NEW QUESTION 1
An administrator has enabled the DHCP Server on the port1 interface and configured the following based on the exhibit.

Which statement is correct based on this configuration? Response:

• A. The MAC address 00:0c:29:29:38:da belongs to the port1 interface.
• B. Access to the network is blocked for the devices with the MAC address 00:0c:29:29:38:da and the IP address 10.0.1.254.
• C. 00:0c:29:29:38:da is the virtual MAC address assigned to the secondary IP address (10.0.1.254) of the port1 interface.
• D. The IP address 10.0.1.254 is reserves for the device with the MAC address 00:0c:29:29:38:da.

Answer: D

NEW QUESTION 2
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

What are the expected actions if traffic matches this IPS sensor? (Choose two.)

• A. The sensor will gather a packet log for all matched traffic.
• B. The sensor will not block attackers matching the A32S.Botnet signature.
• C. The sensor will block all attacks for Windows servers.
• D. The sensor will reset all connections that match these signatures.

Answer: BC

NEW QUESTION 3
Which one of the following processes is involved in updating IPS from FortiGuard?

• A. FortiGate IPS update requests are sent using UDP port 443.
• B. Protocol decoder update requests are sent to service.fortiguard.net.
• C. IPS signature update requests are sent to update.fortiguard.net.
• D. IPS engine updates can only be obtained using push updates.

Answer: C

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/07-FortiGuard.htm

NEW QUESTION 4
Examine the network diagram and the existing FGTI routing table shown in the exhibit, and then answer the following question:

An administrator has added the following static route on FGTI.

Since the change, the new static route is not showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?

• A. The new route’s destination subnet overlaps an existing route.
• B. The new route’s Distance value should be higher than 10.
• C. The Gateway IP address is not in the same subnet as port1.
• D. The Priority is 0, which means that this route will remain inactive.

Answer: C

NEW QUESTION 5
What criteria does FortiGate use to look for a matching firewall policy to process traffic? (Choose two.)

• A. Services defined in the firewall policy.
• B. Incoming and outgoing interfaces
• C. Highest to lowest priority defined in the firewall policy.
• D. Lowest to highest policy ID number.

Answer: AB

NEW QUESTION 6
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

• A. It limits the scope of application control to the browser-based technology category only.
• B. It limits the scope of application control to scan application traffic based on application category only.
• C. It limits the scope of application control to scan application traffic using parent signatures only
• D. It limits the scope of application control to scan application traffic on DNS protocol only.

Answer: B

NEW QUESTION 7
Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

• A. It is allowed, but with no inspection
• B. It is allowed and inspected as long as the inspection is flow based
• C. It is dropped.
• D. It is allowed and inspected, as long as the only inspection required is antivirus.

Answer: A

NEW QUESTION 8
Examine the exhibit, which contains a virtual IP and firewall policy configuration.



The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

• A. 10.200.1.10
• B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
• C. 10.200.1.1
• D. 10.0.1.254

Answer: C

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.

NEW QUESTION 9
How do you format the FortiGate flash disk?

• A. Load a debug FortiOS image.
• B. Load the hardware test (HQIP) image.
• C. Execute the CLI command execute formatlogdisk.
• D. Select the format boot device option from the BIOS menu.

Answer: D

NEW QUESTION 10
Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

• A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
• B. ADVPN is only supported with IKEv2.
• C. Tunnels are negotiated dynamically between spokes.
• D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Answer: AC

NEW QUESTION 11
A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true?

• A. It can create administrator accounts with access to the same VDOM.
• B. It cannot have access to more than one VDOM.
• C. It can reset the password for the admin account.
• D. It can upgrade the firmware on the FortiGate device.

Answer: B

NEW QUESTION 12
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

• A. The next-hop IP address is unreachable.
• B. It failed the RPF check.
• C. It matched an explicitly configured firewall policy with the action DENY.
• D. It matched the default implicit firewall policy.

Answer: D

NEW QUESTION 13
Which of the following conditions are required for establishing an IPSec VPN between two FortiGate devices? (Choose two.)

• A. If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer.
• B. If the VPN is configured as route-based, there must be at least one firewall policy with the action set toIPSec.
• C. If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or Dynamic DNS in the other peer.
• D. If the VPN is configured as a policy-based in one peer, it must also be configured as policy-based in the other peer.

Answer: AC

NEW QUESTION 14
Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server?

• A. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]
• B. 0.0.0.0/0 [20/0] via 10.4.200.2, port2
• C. 10.4.200.0/30 is directly connected, port2
• D. 172.16.32.0/24 is directly connected, port1

Answer: D

NEW QUESTION 15
Which of the following statements describe WMI polling mode for the FSSO collector agent? (Choose two.)

• A. The NetSessionEnum function is used to track user logoffs.
• B. WMI polling can increase bandwidth usage in large networks.
• C. The collector agent uses a Windows API to query DCs for user logins.
• D. The collector agent do not need to search any security event logs.

Answer: CD

NEW QUESTION 16
You have tasked to design a new IPsec deployment with the following criteria: Which topology should be used to satisfy all of the requirements?

• A. Partial mesh
• B. Hub-and-spoke
• C. Fully meshed
• D. Redundant

Answer: B

NEW QUESTION 17
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

• A. remote user’s public IP address
• B. The public IP address of the FortiGate device.
• C. The remote user’s virtual IP address.
• D. The internal IP address of the FortiGate device.

Answer: D

Explanation:
Source IP seen by the remote resources is FortiGate’s internal IP address and not the user’s IP address

NEW QUESTION 18
Which is the correct description of a hash result as it relates to digital certificates?

• A. A unique value used to verify the input data
• B. An output value that is used to identify the person or deduce that authored the input data.
• C. An obfuscation used to mask the input data.
• D. An encrypted output value used to safe-guard the input data

Answer: A

NEW QUESTION 19
What FortiGate configuration is required to actively prompt users for credentials?

• A. You must enable one or more protocols that support active authentication on a firewall policy.
• B. You must position the firewall policy for active authentication before a firewall policy for passive authentication
• C. You must assign users to a group for active authentication
• D. You must enable the Authentication setting on the firewall policy

Answer: C

NEW QUESTION 20
Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

• A. Include the group of guest users in a policy.
• B. Extend timeout timers.
• C. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.
• D. Ensure all firewalls allow the FSSO required ports.

Answer: AD

NEW QUESTION 21
Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)

• A. Priority
• B. Metric
• C. Distance
• D. Cost

Answer: AC

NEW QUESTION 22
When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?

• A. Connected monitored ports > HA uptime > priority > serial number
• B. Priority > Connected monitored ports > HA uptime > serial number
• C. Connected monitored ports > priority > HA uptime > serial number
• D. HA uptime > priority > Connected monitored ports > serial number

Answer: C

NEW QUESTION 23
View the exhibit.


What does this raw log indicate? (Choose two.)

• A. FortiGate blocked the traffic.
• B. type indicates that a security event was recorded.
• C. 10.0.1.20 is the IP address for lavito.tk.
• D. policyid indicates that traffic went through the IPS firewall policy.

Answer: AB

NEW QUESTION 24
......