1. What is the limitation of using a URL list and application control on the same
firewall policy, in NGFW policy-based mode?
a. It limits the scanning of application traffic to the browser-based technology
category only.
b. It limits the scanning of application traffic to the DNS protocol only.
c. It limits the scanning of application traffic to use parent signatures only.
d. It limits the scanning of application traffic to the application category only.
2. Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search
criteria shown in the exhibit.
Which policy will be highlighted, based on the input criteria?
a. Policy with ID 4.
b. Policy with ID 5.
c. Policies with ID 2 and 3.
d. Policy with ID 4.
3. FortiGate is operating in NAT mode and is configured with two virtual LAN
(VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
a. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP
addresses in the same subnet.
b. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to
different VDOMs.
c. The two VLAN subinterfaces must have different VLAN IDs.
d. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP
addresses in different subnets.
4. An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?
a. Strict RPF allows packets back to sources with all active routes.
b. Strict RPF checks the best route back to the source using the incoming interface.
c. Strict RPF checks only for the existence of at least one active route back to the
source using the incoming interface.
d. Strict RPF check is run on the first sent and reply packet of any new session.
5. An administrator has configured the following settings:
config system settings
    set ses-denied-traffic enable
end
config system global
    set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 minutes.
B. Denied users are blocked for 30 minutes.
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
6. Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security
policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video
content hosted on Facebook, but they are unable to leave reactions on videos or
other types of posts.
Which part of the policy configuration must you change to resolve the issue?
a. Force access to Facebook using the HTTP service.
b. Make the SSL inspection a deep content inspection.
c. Add Facebook in the URL category in the security policy.
d. Get the additional application signatures required to add to the security policy.
7. Refer to the exhibits.
An administrator creates a new address object on the root FortiGate
(Local-FortiGate) in the security fabric. After synchronization, this object is
not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
a. Change the csf setting on ISFW (downstream) to set configuration-sync local.
b. Change the csf setting on ISFW (downstream) to set authorization-request-type
certificate.
c. Change the csf setting on both devices to set downstream-access enable.
d. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification
default.
8. Refer to the exhibits.
Exhibit A shows system performance output. Exhibit B shows a FortiGate
configured with the default configuration of high memory usage thresholds.
Based on the system performance output, which two results are correct? (Choose two.)
a. FortiGate will start sending all files to FortiSandbox for inspection.
b. FortiGate has entered conserve mode.
c. Administrators cannot change the configuration.
d. Administrators can access FortiGate only through the console port.
9. Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
a. The debug flow is for ICMP traffic.
b. The default route is required to receive a reply.
c. A new traffic session was created.
d. A firewall policy allowed the connection.
10. An administrator is configuring an IPsec VPN between site A and site B. The
Remote Gateway setting in both sites has been configured as Static IP Address. For
site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode
selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for
site B?
a. 192.168.2.0/24
b. 192.168.0.0/8
c. 192.168.1.0/24
d. 192.168.3.0/24
11. Which two settings are required for SSL VPN to function between two FortiGate
devices? (Choose two.)
a. The client FortiGate requires a manually added route to remote subnets.
b. The client FortiGate requires a client certificate signed by the CA on the
server FortiGate.
c. The server FortiGate requires a CA certificate to verify the client FortiGate
certificate.
d. The client FortiGate requires the SSL VPN tunnel interface type to connect
SSL VPN.
12. Which statement correctly describes the use of reliable logging on FortiGate?
a. Reliable logging is enabled by default in all configuration scenarios.
b. Reliable logging is required to encrypt the transmission of logs.
c. Reliable logging can be configured only using the CLI.
d. Reliable logging prevents the loss of logs when the local disk is full.
13. Refer to the exhibits.
The exhibits contain a network diagram, and virtual IP, IP pool, and firewall
policies configuration information.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a
workstation with the IP address 10.0.1.10?
a. 10.200.1.1
b. 10.0.1.254
c. 10.200.1.10
d. 10.200.1.100
14. Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the
firewall policy and VIP configuration on the FortiGate device, and the routing table
on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2)
from the internet, the connection times out. At the same time, the administrator runs
a sniffer on FortiGate to capture incoming web traffic to the server and does not see
any output.
Based on the information shown in the exhibit, what configuration change must the
administrator make to fix the connectivity issue?
a. Configure a loopback interface with address 203.0.113.2/32.
b. In the VIP configuration, enable arp-reply.
c. Enable port forwarding on the server to map the external service port to the internal
service port.
d. In the firewall policy configuration, enable match-vip.
15. Which two statements are true about the FGCP protocol? (Choose two.)
a. FGCP elects the primary FortiGate device.
b. FGCP is not used when FortiGate is in transparent mode.
c. FGCP runs only over the heartbeat links.
d. FGCP is used to discover FortiGate devices in different HA groups.
16. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate
by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The
secondary tunnel must be used only if the primary tunnel goes down. In addition,
FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to
meet the requirements? (Choose two.)
A. Configure a higher distance on the static route for the primary tunnel, and a
lower distance on the static route for the secondary tunnel.
B. Configure a lower distance on the static route for the primary tunnel, and a
higher distance on the static route for the secondary tunnel.
C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2
configuration of both tunnels.
D. Enable Dead Peer Detection.
17. What are two benefits of flow-based inspection compared to proxy-based
inspection? (Choose two.)
A. FortiGate uses fewer resources.
B. FortiGate performs a more exhaustive inspection on traffic.
C. FortiGate adds less latency to traffic.
D. FortiGate allocates two sessions per connection.
18. FortiGuard categories can be overridden and defined in different categories. To
create a web rating override for the example.com home page, the override must be
configured using a specific syntax.
Which two syntaxes are correct to configure a web rating override for the home
page? (Choose two.)
A. www.example.com
B. www.example.com/index.html
C. www.example.com:443
D. example.com
19. Refer to the exhibit.
An administrator configured the web filtering profile shown in the exhibit to block
access to all social networking sites except Twitter. However, when users try to
access twitter.com, they are redirected to a FortiGuard web filtering block page.
Based on the exhibit, which configuration change can the administrator make to allow
Twitter while blocking all other social networking sites?
a. On the FortiGuard Category Based Filter configuration, set Action to Warning for
Social Networking.
b. On the Static URL Filter configuration, set Type to Simple.
c. On the Static URL Filter configuration, set Action to Exempt.
d. On the Static URL Filter configuration, set Action to Monitor.
20. Which three statements explain a flow-based antivirus profile? (Choose three.)
a. Flow-based inspection uses a hybrid of the scanning modes available in
proxy-based inspection.
b. If a virus is detected, the last packet is delivered to the client.
c. The IPS engine handles the process as a standalone.
d. FortiGate buffers the whole file but transmits to the client at the same time.
e. Flow-based inspection optimizes performance compared to proxy-based inspection.
21. Which three criteria can FortiGate use to look for a matching firewall policy to
process traffic? (Choose three.)
a. Services defined in the firewall policy
b. Highest to lowest priority defined in the firewall policy
c. Destination defined as Internet Services in the firewall policy
d. Lowest to highest policy ID number
e. Source defined as Internet Services in the firewall policy
22.