NEW QUESTION 1
Which of the following statements are true about Man-in-the-middle SSL Content Inspection? (Choose three.)

• A. The FortiGate device “re-signs” all the certificates coming from the HTTPS servers
• B. The FortiGate device acts as a sub-CA
• C. The local service certificate of the web server must be installed in the FortiGate device
• D. The FortiGate device does man-in-the-middle inspection.
• E. The required SSL Proxy certificate must first be requested to a public certificate authority (CA).

Answer: BCE

NEW QUESTION 2
Which protocols can you use for secure administrative access to a FortiGate? (Choose two)

• A. SSH
• B. Telnet
• C. NTLM
• D. HTTPS

Answer: AD

NEW QUESTION 3
Two devices are in an HA cluster, the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of diagnose sys session stat for the STUDENT device. Exhibit B shows the command output of diagnose sys session stat for the REMOTE device.
Exhibit A:

Exhibit B:

Given the information provided in the exhibits, which of the following statements are correct? (Choose two.)

• A. STUDENT is likely to be the master device.
• B. Session-pickup is likely to be enabled.
• C. The cluster mode is active-passive.
• D. There is not enough information to determine the cluster mode.

Answer: AD

NEW QUESTION 4
A FortiGate device is configured with two VDOMs. The management VDOM is 'root' , and is configured in transparent mode,'vdom1' is configured as NAT/route mode. Which traffic is generated only by 'root' and not 'vdom1'? (Choose three.)

• A. SNMP traps
• B. FortiGaurd
• C. ARP
• D. NTP
• E. ICMP redirect

Answer: ABD

NEW QUESTION 5
Which of the following items is NOT a packet characteristic matched by a firewall service object?

• A. ICMP type and code
• B. TCP/UDP source and destination ports
• C. IP protocol number
• D. TCP sequence number

Answer: D

NEW QUESTION 6
With FSSO DC-agent mode, a domain user could authenticate either against the domain controller running the collector agent and domain controller agent, or a domain controller running only the domain controller agent.
If you attempt to authenticate with a domain controller running only the domain controller agent, which statements are correct? (Choose two.)

• A. The login event is sent to a collector agent.
• B. The FortiGate receives the user information directly from the receiving domain controller agent of the secondary domain controller.
• C. The domain collector agent may perform a DNS lookup for the authenticated client's IP address.
• D. The user cannot be authenticated with the FortiGate in this manner because each domain controller agent requires a dedicated collector agent.

Answer: AC

NEW QUESTION 7
Which two web filtering inspection modes inspect the full URL? (Choose two.)

• A. DNS-based
• B. Proxy-based
• C. Flow-based
• D. URL-based

Answer: BC

NEW QUESTION 8
How do application control signatures update on a FortiGate device?

• A. Through FortiGuard updates.
• B. Upgrade the FortiOS firmware to a newer release.
• C. By running the Application Control auto-learning feature.
• D. Signatures are hard coded to the device and cannot be updated.

Answer: A

NEW QUESTION 9
Which of the following actions can be used to back up the keys and digital certificates in a FortiGate device? (Choose two.)

• A. Taking a full backup of the FortiGate configuration
• B. Uploading a PKCS#10 file to a USB drive
• C. Manually uploading the certificate information to a Certificate authority (CA)
• D. Uploading a PKCS#12 file to a TFTP server

Answer: AD

NEW QUESTION 10
Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled?

• A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number.
• B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number.
• C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number.
• D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number.

Answer: B

NEW QUESTION 11
A FortiGate is configured to receive push updates from the FortiGuard Distribution Network, however, they are not being received.
Which is one reason for this problem?

• A. The FortiGate is connected to multiple ISPs.
• B. FortiGuard scheduled updates are enabled in the FortiGate configuration.
• C. The FortiGate is in Transparent mode.
• D. The external facing interface of the FortiGate is configured to get the IP address from a DHCP server.

Answer: D

NEW QUESTION 12
To which remote device can the FortiGate send logs? (Choose three.)

• A. Syslog
• B. FortiAnalyzer
• C. Hard drive
• D. Memory
• E. FortiCloud

Answer: ABE

NEW QUESTION 13
Which statement best describes what SSL.root is?

• A. The name of the virtual network adapter required in each user's PC for SSL VPN Tunnel mode.
• B. The name of a virtual interface in the root VDOM where all the SSL VPN user traffic comes from.
• C. A Firewall Address object that contains the IP addresses assigned to SSL VPN users.
• D. The virtual interface in the root VDOM that the remote SSL VPN tunnels connect to.

Answer: B

NEW QUESTION 14
What determines whether a log message is generated or not?

• A. Firewall policy setting
• B. Log Settings in the GUI
• C. 'config log' command in the CLI
• D. Syslog
• E. Webtrends

Answer: A

NEW QUESTION 15
Which is NOT true about source matching with firewall policies?

• A. A source address object must be selected in the firewall policy.
• B. A source user/group may be selected in the firewall policy.
• C. A source device may be defined in the firewall policy.
• D. A source interface must be selected in the firewall policy.
• E. A source user/group and device must be specified in the firewall policy.

Answer: E

NEW QUESTION 16
In which order are firewall policies processed on a FortiGate unit?

• A. From top to bottom, according with their sequence number.
• B. From top to bottom, according with their policy ID number.
• C. Based on best match.
• D. Based on the priority value.

Answer: A