NEW QUESTION 1

Which two statements about antivirus scanning mode are true? (Choose two.)

• A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
• B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
• C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
• D. In flow-based inspection mode, files bigger than the buffer size are scanned.

Answer: BC

Explanation:
An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM—something that no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses pass through.

NEW QUESTION 2

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?

• A. The administrator can register the same FortiToken on more than one FortiGate.
• B. The administrator must use a FortiAuthenticator device.
• C. The administrator can use a third-party radius OTP server.
• D. The administrator must use the user self-registration server.

Answer: B

NEW QUESTION 3

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

• A. On HQ-FortiGate, enable Auto-negotiate.
• B. On Remote-FortiGate, set Seconds to 43200.
• C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
• D. On HQ-FortiGate, set Encryption to AES256.

Answer: D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495
Encryption and authentication algorithm needs to match in order for IPSEC be successfully established.

NEW QUESTION 4

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

• A. Root VDOM
• B. FG-traffic VDOM
• C. Customer VDOM
• D. Global VDOM

Answer: A

NEW QUESTION 5

Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)

• A. Lookup is done on the first packet from the session originator
• B. Lookup is done on the last packet sent from the responder
• C. Lookup is done on every packet, regardless of direction
• D. Lookup is done on the trust reply packet from the responder

Answer: AD

NEW QUESTION 6

Refer to the exhibit.


The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?

• A. ‘host 192.168.0.2 and port 8080’
• B. ‘host 10.0.0.50 and port 80’
• C. ‘host 192.168.0.1 and port 80’
• D. ‘host 10.0.0.50 and port 8080’

Answer: A

NEW QUESTION 7

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services. What CLI command must the administrator use to view the route?

• A. get router info routing-table all
• B. get internet service route list
• C. get router info routing-table database
• D. diagnose firewall proute list

Answer: D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/latest/administration-guide/139692/routing-concepts

NEW QUESTION 8

Which of statement is true about SSL VPN web mode?

• A. The tunnel is up while the client is connected.
• B. It supports a limited number of protocols.
• C. The external network application sends data through the VPN.
• D. It assigns a virtual IP address to the client.

Answer: B

Explanation:
FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.

NEW QUESTION 9

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

• A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password
• B. FortiGate supports pre-shared key and signature as authentication methods.
• C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
• D. A certificate is not required on the remote peer when you set the signature as the authentication method.

Answer: AB

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/913287/ipsec-vpn-authenticating-aremote-fortigate

NEW QUESTION 10

Refer to the exhibit.

According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?

• A. A user
• B. A root CA
• C. A bridge CA
• D. A subordinate

Answer: A

NEW QUESTION 11

Which two statements are true about the RPF check? (Choose two.)

• A. The RPF check is run on the first sent packet of any new session.
• B. The RPF check is run on the first reply packet of any new session.
• C. The RPF check is run on the first sent and reply packet of any new session.
• D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Answer: AD

Explanation:
Reference: https://www.programmersought.com/article/16383871634/

NEW QUESTION 12

Which two types of traffic are managed only by the management VDOM? (Choose two.)

• A. FortiGuard web filter queries
• B. PKI
• C. Traffic shaping
• D. DNS

Answer: AD

NEW QUESTION 13

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

• A. Run a sniffer on the web server.
• B. Capture the traffic using an external sniffer connected to port1.
• C. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”
• D. Execute a debug flow.

Answer: D

NEW QUESTION 14

Which statement about video filtering on FortiGate is true?

• A. Full SSL Inspection is not required.
• B. It is available only on a proxy-based firewall policy.
• C. It inspects video files hosted on file sharing services.
• D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering

NEW QUESTION 15

Which two statements are true about collector agent advanced mode? (Choose two.)

• A. Advanced mode uses Windows convention—NetBios: Domain\Username.
• B. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate
• C. Advanced mode supports nested or inherited groups
• D. Security profiles can be applied only to user groups, not individual users.

Answer: BC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso

NEW QUESTION 16

In an explicit proxy setup, where is the authentication method and database configured?

• A. Proxy Policy
• B. Authentication Rule
• C. Firewall Policy
• D. Authentication scheme

Answer: D

NEW QUESTION 17

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)

• A. Antivirus scanning
• B. File filter
• C. DNS filter
• D. Intrusion prevention

Answer: AD

NEW QUESTION 18

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

• A. System event logs
• B. Forward traffic logs
• C. Local traffic logs
• D. Security logs

Answer: C

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/476970

NEW QUESTION 19

Exhibit:

Refer to the exhibit to view the authentication rule configuration In this scenario, which statement is true?

• A. IP-based authentication is enabled
• B. Route-based authentication is enabled
• C. Session-based authentication is enabled.
• D. Policy-based authentication is enabled

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45387

NEW QUESTION 20

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?
A User or User Group

• A. IP address
• B. No other object can be added
• C. FQDN address

Answer: B

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy

NEW QUESTION 21
......