Exam4Training

Fortinet NSE7_EFW-7.2 Fortinet NSE 7 – Enterprise Firewall 7.2 Online Training

Question #1

Which two statements about metadata variables are true? (Choose two.)

  • A . You create them on FortiGate
  • B . They apply only to non-firewall objects.
  • C . The metadata format is $<metadata_variable_name>.
  • D . They can be used as variables in scripts

Correct Answer: AD

Explanation:

Metadata variables are created on the FortiGate and can be used to dynamically insert information into scripts or configurations.

Metadata variables are designed to be used as placeholders within scripts, allowing for dynamic content to be applied when the script is executed.

Question #2

Refer to the exhibit, which contains a partial BGP configuration.

You want to configure a loopback as the BGP source.

Which two parameters must you set in the BGP configuration? (Choose two)

  • A . ebgp-enforce-multihop
  • B . recursive-next-hop
  • C . ibgp-enforce-multihop
  • D . update-source

Correct Answer: A, D

Explanation:

To configure a loopback as the BGP source, you need to set the “ebgp-enforce-multihop” and “update-source” parameters in the BGP configuration. The “ebgp-enforce-multihop” allows EBGP connections to neighbor routers that are not directly connected, while “update-source” specifies the IP address that should be used for the BGP session.

Reference: BGP on loopback, Loopback interface, Technical Tip: Configuring EBGP Multihop Load-Balancing, Technical Tip: BGP routes are not installed in routing table with loopback as update source

Question #3

Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?

  • A . The access is blocked based on the Content Filter configuration
  • B . The access is allowed based on the FortiGuard Category Based Filter configuration
  • C . The access is blocked based on the URL Filter configuration
  • D . The access is blocked if the local or the public FortiGuard server does not reply

Correct Answer: C

Explanation:

The access to www.facebook.com is blocked based on the URL Filter configuration. In the exhibit, it shows that the URL “www.facebook.com” is specifically set to “Block” under the URL Filter section. Reference: Fortigate: How to configure Web Filter function on Fortigate, Web filter | FortiGate / FortiOS 7.0.2 | Fortinet Document Library, FortiGate HTTPS web URL filtering … – Fortinet … – Fortinet Community

Question #4

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.

What can the administrator do to fix this problem?

  • A . Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports
  • B . Configure set link-failed-signal enable under config system ha on both cluster members
  • C . Configure remote link monitoring to detect an issue in the forwarding path
  • D . Configure set send-garp-on-failover enable under config system ha on both cluster members

Correct Answer: C

Explanation:

Question #5

Exhibit.

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)

  • A . The port3 network has more than one OSPF router
  • B . The OSPF routers are in the area ID of 0.0.0.1.
  • C . The interfaces of the OSPF routers match the MTU value that is configured as 1500.
  • D . NGFW-1 is the designated router

Correct Answer: A, C

Explanation:

From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1. Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. The MTU mismatch would prevent OSPF from forming a neighbor relationship.

Reference: Fortinet FortiOS Handbook: OSPF Configuration

Question #6

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

  • A . It can be configured as an update server, a rating server, or both
  • B . It provides VM license validation services
  • C . It supports rating requests from non-FortiGate devices.
  • D . It caches available firmware updates for unmanaged devices

Correct Answer: A, B

Explanation:

When deployed as a local FortiGuard Distribution Server (FDS), FortiManager functions in several capacities. It can act as an update server, a rating server, or both, providing firmware updates and FortiGuard database updates. Additionally, it plays a crucial role in VM license validation services, ensuring that the connected FortiGate devices are operating with valid licenses. However, it does not support rating requests from non-FortiGate devices nor cache firmware updates for unmanaged devices.

Reference: Fortinet FortiOS Handbook: FortiManager as a Local FDS Configuration

Question #7

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?

  • A . NPs and CPs are enabled
  • B . Only CPs are disabled
  • C . Only NPs are disabled
  • D . NPs and CPs are disabled

Correct Answer: D

Explanation:

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate’s hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.

Reference: FortiOS Handbook – CLI Reference for FortiOS 5.2

Question #8

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

  • A . Remove the 10.1.10.0 prefix from the OSPF network
  • B . Configure a distribute-list-out
  • C . Configure a route-map out
  • D . Disable Redistribute Connected

Correct Answer: B, C

Explanation:

To block the advertisement of the 10.1.10.0 prefix in OSPF, you can configure a distribute-list-out or a route-map out. A distribute-list-out is used to filter outgoing routing updates from being advertised to OSPF neighbors. A route-map out can also be used for filtering and is applied to outbound routing updates. Reference: Technical Tip: Inbound route filtering in OSPF usi … – Fortinet Community, OSPF | FortiGate / FortiOS 7.2.2 – Fortinet Documentation

Question #9

Exhibit.

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)

  • A . IPSec Tunnel aggregation is configured
  • B . net-device is enabled in the tunnel IPSec phase 1 configuration
  • C . OSPF is configured to run over IPSec.
  • D . add-route is disabled in the tunnel IPSec phase 1 configuration.

Correct Answer: B, C

Explanation:

From the partial routing table in the exhibit, here are two conclusions that can be drawn regarding the FortiGate configuration:

net-device is enabled in the tunnel IPSec phase 1 configuration.

The routing table shows multiple entries for tunnel interfaces (e.g., tunnel 0 and tunnel 1). This typically indicates that each IPSec tunnel has a corresponding interface in the FortiGate configuration, which is characteristic of the net-device feature being enabled in the IPSec phase 1 configuration.

OSPF is configured to run over IPSec.

The routes with the protocol "O" are OSPF routes. Given that OSPF routes appear for IPs that are reachable through tunnel interfaces, it suggests that OSPF is running over these IPSec tunnels, which is likely used for dynamic routing over the VPN.

Question #10

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?

  • A . Enable AD-VPN in IPsec phase 1
  • B . Disable add-route on hub
  • C . Configure IP addresses on IPsec virtual interfaces
  • D . Set protected network to all

Correct Answer: A

Explanation:

To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager.

Reference: ADVPN | FortiManager 7.2.0 – Fortinet Documentation

Question #11

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.

Which can you conclude from this command output?

  • A . The router are in the number to match the remote peer.
  • B . You must change the AS number to match the remote peer.
  • C . BGP is attempting to establish a TCP connection with the BGP peer.
  • D . The bfd configuration is set to enable.

Correct Answer: C

Explanation:

The BGP state is “Idle”, indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state will reset to either active or idle, depending on the configuration.

Reference: You can find more information about BGP states and troubleshooting in the following Fortinet Enterprise Firewall 7.2 documents:

Troubleshooting BGP

How BGP works

Question #12

Exhibit.

Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.

Which two parameters must you configure on the corresponding single hub? (Choose two.)

  • A . Set auto-discovery-sender enable
  • B . Set ike-version 2
  • C . Set auto-discovery-forwarder enable
  • D . Set auto-discovery-receiver enable

Correct Answer: A, B

Explanation:

On the hub side of an ADVPN setup, you need to enable auto-discovery-sender. This allows the hub to send shortcut offers to the spokes, which are necessary for setting up direct tunnels between spokes for optimized traffic flow.

The Internet Key Exchange (IKE) version should match between the spokes and the hub for the VPN to establish correctly. Since the spoke is configured with ike-version 2, the hub must also be configured to use IKE version 2 for compatibility.

Question #13

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?

  • A . Only the root FortiGate.
  • B . Each FortiGate in the Security fabric.
  • C . The FortiGate devices performing network address translation (NAT) or unified threat management (UTM), if configured.
  • D . Only the last FortiGate that handled a session in the Security Fabric

Correct Answer: B

Explanation:

Option B is correct because each FortiGate in the Security Fabric can send logs to FortiAnalyzer for centralized logging and analysis [1][2]. This allows you to monitor and manage the entire Security Fabric from a single console and view aggregated reports and dashboards.

Option A is incorrect because the root FortiGate is not the only device that can send logs to FortiAnalyzer. The root FortiGate is the device that initiates the Security Fabric and acts as the central point of contact for other FortiGate devices [3]. However, it does not have to be the only log source for FortiAnalyzer.

Option C is incorrect because the FortiGate devices performing NAT or UTM are not the only devices that can send logs to FortiAnalyzer. These devices can perform additional security functions on the traffic that passes through them, such as firewall, antivirus, web filtering, etc. [4]. However, they are not the only devices that generate logs in the Security Fabric.

Option D is incorrect because the last FortiGate that handled a session in the Security Fabric is not the only device that can send logs to FortiAnalyzer. The last FortiGate is the device that terminates the session and applies the final security policy [5]. However, it does not have to be the only device that reports the session information to FortiAnalyzer.

Reference:

1: Security Fabric – Fortinet Documentation

2: FortiAnalyzer Demo

3: Security Fabric topology

4: Security Fabric UTM features

5: Security Fabric session handling

Question #14

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

  • A . Route-reflector-peer enable
  • B . Route-reflector-client enable
  • C . Route-reflector enable
  • D . Route-reflector-server enable

Correct Answer: B

Explanation:

To reduce the number of BGP sessions in an IBGP network, you can use a route reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes to all other peers. To configure a route reflector, you need to enable the route-reflector-client option on the neighbor-group settings of the hub device. This will make the hub device act as a route reflector server and the other devices as route reflector clients. Reference: Route exchange | FortiGate / FortiOS 7.2.0 – Fortinet Documentation

Question #15

Exhibit.

Refer to the exhibit, which contains an active-active load balancing scenario.

During the traffic flow, the primary FortiGate forwards the SYN packet to the secondary FortiGate.

What is the destination MAC address or addresses when packets are forwarded from the primary FortiGate to the secondary FortiGate?

  • A . Secondary physical MAC port1
  • B . Secondary virtual MAC port1
  • C . Secondary virtual MAC port1 then physical MAC port1
  • D . Secondary physical MAC port2 then virtual MAC port2

Correct Answer: A

Explanation:

In an active-active load balancing scenario, when the primary FortiGate forwards the SYN packet to the secondary FortiGate, the destination MAC address would be the secondary’s physical MAC on port1, as the packet is being sent over the network and the physical MAC is used for layer 2 transmissions.