NEW QUESTION 1
An administrator added the following Ipsec VPN to a FortiGate configuration:
configvpn ipsec phasel -interface edit "RemoteSite"
set type dynamic
set interface "portl"
set mode main
set psksecret ENC LCVkCiK2E2PhVUzZe next
end
config vpn ipsec phase2-interface edit "RemoteSite"
set phasel name "RemoteSite" set proposal 3des-sha256
next end
However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while attempting the Ipsec connection. The output is shown in the exhibit.


What is causing the IPsec problem in the phase 1 ?

• A. The incoming IPsec connection is matching the wrong VPN configuration
• B. The phrase-1 mode must be changed to aggressive
• C. The pre-shared key is wrong
• D. NAT-T settings do not match

Answer: C

NEW QUESTION 2
Which the following events can trigger the election of a new primary unit in a HA cluster? (Choose two.)

• A. Primary unit stops sending HA heartbeat keepalives.
• B. The FortiGuard license for the primary unit is updated.
• C. One of the monitored interfaces in the primary unit is disconnected.
• D. A secondary unit is removed from the HA cluster.

Answer: AB

NEW QUESTION 3
How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local FDS?

• A. FortiManager can download and maintain local copies of FortiGuard databases.
• B. FortiManager supports only FortiGuard push to managed devices.
• C. FortiManager will respond to update requests only if they originate from a managed device.
• D. FortiManager does not support rating requests.

Answer: A

NEW QUESTION 4
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

• A. BGP state of the peer 10.125.0.60 is Established.
• B. BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.
• C. Local BGP peer has not received an OpenConfirm from 10.200.3.1.
• D. The local BGP peer has received a total of 3 BGP prefixes.

Answer: AC

NEW QUESTION 5
View the exhibit, which contains a session entry, and then answer the question below.

Which statement is correct regarding this session?

• A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.
• B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.
• C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
• D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Answer: A

NEW QUESTION 6
A FortiGate device has the following LDAP configuration:

The administrator executed the ‘dsquery’ command in the Windows LDAp server 10.0.1.10, and got the following output:
>dsquery user –samid administrator
“CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab” Based on the output, what FortiGate LDAP setting is configured incorrectly?

• A. cnid.
• B. username.
• C. password.
• D. dn.

Answer: A

NEW QUESTION 7
A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the Windows AD network. The output of the ‘diagnose debug authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

• A. The user student must not be listed in the CA’s ignore user list.
• B. The user student must belong to one or more of the monitored user groups.
• C. The student workstation’s IP subnet must be listed in the CA’s trusted list.
• D. At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

Answer: BD

NEW QUESTION 8
A FortiGate's portl is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)

• A. Both session have the local flag on.
• B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
• C. One session has the proxy flag on, the other one does not.
• D. One of the sessions has the IP address of port2 as the source IP address.

Answer: AD

NEW QUESTION 9
Which of the following conditions must be met for a static route to be active in the routing table? (Choose three.)

• A. The next-hop IP address is up.
• B. There is no other route, to the same destination, with a higher distance.
• C. The link health monitor (if configured) is up.
• D. The next-hop IP address belongs to one of the outgoing interface subnets.
• E. The outgoing interface is up.

Answer: ABE

NEW QUESTION 10
Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?

• A. Diagnose debug application radius -1.
• B. Diagnose debug application fnbamd -1.
• C. Diagnose authd console –log enable.
• D. Diagnose radius console –log enable.

Answer: A

NEW QUESTION 11
An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.


Based on the output in the exhibit, what can cause this authentication problem?

• A. User student is not found in the LDAP server.
• B. User student is using a wrong password.
• C. The FortiGate has been configured with the wrong password for the LDAP administrator.
• D. The FortiGate has been configured with the wrong authentication schema.

Answer: A

NEW QUESTION 12
Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?

• A. FortiGate limits the number of simultaneous sessions per explicit web proxy use
• B. This limit CANNOT be modified by the administrator.
• C. FortiGate limits the total number of simultaneous explicit web proxy users.
• D. FortiGate limits the number of simultaneous sessions per explicit web proxy use
• E. The limit CAN be modified by the administrator.
• F. FortiGate limits the number of workstations that authenticate using the same web proxy user credentials.This limit CANNOT be modified by the administrator.

Answer: C

NEW QUESTION 13
View these partial outputs from two routing debug commands:

Which outbound interface will FortiGate use to route web traffic from internal users to the Internet?

• A. Both port1 and port2
• B. port3
• C. port1
• D. port2

Answer: C

NEW QUESTION 14
What events are recorded in the crashlogs of a FortiGate device? (Choose two.)

• A. A process crash.
• B. Configuration changes.
• C. Changes in the status of any of the FortiGuard licenses.
• D. System entering to and leaving from the proxy conserve mode.

Answer: AD

NEW QUESTION 15
View the central management configuration shown in the exhibit, and then answer the question below.

Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?

• A. 10.0.1.240
• B. One of the public FortiGuard distribution servers
• C. 10.0.1.244
• D. 10.0.1.242

Answer: B

NEW QUESTION 16
View the exhibit, which contains the output of a debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

• A. In the network on port4, two OSPF routers are down.
• B. Port4 is connected to the OSPF backbone area.
• C. The local FortiGate’s OSPF router ID is 0.0.0.4
• D. The local FortiGate has been elected as the OSPF backup designated router.

Answer: BC