NSE 7 - Enterprise Firewall 7.0 v1.0 (NSE7_EFW-7.0)

Total 65 questions

Which two statements about an auxiliary session are true? (Choose two.)

  • A. With the auxiliary session setting disabled, only auxiliary sessions are offloaded.
  • B. With the auxiliary session setting enabled, two sessions are created in case of routing change.
  • C. With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.
  • D. With the auxiliary session setting disabled, for each traffic path, FortiGate uses the same auxiliary session.


Answer : BC

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?

  • A. Set protected network to all
  • B. Enable AD-VPN in IPsec phase 1
  • C. Configure IP addresses on IPsec virtual interfaces
  • D. Disable add-route on hub


Answer : C

Refer to the exhibit, which shows the output of a diagnose command.

What can you conclude from the RTT value?

  • A. Its value represents the time it takes to receive a response after a rating request is sent to a particular server.
  • B. Its value is incremented with each packet lost.
  • C. It determines which FortiGuard server is used for license validation.
  • D. Its initial value is statically set to 10.


Answer : A

Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

  • A. FortiGate uses the CN information from the Subject field in the server certificate.
  • B. FortiGate uses the first entry listed in the SAN field in the server certificate.
  • C. FortiGate uses the SNI from the user's web browser.
  • D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.


Answer : D

Refer to the exhibit, which shows the output of a BGP debug command.

What can be concluded about the router in this scenario?

  • A. The router 100.64.3.1 needs to update the local AS number in its BGP configuration in order to bring up the BGP session with the local router.
  • B. The State/PfxRcd for neighbor 100.64.3.1 will not change until an administrator on the local router adjusts the inbound route filtering so that prefixes received can be added to the RIB.
  • C. All of the neighbors displayed are part of a single BGP configuration on the local router with the neighbor-range set to a value of 4.
  • D. The BGP session with peer 10.127.0.75 is up.


Answer : D

How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)

  • A. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
  • B. When run on the Device Database, changes are applied directly to the managed FortiGate device.
  • C. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
  • D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.


Answer : AD

Which two tasks are automated using the Import Configuration wizard on FortiManager? (Choose two.)

  • A. Importing firewall address objects from managed devices
  • B. Importing interface mappings from managed devices
  • C. Importing static and dynamic route configurations from managed devices
  • D. Importing devices to FortiManager


Answer : AC

Which statement about protocol options is true?

  • A. Protocol options allow administrators a streamlined method to instruct FortiGate to block all sessions corresponding to disabled protocols.
  • B. Protocol options allow administrators to configure the Any setting for all enabled protocols, which provides the most efficient use of system resources.
  • C. Protocol options allow administrators to configure a maximum number of sessions for each configured protocol.
  • D. Protocol options allow administrators to configure which Layer 4 port numbers map to upper-layer protocols, such as HTTP, SMTP, FTP, and so on.


Answer : D

An administrator has created a VPN community within VPN Manager on FortiManager. They also added gateways to the VPN community and are now trying to create firewall policies to permit traffic over the tunnel; however, the VPN interfaces are not listed as available options.
What step must the administrator take to resolve this issue?

  • A. Install the VPN community and gateway configuration to the FortiGate devices, in order for the interfaces to be displayed within Policy & Objects on FortiManager.
  • B. Set up all of the phase 1 settings in the VPN community that they neglected to set up initially. The interfaces will be automatically generated after the administrator configures all of the required settings.
  • C. Refresh the device status from the Device Manager so that FortiGate will populate the IPsec interfaces.
  • D. Create interface mappings for the IPsec VPN interfaces, before they can be used in a policy.


Answer : D

Refer to the exhibit, which shows the output of a diagnose command.

What can be concluded about the debug output in this scenario?

  • A. Servers with a negative TZ value are less preferred for rating requests.
  • B. There is a natural correlation between the value in the Packets field and the value in the Weight field.
  • C. FortiGate used 64.26.151.37 as the initial server to validate its contract.
  • D. The first server provided to FortiGate when it performed a DNS query looking for a list of rating servers was 121.111.236.179.


Answer : D

Refer to the exhibit, which shows a session entry.

Which statement about this session is true?

  • A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.
  • B. Return traffic to the initiator is sent to 10.1.0.1.
  • C. It is an ICMP session from 10.1.10.1 to 10.200.5.1.
  • D. Return traffic to the initiator is sent to 10.200.1.254.


Answer : B

Refer to the exhibit, which shows a central management configuration.

Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?

  • A. Public FortiGuard servers
  • B. 10.0.1.243
  • C. 10.0.1.242
  • D. 10.0.1.244


Answer : A

Refer to the exhibit, which shows the output of diagnose sys session list.

If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?

  • A. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.
  • B. The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.
  • C. The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.
  • D. The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.


Answer : A

Refer to the exhibit, which contains partial output from an IKE real-time debug.

Why did the tunnel not come up?

  • A. The local gateway has configured less secure encryption and hashing algorithms compared to the remote gateway.
  • B. The Diffie-Hellman group does not match on the local and remote gateways.
  • C. The proposal ID does not match between local and remote gateways.
  • D. The encapsulation method for phase 2 is set to none on local and remote gateways.


Answer : B

Refer to the exhibit, which shows the output of diagnose sys session stat.

Which statement about the output shown in the exhibit is correct?

  • A. There are two sessions that have not been removed in case of any out-of-order packets that arrive.
  • B. There are 166 TCP sessions waiting to complete the three-way handshake.
  • C. 162 sessions have been deleted because of memory page exhaustion.
  • D. All the sessions in the session table are TCP sessions.


Answer : B
