: CD

C. Runs only over the heartbeat links: the FortiGate Clustering Protocol (FGCP) exchanges heartbeat packets, primary election messages and configuration synchronization over the interfaces configured as heartbeat links. Data interfaces do not carry FGCP traffic.

D. Elects the primary FortiGate device: FGCP elects the primary unit of the HA cluster (by monitored ports, age, device priority and serial number), and the primary then processes traffic while the secondary stays in standby (active-passive) or shares the load (active-active).

A is incorrect because FGCP only discovers FortiGate devices configured with the same HA group name, group ID and password, not devices in other HA groups. B is incorrect because FGCP is used in both NAT and transparent mode.

Question 35Skipped

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

A. The session is in TCP ESTABLISHED state.

Correct answer

B. The session is a bidirectional UDP connection.

C. The session is a UDP unidirectional state.

D. The session is a bidirectional TCP connection.

Overall explanation

Correct answer: B. The session is a bidirectional UDP connection.

proto=17 -> UDP

proto_state=01 -> UDP reply seen (bidirectional); proto_state=00 would mean no reply seen yet (unidirectional)

A and D are wrong because the session is not TCP (that would be proto=6), so TCP states such as ESTABLISHED do not apply. C is wrong because proto_state=01 shows that a reply has already been seen.
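
As an added example (not from the original page) that serves both Question 33 and Question 35, the following Python script decodes entries from `diagnose sys session list`: it reads proto and proto_state to describe the session state, and reads the original-direction hook line (the `src:sport->dst:dport(xlate:xport)` part) to tell whether the session was source-NATed with the port preserved, source-NATed with PAT, destination-NATed or not translated. The three session entries are constructed for the example and trimmed to the lines the functions read; the addresses are invented. The TCP state names are the documented meaning of the right-hand proto_state digit.

```python
"""Decode FortiGate `diagnose sys session list` entries: protocol state and
the kind of NAT applied. Added example; the three session entries below are
constructed (trimmed to the lines the functions read, addresses invented)."""
import re

SAMPLE_SESSIONS = """\
session info: proto=17 proto_state=01 duration=5 expire=175 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
hook=post dir=org act=snat 10.0.1.10:40126->8.8.8.8:53(10.200.1.100:40126)
hook=pre dir=reply act=dnat 8.8.8.8:53->10.200.1.100:40126(10.0.1.10:40126)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
hook=post dir=org act=snat 10.0.1.11:50200->203.0.113.50:443(10.200.1.1:60001)
hook=pre dir=reply act=dnat 203.0.113.50:443->10.200.1.1:60001(10.0.1.11:50200)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0

session info: proto=17 proto_state=00 duration=1 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty
hook=post dir=org act=noop 10.0.1.12:5060->10.0.2.20:5060(0.0.0.0:0)
hook=pre dir=reply act=noop 10.0.2.20:5060->10.0.1.12:5060(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

# proto_state: for UDP the value is 00 until a reply is seen, then 01.
# For TCP the right-hand digit is the TCP state of the session.
UDP_STATES = {0: "unidirectional (no reply seen)", 1: "bidirectional (reply seen)"}
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT"}

# hook=<pre|post> dir=<org|reply> act=<noop|snat|dnat> src:sport->dst:dport(xlate:xport)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<xip>[\d.]+):(?P<xport>\d+)\)"
)


def parse_sessions(text):
    """Split the output at each 'session info:' header and pick out the fields used here."""
    sessions = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            cur = {"proto": None, "proto_state": None, "policy_id": None, "hooks": []}
            sessions.append(cur)
        if cur is None:
            continue
        m = re.search(r"\bproto=(\d+)", line)
        if m:
            cur["proto"] = int(m.group(1))
        m = re.search(r"\bproto_state=(\d+)", line)
        if m:
            cur["proto_state"] = m.group(1)
        m = re.search(r"\bpolicy_id=(\d+)", line)
        if m:
            cur["policy_id"] = int(m.group(1))
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            for k in ("sport", "dport", "xport"):
                h[k] = int(h[k])
            cur["hooks"].append(h)
    return sessions


def describe_state(sess):
    digit = int(sess["proto_state"][-1])
    if sess["proto"] == 17:
        return "UDP " + UDP_STATES.get(digit, "unknown")
    if sess["proto"] == 6:
        return "TCP " + TCP_STATES.get(digit, "unknown")
    return "proto %d state %s" % (sess["proto"], sess["proto_state"])


def classify_nat(sess):
    """Look at the original-direction hook. act=snat with the source port
    kept is what a one-to-one IP pool produces (no PAT needed); a changed
    source port means PAT (overload pool or outgoing interface address)."""
    org = [h for h in sess["hooks"] if h["dir"] == "org"]
    acts = {h["act"] for h in org}
    if not org or acts == {"noop"}:
        return "no NAT"
    if "dnat" in acts:
        return "destination NAT (VIP)"
    snat = next(h for h in org if h["act"] == "snat")
    return "source NAT, port preserved" if snat["sport"] == snat["xport"] else "source NAT with PAT"


def summarise(text):
    return [(s["policy_id"], describe_state(s), classify_nat(s)) for s in parse_sessions(text)]


if __name__ == "__main__":
    for row in summarise(SAMPLE_SESSIONS):
        print(row)
```

A preserved source port is consistent with a one-to-one pool but is not proof on its own, since an overload pool can also keep the original port when it is free on the translated address; check the IP pool type referenced by the policy_id when it matters.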

Question 36Skipped

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

Correct selection

A. SSH

Correct selection

B. HTTPS
C. FTM

D. FortiTelemetry

Overall explanation

Correct answer: AB

The two protocols used to enable administrator access to a FortiGate device are:

A. SSH (Secure Shell)

SSH is the secure protocol for accessing the command-line interface (CLI) of FortiGate devices. Telnet can also be enabled on an interface, but it sends credentials in clear text.

B. HTTPS (Hypertext Transfer Protocol Secure)

HTTPS is the secure protocol for accessing the web-based graphical user interface (GUI) of FortiGate devices. Plain HTTP can also be enabled but should be avoided for the same reason.

FTM is the FortiToken Mobile push service and FortiTelemetry is the Security Fabric communication protocol between FortiGate and other Fabric devices; neither provides administrator access. Whichever protocols are enabled, restrict them to trusted hosts on each administrator account.

Question 37Skipped

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

A. Device detection on all interfaces is enforced for 30 minutes

B. Denied users are blocked for 30 minutes

Correct selection

C. A session for denied traffic is created

Correct selection

D. The number of logs generated by denied traffic is reduced

Overall explanation

Correct answer: CD

C. A session for denied traffic is created.

D. The number of logs generated by denied traffic is reduced.


When a security profile detects a violation during a session, FortiGate records the attack log immediately. By default, FortiGate does not keep a session for traffic it denies, so every packet of a denied flow causes a new policy lookup and, if logging is enabled, a new log message. To reduce the number of log messages generated and improve performance, you can enable a session table entry for dropped traffic. This creates the denied session in the session table and, because the session is denied, all further packets of that session are dropped without another policy lookup, which reduces CPU usage and log generation.

This option is in the CLI under config system settings and is called ses-denied-traffic. You can also set how long a denied session stays in the session table with block-session-timer in the same section. By default it is 30 seconds. The 30 in the exhibit is therefore a session timer in seconds, not a 30-minute user block (B) and not a device detection setting (A).

Question 38Skipped

Refer to the exhibit.

Which contains a network diagram and routing table output. The Student is unable to access
Webserver.
What is the cause of the problem and what is the solution for the problem?

A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static
route to 10.0.4.0/24 through wan1.

B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static
route to 10.0.4.0/24 through wan1.

Correct answer

C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static
route to 203.0.114.24/32 through port3.

D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static
route to 203.0.114.24/32 through port3.

Overall explanation

Correct answer: C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

The routing table in the exhibit has no route to 203.0.114.24 through port3; the only route that covers that address is the default route via wan1. When a packet with source 203.0.114.24 arrives on port3, FortiGate's reverse path forwarding (RPF) check looks for a route to that source through the receiving interface, finds none, and drops the packet (diagnose debug flow reports it as "reverse path check fail, drop"). Adding a static route to 203.0.114.24/32 through port3 gives the check a matching route, so the reply is accepted and the Student can reach the Webserver.

Options A and D name the wrong packet: the Student's own packet is forwarded according to the routing table and is not the one failing the check. Option B adds a route for 10.0.4.0/24 via wan1, which does not give port3 a route to 203.0.114.24. After adding the route, confirm it is active with get router info routing-table all and re-test from the Student.

Question 39Skipped

Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

A. There is at least one server that lost packets consecutively.

Correct selection
B. One server was contacted to retrieve the contract information.

C. A local FortiManager is one of the servers FortiGate communicates with.

Correct selection

D. FortiGate is using default FortiGuard communication settings.

Overall explanation

Correct answer: BD

B is correct: one server has the flags DI, which means it was contacted to retrieve contract information.

A: no server has dropped packets.

C: no local FortiManager IP can be seen.

D: anycast is enabled by default (as the study guide says), and the output shows HTTPS (TCP) on port 443, which is the default setting.

"By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with FortiGuard or FortiManager."

We did check our FortiGate and it is configured the same.

Anycast is enabled by default, and A and C are definitely incorrect.

Question 40Skipped

Refer to the exhibit.


A user located behind the FortiGate device is trying to go to http://www.addictinggames.com
(Addicting.Games). The exhibit shows the application details and the application control profile.
Based on this configuration, which statement is true?

A. Addicting.Games will be blocked, based on the Filter Overrides configuration.

B. Addicting.Games will be allowed only if the Filter Overrides action is set to Learn.

C. Addicting.Games will be allowed, based on the Categories configuration.

Correct answer
D. Addicting.Games will be allowed, based on the Application Overrides configuration.

Overall explanation

Correct answer: D. Addicting.Games will be allowed, based on the Application Overrides configuration.

Application control evaluates a profile in scan order: application overrides first, then filter overrides, then categories. Within the overrides, entries are matched top-down like firewall policies, so the first matching entry wins. The application override entry for Addicting.Games is therefore consulted before the category the application belongs to, and its action (allow) is applied regardless of the category setting.

Question 41Skipped

Which two statements are true about the RPF check? (Choose two.)

Correct selection

A. The RPF check is run on the first sent packet of any new session.

B. The RPF check is run on the first reply packet of any new session.

C. The RPF check is run on the first sent and reply packet of any new session.

Correct selection

D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Overall explanation

Correct answer: AD

RPF protects against IP spoofing attacks. FortiGate checks the source IP address of a packet against the routing table to confirm that there is a return path to that source through the interface the packet arrived on; if there is none, the packet is dropped. The check is carried out only on the first packet of a new session, not on reply packets, because replies match an existing session. B and C are therefore incorrect.
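
As an added example (not from the original page) that illustrates both Question 38 and Question 41, the following Python script models the RPF check: it takes a routing table, a source IP and the interface the packet arrived on, and decides whether the packet passes in loose mode (the FortiGate default, where any route to the source via the incoming interface suffices) or strict mode (where the best route to the source must point out the incoming interface). The routing table is constructed to mirror the Question 38 scenario, with a /32 to the server through port3 as the fix; the 10.0.1.0/24 segment is an assumption, not taken from the exhibit.

```python
"""Model FortiGate's reverse path forwarding (RPF) check. Added example, not
from the original page; the routing table is constructed to mirror the Q38
scenario (a host at 203.0.114.24 reached through port3 while the only route
covering it is the default route out wan1)."""
import ipaddress

ROUTES_BEFORE = [               # (prefix, outgoing interface)
    ("0.0.0.0/0", "wan1"),
    ("10.0.1.0/24", "port1"),   # assumed LAN segment, not from the exhibit
    ("10.0.4.0/24", "port3"),
]
# The fix the exam proposes: a /32 to the server through port3.
ROUTES_AFTER = ROUTES_BEFORE + [("203.0.114.24/32", "port3")]


def routes_to(routes, ip):
    """All routes whose prefix covers ip, as (network, iface)."""
    addr = ipaddress.ip_address(ip)
    return [(ipaddress.ip_network(p), iface) for p, iface in routes
            if addr in ipaddress.ip_network(p)]


def best_route(routes, ip):
    """Longest-prefix match, as the forwarding lookup would pick it."""
    cands = routes_to(routes, ip)
    return max(cands, key=lambda r: r[0].prefixlen) if cands else None


def rpf_check(routes, src_ip, in_iface, strict=False):
    """True if a packet from src_ip arriving on in_iface passes the RPF check.

    Loose mode (FortiGate default): any route to src_ip via in_iface is enough.
    Strict mode: the best route to src_ip must point back out in_iface."""
    cands = routes_to(routes, src_ip)
    if not cands:
        return False
    if strict:
        return best_route(routes, src_ip)[1] == in_iface
    return any(iface == in_iface for _, iface in cands)


def first_packet_decision(routes, packets, strict=False):
    """Apply the check the way FortiGate does: only to the first packet of a
    session. packets is a list of (session_id, src_ip, in_iface); later packets
    of an already-accepted session are matched to the session, not re-checked."""
    seen = set()
    decisions = []
    for sid, src, iface in packets:
        if sid in seen:
            decisions.append((sid, "existing session, no RPF check"))
            continue
        ok = rpf_check(routes, src, iface, strict)
        decisions.append((sid, "accept" if ok else "reverse path check fail, drop"))
        if ok:
            seen.add(sid)
    return decisions


if __name__ == "__main__":
    for table, name in ((ROUTES_BEFORE, "before"), (ROUTES_AFTER, "after")):
        print(name, "loose:", rpf_check(table, "203.0.114.24", "port3"),
              "strict:", rpf_check(table, "203.0.114.24", "port3", strict=True))
```

The two modes differ when a source is covered by a specific route and by the default route: with the /32 in place, a packet from 203.0.114.24 arriving on wan1 still passes loose mode because the default route points out wan1, but fails strict mode because the best route points out port3. Strict mode is the setting to use when interfaces must only see sources that are routed through them.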

Question 42Skipped

Refer to the exhibit.


The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-
user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose
two.)

A. Disable match-vip in the Deny policy.

B. Set the Destination address as Deny_IP in the Allow-access policy.

Correct selection

C. Enable match-vip in the Deny policy.

Correct selection

D. Set the Destination address as Web_server in the Deny policy.

Overall explanation

Correct answer: CD

By default, a policy with destination "all" does not match traffic destined to a VIP unless match-vip is enabled, so the Deny policy is skipped and the traffic falls through to the Allow-access policy. Two changes fix this:

1. Enable match-vip in the Deny policy, so that the destination "all" also covers the VIP.

2. Set the destination address of the Deny policy to the Web_server VIP object, which matches the VIP explicitly.

Note that match-vip has to be enabled, not disabled (option A), and option B would break access for everyone using the Allow-access policy rather than just Remote-user2.

Reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-
LAN/ta-p/189641

Question 43Skipped

Which two statements are correct about a software switch on FortiGate? (Choose two.)

Correct selection

A. It can be configured only when FortiGate is operating in NAT mode

B. Can act as a Layer 2 switch as well as a Layer 3 router

Correct selection

C. All interfaces in the software switch share the same IP address

D. It can group only physical interfaces

Overall explanation

Correct answer: AC

A is correct: a software switch is supported only in NAT mode.

C is correct: the member interfaces share the same IP address and belong to the same broadcast domain.

Incorrect options:

B is incorrect: a software switch acts like a traditional layer 2 switch between its members; routing is done by the switch interface as a whole, not by each member port.

D is incorrect: a software switch can group multiple physical and wireless interfaces into a single virtual switch interface, not only physical ones.

Question 44Skipped

Which statement is true about SSL VPN web mode?

A. The external network application sends data through the VPN

B. It assigns a virtual IP address to the client

Correct answer

C. It supports a limited number of protocols

D. The tunnel is up while the client is connected

Overall explanation

C. It supports a limited number of protocols

SSL VPN web mode requires only a web browser: the user logs in to the SSL VPN portal and reaches internal resources through bookmarks that FortiGate proxies on the user's behalf. Because everything has to be rendered inside the browser, only a limited set of protocols is supported (HTTP/HTTPS, FTP, SMB/CIFS, SSH, Telnet, RDP and VNC bookmarks), compared to tunnel mode, which carries any IP traffic.

A is incorrect: external network applications running on the user's PC cannot send data across the VPN in web mode; that requires tunnel mode.

B and D describe tunnel mode, not web mode: tunnel mode is what assigns a virtual IP address to the client from the SSL VPN address pool and keeps the tunnel up for as long as the client stays connected.

Question 45Skipped
Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

Correct selection

A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the
remote peer to provide a username and password.

Correct selection

B. FortiGate supports pre-shared key and signature as authentication methods.

C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.

D. A certificate is not required on the remote peer when you set the signature as the authentication
method.

Overall explanation

Correct answer: AB

A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the
remote peer to provide a username and password.

B. FortiGate supports pre-shared key and signature as authentication methods.

Explanation:

A. XAuth provides an additional layer of authentication by requiring the remote peer to provide a username and password in addition to the pre-shared key or certificate. This enhances security.

B. FortiGate supports both pre-shared key and signature (using certificates) as authentication methods for IPsec VPN connections, offering flexibility based on security requirements.

C. Enabling XAuth does not result in faster authentication; additional packets are exchanged after phase 1 to complete the XAuth process.

D. When signature is the authentication method, a certificate is required on the remote peer; that is what the peer signs with to prove its identity.

To authenticate each other, the peers use two methods: pre-shared key or digital signature. You can also
enable an additional authentication method, XAuth, to enhance authentication.

Question 46Skipped

Which CLI command will display sessions both from client to the proxy and from the proxy to the
servers?

Correct answer

A. diagnose wad session list

B. diagnose wad session list | grep hook-pre&&hook-out

C. diagnose wad session list | grep hook=pre&&hook=out


D. diagnose wad session list | grep "hook=pre"&"hook=out"

Overall explanation

Correct answer: A. diagnose wad session list

WAD is FortiGate's web proxy daemon, the process that handles explicit and transparent web proxy traffic and proxy-based inspection. diagnose wad session list prints every session the proxy is handling, and each entry already shows both legs of the connection: the client-to-proxy side and the proxy-to-server side. No filter is needed to see both.

Options B, C and D try to AND two patterns in a single grep. The CLI grep filter takes one pattern and does not combine patterns with && or &, so those commands do not return both sides of the sessions.

Question 47Skipped

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard
servers.
Which CLI command causes FortiGate to use an unreliable protocol to communicate with FortiGuard
servers for live web filtering?

A. set webfilter-force-off disable

B. set webfilter-cache disable

C. set protocol tcp

Correct answer

D. set fortiguard-anycast disable

Overall explanation

The CLI command that causes FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering is: D. set fortiguard-anycast disable

By default, FortiGuard anycast is enabled and FortiGate is configured to enforce the use of HTTPS on port 443 to perform live filtering with FortiGuard or FortiManager. Disabling anycast (set fortiguard-anycast disable under config system fortiguard) unlocks the protocol and port settings, which allow UDP, an unreliable transport, to be used for rating queries. This may be needed where anycast causes issues, but it trades reliability for it. Option C keeps a reliable transport, and options A and B concern the web filter itself, not how FortiGate reaches FortiGuard.

Question 48Skipped

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA
cluster? (Choose two.)

A. FortiGuard web filter cache

B. FortiGate hostname

Correct selection

C. NTP
Correct selection

D. DNS

Overall explanation

Correct answer: CD

C. NTP

D. DNS

Not all configuration settings are synchronized. The settings that are not synchronized include:

• System interface settings of the HA reserved management interface and the HA default route for the reserved management interface

• In-band HA management interface

• HA override

• HA device priority

• Virtual cluster priority

• FortiGate hostname

• HA priority setting for a ping server (or dead gateway detection) configuration

• All licenses except FortiToken licenses (serial numbers)

• Cache

NTP and DNS settings are part of the synchronized configuration, so C and D are correct. The FortiGate hostname (B) is not synchronized between cluster members, and the FortiGuard web filter cache (A) is one of the caches that are not synchronized.

Question 49Skipped

Refer to the exhibits.


Exhibit A.
Exhibit B.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security
fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

A. Change the csf setting on Local-FortiGate (root) to set configuration-sync local.

B. Change the csf setting on ISFW (downstream) to set configuration-sync local.

Correct answer

C. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.


D. Change the csf setting on ISFW (downstream) to set fabric-object-unification default.

Overall explanation

Correct answer: C. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

The CLI command set fabric-object-unification is only available on the root FortiGate. When set to local, global objects are not synchronized to downstream devices in the Security Fabric. The default value is default.

Option A will not synchronize global Fabric objects downstream.

When both devices are configured with set downstream-access disable (answer in C), the newly created address objects are still replicated. However, when I configure the root with set fabric-object-unification local, the address object is no longer replicated to the downstream FortiGates.

Question 50Skipped

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

A. NGFW policy-based mode does not require the use of central source NAT policy

B. NGFW policy-based mode can only be applied globally and not on individual VDOMs

Correct selection

C. NGFW policy-based mode supports creating applications and web filtering categories directly in a
firewall policy

Correct selection

D. NGFW policy-based mode policies support only flow inspection

Overall explanation

Correct answer: CD

C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.

In NGFW policy-based mode, applications and URL categories are matching criteria of the security policy itself rather than settings in a separate application control or web filter profile. This lets you allow or block specific applications and web categories per policy, offering a more granular way to manage network traffic.

D. NGFW policy-based mode policies support only flow inspection.

In NGFW policy-based mode, only flow-based inspection is available. Flow-based inspection scans packets, including their content with the IPS, antivirus and web filter engines, as they stream through FortiGate, without buffering or proxying the whole connection. Proxy-based inspection, which reassembles the content before scanning it, is only available in profile-based mode.

A is incorrect because policy-based mode requires central SNAT policies, and B is incorrect because the NGFW mode is set per VDOM.
