Exam4Training

Fortinet NSE7_EFW-7.0 Fortinet NSE 7 – Enterprise Firewall 7.0 Online Training

Question #1

Refer to the exhibit, which contains partial output from an IKE real-time debug.

Which two statements about this debug output are correct? (Choose two.)

  • A . The initiator provided remote as its IPsec peer ID.
  • B . It shows a phase 2 negotiation.
  • C . Perfect Forward Secrecy (PFS) is enabled in the configuration.
  • D . The local gateway IP address is 10.0.0.1.

Correct Answer: A,D

Explanation:

A, because the debug shows: received peer identifier FQDN ‘remote’

D, because the debug shows: ike 0: comes 10.0.0.2:500 -> 10.0.0.1:500

Question #2

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

The administrator does not have access to the remote gateway.

Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

  • A . Change phase 1 encryption to 3DES and authentication to SHA128.
  • B . Change phase 1 encryption to AES128 and authentication to SHA512.
  • C . Change phase 1 encryption to AESCBC and authentication to SHA2.
  • D . Change phase 1 encryption to AES256 and authentication to SHA256.

Correct Answer: D

Question #3

An administrator has created a VPN community within VPN Manager on FortiManager. They also added gateways to the VPN community and are now trying to create firewall policies to permit traffic over the tunnel; however, the VPN interfaces are not listed as available options.

What step must the administrator take to resolve this issue?

  • A . Install the VPN community and gateway configuration to the FortiGate devices, in order for the interfaces to be displayed within Policy & Objects on FortiManager
  • B . Set up all of the phase 1 settings in the VPN community that they neglected to set up initially. The interfaces will be automatically generated after the administrator configures all of the required settings.
  • C . Refresh the device status from the Device Manager so that FortiGate will populate the IPsec interfaces.
  • D . Create interface mappings for the IPsec VPN interfaces, before they can be used in a policy.

Correct Answer: A

Explanation:

1- Create a VPN Community

2- Install VPN Configuration

3- Add IPsec Firewall Policies

4- Install the Policies

Question #4

Examine the output of the ‘diagnose debug rating’ command shown in the exhibit; then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

  • A . There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.
  • B . The TZ value represents the delta between each FortiGuard server’s time zone and the FortiGate’s time zone.
  • C . FortiGate will send the FortiGuard queries to the server with highest weight.
  • D . A server’s round trip delay (RTT) is not used to calculate its weight.

Correct Answer: B,C

Question #5

How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local FDS?

  • A . FortiManager can download and maintain local copies of FortiGuard databases.
  • B . FortiManager supports only FortiGuard push to managed devices.
  • C . FortiManager will respond to update requests only if they originate from a managed device.
  • D . FortiManager does not support rating requests.

Correct Answer: A

Question #6

View these partial outputs from two routing debug commands:

Which outbound interface will FortiGate use to route web traffic from internal users to the Internet?

  • A . Both port1 and port2
  • B . port3
  • C . port1
  • D . port2

Correct Answer: C

Question #7

Refer to the exhibit, which shows the output of a diagnose command.

What can be concluded about the debug output in this scenario?

  • A . Servers with a negative TZ value are less preferred for rating requests.
  • B . There is a natural correlation between the value in the Packets field and the value in the Weight field.
  • C . FortiGate used 64.26.151.37 as the initial server to validate its contract.
  • D . The first server provided to FortiGate when it performed a DNS query looking for a list of rating servers, was 121.111.236.179.

Correct Answer: B

Question #8

An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link-failed-signal to fix the problem.

Which statement is correct regarding this command?

  • A . Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.
  • B . Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
  • C . Sends a link failed signal to all connected devices.
  • D . Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.

Correct Answer: A

Question #9

View the central management configuration shown in the exhibit, and then answer the question below.

Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?

  • A . 10.0.1.240
  • B . One of the public FortiGuard distribution servers
  • C . 10.0.1.244
  • D . 10.0.1.242

Correct Answer: B

Question #10

Exhibits:

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

An administrator is trying to configure ADVPN with a hub-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned by one spoke are forwarded to the other spokes?

  • A . Configure an individual neighbor and remove neighbor-range configuration.
  • B . Configure the hub as a route reflector client.
  • C . Change the router id to 10.1.0.254.
  • D . Make the configuration of remote-as different from the configuration of local-as.

Correct Answer: B

Explanation:

Source: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-BGP-route-reflector/ta-p/191503

Source 2: RFC 4456

Question #11

Refer to the exhibit, which contains the output of diagnose sys session list.

If the HA ID for the primary unit is zero (0), which statement about the output is true?

  • A . This session cannot be synced with the slave unit.
  • B . The inspection of this session has been offloaded to the slave unit.
  • C . The master unit is processing this traffic.
  • D . This session is for HA heartbeat traffic.

Correct Answer: C

Question #12

View the exhibit, which contains the output of get sys ha status, and then answer the question below.

Which statements are correct regarding the output? (Choose two.)

  • A . The slave configuration is not synchronized with the master.
  • B . The HA management IP is 169.254.0.2.
  • C . Master is selected because it is the only device in the cluster.
  • D . port7 is used for the HA heartbeat on all devices in the cluster.

Correct Answer: A,D

Question #13

Which statement about protocol options is true?

  • A . Protocol options allows administrators a streamlined method to instruct FortiGate to block all sessions corresponding to disabled protocols.
  • B . Protocol options allows administrators the ability to configure the Any setting for all enabled protocols which provides the most efficient use of system resources.
  • C . Protocol options allow administrators to configure a maximum number of sessions for each configured protocol.
  • D . Protocol options allows administrators to configure which Layer 4 port numbers map to upper-layer protocols, such as HTTP, SMTP, FTP, and so on.

Correct Answer: D

Question #14

An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage. However, after the changes, one network application started to have problems. During the troubleshooting, the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets, and before the arrival of the SYN/ACKs. When the SYN/ACK packets arrive to the FortiGate, the unit has already deleted the respective sessions.

Which TCP session timer must be increased to fix this problem?

  • A . TCP half open.
  • B . TCP half close.
  • C . TCP time wait.
  • D . TCP session time to live.

Correct Answer: A

Explanation:

http://docs-legacy.fortinet.com/fos40hlp/43prev/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=CLI_get_Commands.58.25.html

The tcp-halfopen-timer controls for how long, after a SYN packet, a session without a SYN/ACK remains in the table.

The tcp-halfclose-timer controls for how long, after a FIN packet, a session without a FIN/ACK remains in the table.

The tcp-timewait-timer controls for how long, after a FIN/ACK packet, a session remains in the table. A closed session remains in the session table for a few seconds more to allow any out-of-sequence packet.

Question #15

A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reporting DNS errors when accessing any website.

The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

What should the administrator check to fix the problem?

  • A . The connectivity between the FortiGate unit and the DNS server.
  • B . The connectivity between the client workstations and the DNS server.
  • C . That DNS traffic from client workstations is allowed by the explicit web proxy policies.
  • D . That DNS service is enabled in the explicit web proxy interface.

Correct Answer: A

Question #16

Refer to the exhibit, which contains a screenshot of some phase 1 settings.

The VPN is not up. To diagnose the issue, the administrator enters the following CLI commands in an SSH session on FortiGate:

diagnose vpn ike log-filter dst-addr4 10.0.10.1
diagnose debug application ike -1

However, the IKE real-time debug does not show any output.

Why?

  • A . The administrator must also run the command diagnose debug enable.
  • B . The administrator must enable the following real-time debug: diagnose debug application ipsec -1.
  • C . The log-filter setting is incorrect. The VPN traffic does not match this filter.
  • D . The debug shows only error messages. If there is no output, then the phase 1 and phase 2 configurations match.

Correct Answer: A

Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-Diagnostics-Possible-reasons/ta-p/192006

Question #17

Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

  • A . Installing configuration changes to managed devices
  • B . Importing interface mappings from managed devices
  • C . Adding devices to FortiManager
  • D . Previewing pending configuration changes for managed devices

Correct Answer: A,D

Explanation:

Reference: https://docs.fortinet.com/document/fortimanager/6.2.0/administration-guide/668612/using-the-install-wizard-to-install-device-settings-only

Question #18

Refer to the exhibit, which shows the output of a BGP debug command.

Which statement explains why the state of the 10.200.3.1 peer is Connect?

  • A . The local router has a different AS number than the remote peer.
  • B . The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the openConfirm yet.
  • C . The local router initiated the BGP session to 10.200.3.1 but did not receive a response.
  • D . The router 10.200.3.1 has authentication configured for BGP and the local router does not.

Correct Answer: C

Question #19

View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

  • A . IPS will scan every byte in every session.
  • B . FortiGate will spawn IPS engine instances based on the system load.
  • C . New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
  • D . IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Correct Answer: A

Question #20

The CLI command set intelligent-mode <enable | disable> controls the IPS engine’s adaptive scanning behavior.

Which of the following statements describes IPS adaptive scanning?

  • A . Determines the optimal number of IPS engines required based on system load.
  • B . Downloads signatures on demand from FDS based on scanning requirements.
  • C . Determines when it is secure enough to stop scanning session traffic.
  • D . Choose a matching algorithm based on available memory and the type of inspection being performed.

Correct Answer: C

Explanation:

Configuring IPS intelligence

Starting with FortiOS 5.2, intelligent-mode is a new adaptive detection method. This command is enabled by default, which means that the IPS engine performs adaptive scanning so that, for some traffic, FortiGate can quickly finish scanning and offload the traffic to the NPU or kernel. It is a balanced method that covers all known exploits. When disabled, the IPS engine scans every single byte.

config ips global
    set intelligent-mode {enable|disable}
end

Question #21

In which two states is a given session categorized as ephemeral? (Choose two.)

  • A . A TCP session waiting for FIN ACK
  • B . A UDP session with packets sent and received
  • C . A UDP session with only one packet received
  • D . A TCP session waiting for the SYN ACK

Correct Answer: C,D

Question #22

View the exhibit, which contains the output of diagnose sys session stat, and then answer the question below.

Which statements are correct regarding the output shown? (Choose two.)

  • A . There are 0 ephemeral sessions.
  • B . All the sessions in the session table are TCP sessions.
  • C . No sessions have been deleted because of memory pages exhaustion.
  • D . There are 166 TCP sessions waiting to complete the three-way handshake.

Correct Answer: A,C

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD40578

Question #23

Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?

  • A . diagnose debug application radius -1
  • B . diagnose debug application fnbamd -1
  • C . diagnose authd console-log enable
  • D . diagnose radius console-log enable

Correct Answer: B

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD32838

Question #24

Four FortiGate devices configured for OSPF are connected to the same broadcast domain. The first unit is elected as the designated router. The second unit is elected as the backup designated router. Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

  • A . 1
  • B . 2
  • C . 3
  • D . 4

Correct Answer: B

Question #25

Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

  • A . Anti-replay is enabled
  • B . The remote gateway IP is 10.200.4.1.
  • C . DPD is disabled.
  • D . Quick mode selectors are disabled.

Correct Answer: A,B

Question #26

View the exhibit, which contains an entry in the session table, and then answer the question below.

Which one of the following statements is true regarding FortiGate’s inspection of this session?

  • A . FortiGate applied proxy-based inspection.
  • B . FortiGate forwarded this session without any inspection.
  • C . FortiGate applied flow-based inspection.
  • D . FortiGate applied explicit proxy-based inspection.

Correct Answer: A

Explanation:

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

Question #27

An administrator added the following IPsec VPN to a FortiGate configuration:

config vpn ipsec phase1-interface
    edit "RemoteSite"
        set type dynamic
        set interface "port1"
        set mode main
        set psksecret ENC LCVkCiK2E2PhVUzZe
    next
end

config vpn ipsec phase2-interface
    edit "RemoteSite"
        set phase1name "RemoteSite"
        set proposal 3des-sha256
    next
end

However, the phase 1 negotiation is failing. The administrator executed the IKE real-time debug while attempting the IPsec connection.

The output is shown in the exhibit.

What is causing the IPsec problem in phase 1?

  • A . The incoming IPsec connection is matching the wrong VPN configuration
  • B . The phase 1 mode must be changed to aggressive
  • C . The pre-shared key is wrong
  • D . NAT-T settings do not match

Correct Answer: C

Question #28

View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel.

To diagnose, the administrator enters these CLI commands:

However, the IKE real time debug does not show any output.

Why?

  • A . The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.
  • B . The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.
  • C . The debug shows only error messages. If there is no output, then the tunnel is operating normally.
  • D . The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

Correct Answer: B

Question #29

Refer to the exhibit, which contains partial output from an IKE real-time debug.

Which two statements about this debug output are correct? (Choose two.)

  • A . The remote gateway IP address is 10.0.0.1.
  • B . The initiator provided remote as its IPsec peer ID.
  • C . It shows a phase 1 negotiation.
  • D . The negotiation is using AES128 encryption with CBC hash.

Correct Answer: B,C

Question #30

Examine the output of the ‘get router info ospf interface’ command shown in the exhibit; then answer the question below.

Which statements are true regarding the above output? (Choose two.)

  • A . The port4 interface is connected to the OSPF backbone area.
  • B . The local FortiGate has been elected as the OSPF backup designated router.
  • C . There are at least 5 OSPF routers connected to the port4 network.
  • D . Two OSPF routers are down in the port4 network.

Correct Answer: A,C

Explanation:

On a BROADCAST network there are 4 neighbors, among which 1 DR and 1 BDR. So our FortiGate has 4 neighbors, but creates an adjacency only with 2 of them (the DR and the BDR). The other 2 neighbors are DROther (not down).

Question #31

Examine the output from the ‘diagnose debug authd fsso list’ command; then answer the question below.

# diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: INTERNAL2.TRAINING.LAB

The IP address 192.168.3.1 is NOT the one used by the workstation INTERNAL2.TRAINING.LAB.

What should the administrator check?

  • A . The IP address recorded in the logon event for the user STUDENT.
  • B . The DNS name resolution for the workstation name INTERNAL2.TRAINING.LAB.
  • C . The source IP address of the traffic arriving at the FortiGate from the workstation INTERNAL2.TRAINING.LAB.
  • D . The reverse DNS lookup for the IP address 192.168.3.1.

Correct Answer: C

Question #32

Refer to the exhibits, which show the configuration on FortiGate and partial session information for internet traffic from a user on the internal network.

If the priority on route ID 2 were changed from 10 to 0, what would happen to traffic matching that user session?

  • A . The session would remain in the session table, but its traffic would now egress from both port1 and port2.
  • B . The session would remain in the session table, and its traffic would egress from port2.
  • C . The session would be deleted, and the client would need to start a new session.
  • D . The session would remain in the session table, and its traffic would egress from port1.

Correct Answer: D

Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-SNAT-route-change-to-update-existing-NAT/ta-p/198439

Question #33

Which two conditions would prevent a static route from being added to the routing table? (Choose two.)

  • A . There is another route to the same destination, with a lower distance.
  • B . The route has a lower priority value than another route to the same destination.
  • C . The next-hop IP address is unreachable.
  • D . The interface specified in the route configuration is down.

Correct Answer: A,D

Explanation:

The routing table contains only the static route with the lowest distance.

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-and/ta-p/198221

Question #34

Refer to the exhibit, which contains partial outputs from two routing debug commands.

Why is the port2 default route not in the second command’s output?

  • A . It has a higher priority value than the default route using port1.
  • B . It is disabled in the FortiGate configuration.
  • C . It has a lower priority value than the default route using port1.
  • D . It has a higher distance than the default route using port1.

Correct Answer: D

Question #35

View the exhibit, which contains the output of a web diagnose command, and then answer the question below.

Which one of the following statements explains why the cache statistics are all zeros?

  • A . The administrator has reallocated the cache memory to a separate process.
  • B . There are no users making web requests.
  • C . The FortiGuard web filter cache is disabled in the FortiGate’s configuration.
  • D . FortiGate is using a flow-based web filter and the cache applies only to proxy-based inspection.

Correct Answer: C

Question #36

What is the diagnose test application ipsmonitor 5 command used for?

  • A . To enable IPS bypass mode
  • B . To disable the IPS engine
  • C . To restart all IPS engines and monitors
  • D . To provide information regarding IPS sessions

Correct Answer: A

Explanation:

# diagnose test application ipsmonitor

5: Toggle bypass status

13: IPS session list

98: Stop all IPS engines

99: Restart all IPS engines and monitor

Question #37

View the exhibit, which contains the output of a real-time debug, and then answer the question below.

Which of the following statements is true regarding this output?

  • A . The requested URL belongs to category ID 255.
  • B . The server hostname is training.fortinet.com.
  • C . FortiGate found the requested URL in its local cache.
  • D . This web request was inspected using the ftgd-allow web filter profile.

Correct Answer: C

Explanation:

Example log for the no-local-cache case:

#id=93000 msg="pid=57 urlfilter_main-723 in main.c received pkt:count=91"

IPS and WAD only send a request to the urlfilter daemon when the cache is missed. So in this case the WAD process found the URL rating in its local cache by itself and did not ask the urlfilter process for help, unlike in the example above.

Question #38

What does the dirty flag mean in a FortiGate session configured for NGFW policy mode?

  • A . The existing session table entry has been updated with the app_id and the firewall policy table needs to be checked for a match.
  • B . The application or URL category is unknown and needs to be rescanned by the IPS engine to try to identify the Layer 7 details.
  • C . The URL category for this session has been updated by FortiGuard and the session needs to be checked against the policy again to ensure proper web filtering is applied.
  • D . Traffic has been identified as coming from an application that is not allowed and the relevant replacement message needs to be displayed to the user, if configured.

Correct Answer: A

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 99

Question #39

View the following FortiGate configuration.

All traffic to the Internet currently egresses from port1.

The exhibit shows partial session information for Internet traffic from a user on the internal network:

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user’s session?

  • A . The session would remain in the session table, and its traffic would still egress from port1.
  • B . The session would remain in the session table, but its traffic would now egress from both port1 and port2.
  • C . The session would remain in the session table, and its traffic would start to egress from port2.
  • D . The session would be deleted, so the client would need to start a new session.

Correct Answer: A

Explanation:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD40943

Question #40

Refer to the exhibit, which shows a FortiGate configuration.

An administrator is troubleshooting a web filter issue on FortiGate. The administrator has configured a web filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that is passing through the policy.

What must the administrator change to fix the issue?

  • A . Increase webfilter-timeout.
  • B . Change protocol to TCP.
  • C . Enable fortiguard-anycast.
  • D . Disable webfilter-force-off.

Correct Answer: D

Explanation:

Reference: https://docs.fortinet.com/document/fortigate/6.4.5/cli-reference/109620/config-system-fortiguard

Question #41

A FortiGate is rebooting unexpectedly without any apparent reason.

What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)

  • A . Firewall monitor.
  • B . Policy monitor.
  • C . Logs.
  • D . Crashlogs.

Correct Answer: C,D

Question #42

Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.

An administrator would like to test session failover between the two service provider connections.

What changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

  • A . Configure set snat-route-change enable.
  • B . Change the priority of the port2 static route to 5.
  • C . Change the priority of the port1 static route to 11.
  • D . unset snat-route-change to return it to the default setting.

Correct Answer: A,C

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 148-149

Question #43

Which statement about IKE and IKE NAT-T is true?

  • A . IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.
  • B . IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.
  • C . They both use UDP as their transport protocol and the port number is configurable.
  • D . They each use their own IP protocol number.

Correct Answer: C

Explanation:

IKE without NAT-T runs over UDP port 500. IKE with NAT-T runs over UDP port 4500. It can be configurable – https://docs.fortinet.com/document/fortigate/7.0.0/new-features/33578/configurable-ike-port

Question #44

An administrator cannot connect to the GUI of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP.

The output of the debug flow is shown in the exhibit:

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

  • A . HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.
  • B . Redirection of HTTP to HTTPS administrative access is disabled.
  • C . HTTP administrative access is configured with a port number different than 80.
  • D . The packet is denied because of reverse path forwarding check.

Correct Answer: A,C

Question #45

View the exhibit, which contains the output of a debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

  • A . In the network on port4, two OSPF routers are down.
  • B . Port4 is connected to the OSPF backbone area.
  • C . The local FortiGate’s OSPF router ID is 0.0.0.4
  • D . The local FortiGate has been elected as the OSPF backup designated router.

Correct Answer: B,C

Question #46

Refer to the exhibit, which contains the output of a debug command.

If the default settings are in place, what can be concluded about the conserve mode shown in the exhibit?

  • A . FortiGate is currently blocking all new sessions regardless of the content inspection requirements or configuration settings due to high memory use.
  • B . FortiGate is currently allowing new sessions that require flow-based or proxy-based content inspection but is not performing inspection on those sessions.
  • C . FortiGate is currently blocking new sessions that require flow-based or proxy-based content inspection.
  • D . FortiGate is currently allowing new sessions that require flow-based content inspection and blocking sessions that require proxy-based content inspection.

Correct Answer: C

Question #47

View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

  • A . FortiGate will exempt the connection based on the Web Content Filter configuration.
  • B . FortiGate will block the connection based on the URL Filter configuration.
  • C . FortiGate will allow the connection based on the FortiGuard category based filter configuration.
  • D . FortiGate will block the connection as an invalid URL.

Correct Answer: B

Explanation:

FortiGate evaluates the web filter in this order: Static URL filter -> FortiGuard category filter -> Web content filter -> Advanced filters (Java applet, cookie removal, ...), so the connection is blocked in the first step.

Question #48

Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)

  • A . SIP session helper runs in the kernel; SIP ALG runs as a user space process.
  • B . SIP ALG supports SIP HA failover; SIP helper does not.
  • C . SIP ALG supports SIP over IPv6; SIP helper does not.
  • D . SIP ALG can create expected sessions for media traffic; SIP helper does not.
  • E . SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.

Correct Answer: B,C,D

Question #49

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.

What can the administrator do to fix this problem?

  • A . Configure remote link monitoring to detect an issue in the forwarding path.
  • B . Configure set send-garp-on-failover enable under config system ha on both cluster members.
  • C . Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.
  • D . Configure set link-failed-signal enable under config system ha on both cluster members.

Correct Answer: D

Explanation:

Virtual MAC address and failover:

  • The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC address is now reachable through a different switch port.
  • Some high-end switches might not clear their MAC table correctly after a failover.
  • Solution: force the former primary to shut down all of its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

config system ha
    set link-failed-signal enable
end

  • This simulates a link failure, which clears the related entries from the MAC table of the switches.

Question #50

Examine the output of the ‘diagnose ips anomaly list’ command shown in the exhibit; then answer the question below.

Which IP addresses are included in the output of this command?

  • A . Those whose traffic matches a DoS policy.
  • B . Those whose traffic matches an IPS sensor.
  • C . Those whose traffic exceeded a threshold of a matching DoS policy.
  • D . Those whose traffic was detected as an anomaly by an IPS sensor.

Correct Answer: A

Question #51

Which two statements about the Security Fabric are true? (Choose two.)

  • A . Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
  • B . Only the root FortiGate sends logs to FortiAnalyzer.
  • C . Only FortiGate devices with fabric-object-unification set to default will receive and synchronize global CMDB objects sent by the root FortiGate.
  • D . FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

Correct Answer: A,C

Explanation:

Downstream FortiGate devices communicate with the root FortiGate using FortiTelemetry (TCP 8013). FortiTelemetry is also used for FortiClient communication. The root FortiGate communicates with FortiAnalyzer using its API (TCP 443).

Question #52

View the exhibit, which contains the output of a debug command, and then answer the question below.

Which one of the following statements about this FortiGate is correct?

  • A . It is currently in system conserve mode because of high CPU usage.
  • B . It is currently in extreme conserve mode because of high memory usage.
  • C . It is currently in proxy conserve mode because of high memory usage.
  • D . It is currently in memory conserve mode because of high memory usage.

Correct Answer: D

Question #53

Which of the following events can trigger the election of a new primary unit in an HA cluster? (Choose two.)

  • A . Primary unit stops sending HA heartbeat keepalives.
  • B . The FortiGuard license for the primary unit is updated.
  • C . One of the monitored interfaces in the primary unit is disconnected.
  • D . A secondary unit is removed from the HA cluster.

Correct Answer: A,C

Question #54

Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

  • A . BGP state of the peer 10.125.0.60 is Established.
  • B . BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.
  • C . Local BGP peer has not received an OpenConfirm from 10.200.3.1.
  • D . The local BGP peer has received a total of 3 BGP prefixes.

Correct Answer: A,C

Question #55

Refer to the exhibit, which contains the output of a BGP debug command.

Which statement about the exhibit is true?

  • A . The local router has received a total of three BGP prefixes from all peers.
  • B . The local router has not established a TCP session with 100.64.3.1.
  • C . Since the counters were last reset, the 10.200.3.1 peer has never been down.
  • D . The local router BGP state is OpenConfirm with the 10.127.0.75 peer.

Correct Answer: B

Question #56

What is the purpose of an internal segmentation firewall (ISFW)?

  • A . It inspects incoming traffic to protect services in the corporate DMZ.
  • B . It is the first line of defense at the network perimeter.
  • C . It splits the network into multiple security segments to minimize the impact of breaches.
  • D . It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Correct Answer: C

Explanation:

An ISFW splits the network into multiple security segments. These segments serve as breach containers for attacks that originate inside the network.

Question #57

Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

  • A . Preview pending configuration changes for managed devices.
  • B . Add devices to FortiManager.
  • C . Import policy packages from managed devices.
  • D . Install configuration changes to managed devices.
  • E . Import interface mappings from managed devices.

Correct Answer: A,D

Explanation:

https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device%20Manager/1200_install_to%20devices/0400_Install%20wizard-device%20settings.htm

There are four main wizards:

Add Device: used to add devices to central management and import their configurations.

Install: used to install configuration changes from Device Manager or Policy & Objects to the managed devices. It allows you to preview the changes and, if the administrator does not agree with the changes, cancel and modify them.

Import Policy: used to import the interface mappings, policy database, and objects associated with the managed devices into a policy package under the Policy & Objects tab. It runs with the Add Device wizard by default and may be run at any time from the managed device list.

Re-install Policy: used to perform a quick install of the policy package. It does not give the ability to preview the changes that will be installed to the managed device.

Question #58

Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

Based on the output, which two statements are correct? (Choose two.)

  • A . The npu_flag for this tunnel is 03.
  • B . Different SPI values are a result of auto-negotiation being disabled for phase 2 selectors.
  • C . Anti-replay is enabled.
  • D . The npu_flag for this tunnel is 02.

Correct Answer: A,C

Question #59

Which two tasks are automated using the Import Configuration wizard on FortiManager? (Choose two.)

  • A . Importing firewall address objects from managed devices
  • B . Importing interface mappings from managed devices
  • C . Importing static and dynamic route configurations from managed devices
  • D . Importing devices to FortiManager

Correct Answer: A,B

Explanation:

https://docs.fortinet.com/document/fortimanager/7.0.5/administration-guide/337348

Question #60

An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration.

The administrator has also enabled the IKE real time debug:

diagnose debug application ike -1

diagnose debug enable

In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?

  • A . Phase1; IKE mode configuration; XAuth; phase 2.
  • B . Phase1; XAuth; IKE mode configuration; phase2.
  • C . Phase1; XAuth; phase 2; IKE mode configuration.
  • D . Phase1; IKE mode configuration; phase 2; XAuth.

Correct Answer: B

Explanation:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Concepts/IKE_Packet_Processing.htm
