The answers marked in green are correct.

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
Select one or more:
Only the any interface can be chosen as an incoming interface.
Multiple interfaces can be selected as incoming and outgoing interfaces.
A zone can be chosen as the outgoing interface.

Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)
Select one or more:
Email
SMS text message
Instant message app
FortiToken Mobile

Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)
Select one or more:
The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
Aggressive mode supports XAuth, while main mode does not.
Main mode cannot be used for dialup VPNs, while aggressive mode can.
Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.

Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)
Select one or more:
It uses the Windows convention for naming; that is, Domain\Username.
FortiGate can act as an LDAP client to configure the group filters.
It supports monitoring of nested groups.
It is only supported if DC agents are deployed.

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.
Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.)
Select one or more:
Loose RPF check will deny the traffic.
Strict RPF check will allow the traffic.
Loose RPF check will allow the traffic.

Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
Select one or more:
SSH
Trusted authentication
HTTPS
Trusted host

Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)
Select one or more:
Port block allocation
Overload
One-to-one
Fixed port range

Which NAT method translates the source IP address in a packet to another IP address?
Select one:
VIP
SNAT
IPPOOL
DNAT

What is eXtended Authentication (XAuth)?
Select one:
It is an IPsec extension that authenticates remote VPN peers using digital certificates.
It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).

Which statement about the HA override setting in FortiGate HA clusters is true?
Select one:
It synchronizes device priority on all cluster members.
You must configure override settings manually and separately for each cluster member.
It enables monitored ports.
It reboots FortiGate.

What must you configure to enable proxy-based TCP session failover?
Select one:
You must configure session-pickup-connectionless enable under configure system ha.
You must configure ha-configuration-sync under configure system ha.
You do not need to configure anything because all TCP sessions are automatically failed over.
You must configure session-pickup-enable under configure system ha.

Which statement about the configuration settings is true?
Select one:
When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.
Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.)
Select one or more:
Loose RPF check will allow the traffic.
Loose RPF check will deny the traffic.
Strict RPF check will allow the traffic.
Strict RPF check will deny the traffic.

Which route will be selected when trying to reach 10.20.30.254?
Select one:
0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]

An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the internet. The web server is connected to port1. The internet is connected to port2. Both interfaces belong to the VDOM named Corporation.
What interface must the administrator use as the source for the firewall policy that will allow this traffic?
Select one:
port2
ssl.root
port1
ssl.Corporation

Which type of traffic inspection requires FortiGate to act as a CA?
Select one:
SSL traffic inspection when protecting multiple clients connecting to multiple servers.
SSL traffic inspection when protecting a local SSL server.
SSL certificate inspection when protecting a local SSL server.
SSL certificate inspection when protecting multiple clients connecting to multiple servers.

What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
Select one:
Both can be enabled at the same time.
Both use the same physical interface load balancing settings.
Both control ECMP algorithms.
Both support volume algorithms.

Which route will be selected when trying to reach 10.20.30.254?
Select one:
10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]

Which two behaviours result from this full SSL configuration? (Choose two.)
Select one or more:
The browser bypasses all certificate warnings and allows the connection.
A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.

Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)
Select one or more:
FortiGate can act as an LDAP client to configure the group filters.
It is only supported if DC agents are deployed.
It supports monitoring of nested groups.
It uses the Windows convention for naming; that is, Domain\Username.

Which two behaviours result from this full SSL configuration? (Choose two.)
Select one or more:
A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
The browser bypasses all certificate warnings and allows the connection.
A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.

An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.
How can this be achieved?
Select one:
Using web-only mode
Configuring web bookmarks
Disabling split tunneling
Assigning public IP addresses to SSL-VPN users

Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)
Select one or more:
FortiAnalyzer IP address
FortiManager IP address
Fabric name

Which statement about firewall policy NAT is true?
Select one:
You must configure SNAT for each firewall policy.
DNAT is not supported.
SNAT can automatically apply to multiple firewall policies, based on SNAT policies.
DNAT can automatically apply to multiple firewall policies, based on DNAT rules.

FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.
What is the most likely reason for this situation?
Select one:
The user was authenticated using passive authentication.
The user is using a super admin account.
No matching user account exists for this user.
The user is using a guest account profile.