1. Examine the FortiGate configuration. What will happen to unauthenticated users when an active authentication policy is followed by a fall-through policy without authentication?
A. The user must log in again to authenticate.
B. The user will be denied access to resources without authentication.
C. The user will not be prompted for authentication.
D. User authentication happens at an interface level.

2. Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?
A. FG-traffic VDOM
B. Root VDOM
C. Customer VDOM
D. Global VDOM

3. In an HA cluster operating in active-active mode, which path is taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?
A. Client > secondary FortiGate > primary FortiGate > web server
B. Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server
C. Client > primary FortiGate > secondary FortiGate > web server
D. Client > secondary FortiGate > web server

4. Which two statements about antivirus scanning mode are true? (Choose two.)
A. In proxy-based inspection mode, antivirus buffers the whole file for scanning, before sending it to the client.
B. In full scan flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
C. In proxy-based inspection mode, files bigger than the buffer size are scanned.
D. In quick scan mode, you can configure antivirus profiles to use any of the available antivirus signature databases.

5. The FSSO collector agent set to advanced access mode for the Windows Active Directory uses which convention?
A. LDAP
B. Windows
C. RSSO
D. NTLM

6. Which two statements about virtual domains (VDOMs) are true? (Choose two.)
A. Transparent mode and NAT mode VDOMs cannot be combined on the same FortiGate.
B. Each VDOM can be configured with different system hostnames.
C. Different VLAN subinterfaces of the same physical interface can be assigned to different VDOMs.
D. Each VDOM has its own routing table.

7. What three FortiGate components are tested during the hardware test? (Choose three.)
A. CPU
B. Administrative access
C. HA heartbeat
D. Hard disk
E. Network interfaces

8. A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?
A. Implement web filter authentication for the specified website.
B. Implement a web filter category override for the specified website.
C. Implement DNS filter for the specified website.
D. Implement web filter quotas for the specified website.

9. Examine the exhibit, which shows the output of a web filtering real-time debug. Why is the site www.bing.com being blocked?
A. The web site www.bing.com is categorized by FortiGuard as Malicious Websites.
B. The user has not authenticated with the FortiGate yet.
C. The web server IP address 204.79.197.200 is categorized by FortiGuard as Malicious Websites.
D. The rating for the web site www.bing.com has been locally overridden to a category that is being blocked.

10. When using the WPAD DNS method, which FQDN format do browsers use to query the DNS server?
A. srv_proxy./wpad.dat
B. srv_tcp.wpad.
C. wpad.
D. proxy..wpad

11. Consider a new IPsec deployment with the following criteria:
- All satellite offices must connect to the two HQ sites.
- The satellite offices do not need to communicate directly with other satellite offices.
- Backup VPN is not required.
- The design should minimize the number of tunnels being configured.
Which topology should you use to satisfy all of the requirements?
A. Partial mesh
B. Redundant
C. Full mesh
D. Hub-and-spoke

12. What criteria does FortiGate use to look for a matching firewall policy to process traffic? (Choose two.)
A. Services defined in the firewall policy.
B. Incoming and outgoing interfaces
C. Highest to lowest priority defined in the firewall policy.
D. Lowest to highest policy ID number.

13. You are configuring the root FortiGate to implement the Security Fabric. You are configuring port10 to communicate with a downstream FortiGate. The exhibit shows the default Edit Interface. When configuring the root FortiGate to communicate with a downstream FortiGate, which two settings must you configure? (Choose two.)
A. Enable Device Detection
B. Administrative Access: FortiTelemetry.
C. IP/Network Mask.
D. Role: Security Fabric.

14. Which two statements about NTLM authentication are correct? (Choose two.)
A. It requires DC agents on every domain controller when used in multidomain environments.
B. It is useful when users log in to DCs that are not monitored by a collector agent.
C. It requires NTLM-enabled web browsers.
D. It takes over as the primary authentication method when configured alongside FSSO.

15. A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used, at the same time, for all traffic destined for 172.20.2.0/24. Given the network diagram shown in the exhibit, which two static routes will satisfy this requirement on FGT1? (Choose two.)
A. 172.20.2.0/24 [1/0] via 10.10.1.2, port1 [0/0]
B. 172.20.2.0/24 [25/0] via 10.30.3.2, port3 [5/0]
C. 172.20.2.0/24 [25/0] via 10.10.1.2, port1 [5/0]
D. 172.20.2.0/24 [1/150] via 10.30.3.2, port3 [10/0]

16. On a FortiGate with a hard disk, how frequently can you upload logs to FortiAnalyzer or FortiManager? (Choose two.)
A. On-demand
B. Hourly
C. Every 5 minutes
D. In real time

17. Given the partial output of an IKE real-time debug shown in the exhibit, which statement about the output is true?
A. The VPN is configured to use pre-shared key authentication.
B. Extended authentication (XAuth) was successful.
C. Remote is the host name of the remote IPsec peer.
D. Phase 1 went down.

18. An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark, Port Forward. Which step must the administrator take to successfully achieve this configuration?
A. Configure an SSL VPN realm for clients to use the Port Forward bookmark.
B. Configure the client application to forward IP traffic through FortiClient.
C. Configure the virtual IP address to be assigned to the SSL VPN users.
D. Configure the client application to forward IP traffic to a Java applet proxy.

19. Which two static routes are not maintained in the routing table? (Choose two.)
A. Dynamic routes
B. Policy routes
C. Named Address routes
D. ISDB routes

20. An administrator wants to configure a FortiGate as a DNS server. FortiGate must use a DNS database first, and then relay all irresolvable queries to an external DNS server. Which DNS method must you use?
A. Recursive
B. Non-recursive
C. Forward to primary and secondary DNS
D. Forward to system DNS

21. Which two FortiGate configuration tasks will create a route in the policy route table? (Choose two.)
A. Creating an SD-WAN route for individual member interfaces
B. Creating an SD-WAN rule to route traffic based on link latency
C. Creating a static route with a named address object
D. Creating a static route with an Internet services object

22. Given the antivirus profile and file transfer output shown in the exhibits, why is FortiGate not blocking the eicar.com file over FTP download?
A. Because the proxy options profile needs to scan FTP traffic on a non-standard port
B. Because the FortiSandbox signature database is required to successfully scan FTP traffic
C. Because deep-inspection must be enabled for FortiGate to fully scan FTP traffic
D. Because FortiGate needs to be operating in flow-based inspection mode in order to scan FTP traffic

23. The exhibits show the firewall policies and the objects used in the firewall policies. The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit. Based on the input criteria, which of the following will be highlighted?
A. The policy with ID 1
B. The policy with ID 5
C. The policies with ID 2 and 3
D. The policy with ID 4

24. The exhibit shows the output from a debug flow. Which two statements about the output are correct? (Choose two.)
A. The packet was allowed by the firewall policy with the ID 00007fc0.
B. The source IP address of the packet was translated to 10.0.1.10.
C. FortiGate received a TCP SYN/ACK packet.
D. FortiGate routed the packet through port3.

25. What is required to create an inter-VDOM link between two VDOMs?
A. At least one of the VDOMs must operate in NAT mode.
B. Both VDOMs must operate in NAT mode.
C. The inspection mode of at least one VDOM must be NGFW policy-based.
D. The inspection mode of both VDOMs must match.

26. What FortiGate configuration is required to actively prompt users for credentials?
A. You must enable one or more protocols that support active authentication on a firewall policy.
B. You must position the firewall policy for active authentication before a firewall policy for passive authentication.
C. You must assign users to a group for active authentication.
D. You must enable the Authentication setting on the firewall policy.

27. The exhibit shows network configurations. VDOM1 is operating in transparent mode. VDOM2 is operating in NAT mode. There is an inter-VDOM link between both VDOMs. A client workstation with the IP address 10.0.1.10/24 is connected to port2. A web server with the IP address 10.200.1.2/24 is connected to port1. Which two options must be included in the FortiGate configuration to route and allow connections from the client workstation to the web server? (Choose two.)
A. A static or dynamic route in VDOM2 with the subnet 10.0.1.0/24 as the destination.
B. A static or dynamic route in VDOM1 with the subnet 10.200.1.0/24 as the destination.
C. One firewall policy in VDOM1 with port2 as the source interface and InterVDOM0 as the destination interface.
D. One firewall policy in VDOM2 with InterVDOM1 as the source interface and port1 as the destination interface.

28. NGFW mode allows policy-based configuration for most inspection rules. Which security profile configuration does not change when you enable policy-based inspection?
A. Application control
B. Web filtering
C. Web proxy
D. Antivirus

29. Which two statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
A. The firmware image must be uploaded manually to each FortiGate.
B. Uninterruptable upgrade is enabled by default.
C. Traffic load balancing is temporarily disabled while the firmware is upgraded.
D. Only secondary FortiGate devices are rebooted.

30. Which statement about the firewall policy authentication timeout is true?
A. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

31. Which two statements correctly describe how FortiGate performs route lookup, when searching for a suitable gateway? (Choose two.)
A. Lookup is done on the first packet from the session originator
B. Lookup is done on the last packet sent from the responder
C. Lookup is done on every packet, regardless of direction
D. Lookup is done on the first reply packet from the responder

32. A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) subinterfaces added to the physical interface. In this scenario, which statement about the VLAN IDs is true?
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
B. The two VLAN subinterfaces must have different VLAN IDs.
C. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

33. Given the network diagram shown in the exhibit, which route is the best candidate route for FGT1 to route traffic from the workstation to the webserver?
A. 172.16.32.0/24 is directly connected, port1
B. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]
C. 10.4.200.0/30 is directly connected, port2
D. 0.0.0.0/0 [20/0] via 10.4.200.2, port2

34. Which two statements about central NAT are true? (Choose two.)
A. SNAT using central NAT does not require a central SNAT policy.
B. Central NAT can be enabled or disabled from the CLI only.
C. IP pool references must be removed from existing firewall policies, before enabling central NAT.
D. DNAT using central NAT requires a VIP object as the destination address in a firewall policy.

35. Which condition must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
A. The private key of the CA certificate that signed the browser certificate must be installed on the browser.
B. The CA certificate that signed the web server certificate must be installed on the browser.
C. The public key of the web server certificate must be installed on the web browser.
D. The web-server certificate must be installed on the browser.

36. A user located behind the FortiGate device is trying to go to http://www.addictinggames.com (Addicting.Games). The exhibit shows the application details and application control profile. Based on this configuration, which statement is true?
A. Addicting.Games will be blocked, based on the Filter Overrides configuration.
B. Addicting.Games will be allowed only if the Filter Overrides action is set to Learn.
C. Addicting.Games will be allowed, based on the Categories configuration.
D. Addicting.Games will be allowed, based on the Application Overrides configuration.

37. The exhibit shows a FortiGate configuration. How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires authorization?
A. It always authorizes the traffic without requiring authentication.
B. It drops the traffic.
C. It authenticates the traffic using the authentication scheme SCHEME2.
D. It authenticates the traffic using the authentication scheme SCHEME1.

38. Which statement about the IP authentication header (AH) used by IPsec is true?
A. AH does not support perfect forward secrecy.
B. AH provides strong data integrity but weak encryption.
C. AH provides data integrity but no encryption.
D. AH does not provide any data integrity or encryption.

39. The exhibits show a network diagram and the explicit web proxy configuration. In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?
A. 'host 192.168.0.2 and port 8080'
B. 'host 10.0.0.50 and port 80'
C. 'host 192.168.0.1 and port 80'
D. 'host 10.0.0.50 and port 8080'

40. How do you format the FortiGate flash disk?
A. Execute the CLI command execute formatlogdisk.
B. Select the format boot device option from the BIOS menu.
C. Load the hardware test (HQIP) image.
D. Load a debug FortiOS image.

41. If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?
A. The Services field prevents SNAT and DNAT from being combined in the same policy.
B. The Services field is used when you need to bundle several VIPs into VIP groups.
C. The Services field removes the requirement to create multiple VIPs for different services.
D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

42. Which three types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
A. Server information disclosure attacks
B. Traffic to botnet servers
C. Credit card data leaks
D. Traffic to inappropriate web sites
E. SQL injection attacks

43. Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?
A. To generate logs
B. To remove the NAT operation
C. To finish any inspection operations
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets

44. Examine this PAC file configuration. Which of the following statements are true? (Choose two.)
A. Browsers can be configured to retrieve this PAC file from FortiGate.
B. Any web request sent to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
C. All requests not sent to fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
D. Any web request sent to fortinet.com is allowed to bypass the proxy.

45. Which two statements correctly describe auto discovery VPN (ADVPN)? (Choose two.)
A. IPsec tunnels are negotiated dynamically between spokes.
B. ADVPN is supported only with IKEv2.
C. It recommends the use of dynamic routing protocols, so that spokes can learn the routes to other spokes.
D. Every spoke requires a static tunnel to be configured to other spokes, so that phase 1 and phase 2 proposals are defined in advance.

46. Given the static routes shown in the exhibit, which statements are correct? (Choose two.)
A. This is a redundant IPsec setup.
B. This setup requires at least two firewall policies with the action set to IPsec.
C. Dead peer detection must be disabled to support this type of IPsec setup.
D. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

47. To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?
A. FortiManager
B. Root FortiGate
C. FortiAnalyzer
D. Downstream FortiGate

48. If the Issuer and Subject values are the same in a digital certificate, to which type of entity was the certificate issued?
A. A subordinate CA
B. A root CA
C. A user
D. A CRL

49. Examine the output from a debug flow. Why did the FortiGate drop the packet?
A. The next-hop IP address is unreachable.
B. It failed the RPF check.
C. It matched an explicitly configured firewall policy with the action DENY.
D. It matched the default implicit firewall policy.

50. An administrator has configured the following settings. What are the two results of this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 minutes.
B. Denied users are blocked for 30 minutes.
C. A session for denied traffic is created.
D. The number of logs generated by denied traffic is reduced.

51. The exhibit shows a web filtering log. Which statement about the log message is true?
A. The web site miniclip.com matches a static URL filter whose action is set to Warning.
B. The usage quota for the IP address 10.0.1.10 has expired.
C. The action for the category Games is set to block.
D. The name of the applied web filter profile is default.

52. Which two statements about firewall policy NAT using the outgoing interface IP address with fixed port disabled are true? (Choose two.)
A. The source IP is translated to the outgoing interface IP.
B. This is known as many-to-one NAT.
C. Port address translation is not used.
D. Connections are tracked using source port and source MAC address.

53. Refer to the exhibit. According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?
A. A user
B. A root CA
C. A bridge CA
D. A subordinate

54. Which two actions are valid for a FortiGuard category-based filter, in a web filter profile, for a firewall policy in proxy-based inspection mode? (Choose two.)
A. Learn
B. Exempt
C. Allow
D. Warning

55. Which two options are purposes of NAT traversal in IPsec? (Choose two.)
A. To force a new DH exchange with each phase 2 rekey
B. To detect intermediary NAT devices in the tunnel path
C. To encapsulate ESP packets in UDP packets using port 4500
D. To dynamically change phase 1 negotiation mode to aggressive mode

56. An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?
A. A phase 2 configuration is not required.
B. This VPN cannot be used as part of a hub-and-spoke topology.
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
D. The IPsec firewall policies must be placed at the top of the list.

57. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. It limits the scope of application control to scan traffic based on the browser-based technology category only.
B. It limits the scope of application control to scan application traffic based on application category only.
C. It limits the scope of application control to scan application traffic using parent signatures only.
D. It limits the scope of application control to scan application traffic on DNS protocol only.

58. An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?
A. 192.168.1.0/24
B. 192.168.0.0/8
C. 192.168.2.0/24
D. 192.168.3.0/24

59. The exhibits show the IPS sensor and DoS policy configuration. When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?
A. ip_src_session
B. IMAP.Login.Brute.Force
C. Location: server Protocol: SMTP
D. SMTP.Login.Brute.Force

60. Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
A. Log downloads from the GUI are limited to the current filter view.
B. Log backups from the CLI cannot be restored to another FortiGate.
C. Log backups from the CLI can be configured to upload to FTP at a scheduled time.
D. Log downloads from the GUI are stored as LZ4 compressed files.

61. Refer to the exhibit. Given the FortiGate interfaces shown in the exhibit, which two statements about the FortiGate interfaces configuration in the exhibit are true? (Choose two.)
A. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
B. Broadcast traffic received on port1-VLAN10 will not be forwarded to port2-VLAN10.
C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
D. port1-VLAN1 is the native VLAN for the port1 physical interface.

62. When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
A. The remote user’s virtual IP address
B. The public IP address of the FortiGate device
C. The remote user’s public IP address
D. The internal IP address of the FortiGate device

63. An administrator observes that the port1 interface cannot be configured with an IP address. What are three possible reasons for this? (Choose three.)
A. The operation mode is transparent.
B. The interface is a member of a virtual wire pair.
C. The interface is a member of a zone.
D. The interface has been configured for one-arm sniffer.
E. Captive portal is enabled in the interface.

64. Refer to the exhibits. The exhibits contain a network diagram and virtual IP and firewall policy configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24. The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/32?
A. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
B. 10.200.1.10
C. 10.200.1.1
D. 10.0.1.254

65. Refer to the exhibit. The exhibit shows FortiGate configuration and the output of the debug command. Based on the diagnostic output, how is the FortiGate handling the traffic for new sessions that require proxy-based inspection?
A. It is allowed, but with no inspection.
B. It is allowed and inspected, as long as the only inspection required is antivirus.
C. It is dropped.
D. It is allowed and inspected, as long as the inspection is flow based.

66. Which statement about SSL VPN settings for an SSL VPN portal is true?
A. By default, DNS split tunneling is enabled.
B. By default, the admin GUI and the SSL VPN portal use the same HTTPS port.
C. By default, the SSL VPN portal requires the installation of a client’s certificate.
D. By default, FortiGate uses WINS servers to resolve names.

67. The exhibit shows two static routes. Which option accurately describes how FortiGate will handle these two routes to the same destination?
A. FortiGate will only activate the port1 route in the routing table.
B. FortiGate will use the port1 route as the primary candidate.
C. FortiGate will load balance all traffic across both routes.
D. FortiGate will route twice as much traffic to the port2 route.

68. The exhibit shows the IPS sensor configuration and forward traffic logs. An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt, or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic. What is a possible reason for this?
A. The HTTPS signatures have not been added to the sensor.
B. The IPS filter is missing the Protocol: HTTPS option.
C. The firewall policy is not using a full SSL inspection profile.
D. A DoS policy should be used, instead of an IPS sensor.

69. Which two SD-WAN load balancing methods use interface weight value to distribute traffic?
A. Spillover
B. Volume
C. Source IP
D. Sessions

70. Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
A. Subject Key Identifier value
B. S/MIME Capabilities value
C. Subject value
D. Subject Alternative Name value

71. What three FortiGate components are tested during the hardware test? (Choose three.)
A. CPU
B. Administrative access
C. HA heartbeat
D. Hard disk
E. Network interfaces

72. Why must you use aggressive mode when a local FortiGate IPsec gateway hosts multiple dialup tunnels?
A. Main mode does not support XAuth for user authentication.
B. In aggressive mode, the remote peers are able to provide their peer IDs in the first message.
C. FortiGate is able to handle NATed connections only in aggressive mode.
D. FortiClient supports only aggressive mode.

73. Which statement about the policy ID number of a firewall policy is true?
A. It is required to modify a firewall policy using the CLI.
B. It represents the number of objects used in the firewall policy.
C. It changes when firewall policies are reordered.
D. It defines the order in which rules are processed.

74. Which two settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy called Full Access? (Choose two.)
A. Enable Event Logging.
B. Enable disk logging.
C. Enable a web filter security profile on the Full Access firewall policy.
D. Enable Log Allowed Traffic on the Full Access firewall policy.

75. An administrator is running the following sniffer command:
    diagnose sniffer packet any "host 10.0.2.10" 3
Which three items will be included in the sniffer output? (Choose three.)
A. IP header
B. Interface name
C. Packet payload
D. Ethernet header
E. Application header

76. In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the following output:
    FortiGate # diagnose sniffer packet any "port 80" 4
    interfaces=[any]
    filters=[port 80]
    11.510058 port3 in 10.0.1.10.49255 -> 10.200.1.254.80: syn 697263124
    11.760531 port3 in 10.0.1.10.49256 -> 10.200.1.254.80: syn 868017830
    14.505371 port3 in 10.0.1.10.49255 -> 10.200.1.254.80: syn 697263124
    14.755510 port3 in 10.0.1.10.49256 -> 10.200.1.254.80: syn 868017830
What should the administrator do next to troubleshoot the problem?
A. Capture the traffic using an external sniffer connected to port1.
B. Run a sniffer on the web server.
C. Execute another sniffer in the FortiGate, this time with the filter, "host 10.0.1.10".
D. Execute a debug flow.

77. Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)
A. The port3 default route has the lowest metric.
B. The port3 default route has the highest distance.
C. There will be eight routes active in the routing table.
D. The port1 and port2 default routes are active in the routing table.

78. Refer to the exhibit. The exhibit shows admission control settings. Which users and user groups are allowed access to the network through captive portal?
A. Groups defined in the captive portal configuration
B. Only individual users, not groups, defined in the captive portal configuration
C. All users
D. Users and groups defined in the firewall policy

79. Which two configuration objects can you select for the Source field of a firewall policy? (Choose two.)
A. Firewall service
B. FQDN address
C. IP pool
D. User or user group

80. Which actions can be applied to each filter in the application control profile?
A. Block, monitor, warning, and quarantine
B. Allow, monitor, block, and learn
C. Allow, monitor, block, and quarantine
D. Allow, block, authenticate, and warning

81. How does FortiGate select the central SNAT policy that is applied to a TCP session?
A. It selects the first matching central SNAT policy, reviewing from top to bottom.
B. It selects the SNAT policy specified in the configuration of the outgoing interface.
C. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.
D. It selects the central SNAT policy with the lowest priority.

82. Refer to the exhibit. Given the output of the # diagnose sys ha checksum cluster command shown in the exhibit, which two statements are correct? (Choose two.)
A. The all VDOM is not synchronized between the primary and secondary FortiGate devices.
B. The global configuration is synchronized between the primary and secondary FortiGate devices.
C. The root VDOM is not synchronized between the primary and secondary FortiGate devices.
D. The FortiGate devices have three VDOMs.

83. Which two statements about DNS filter profiles are true? (Choose two.)
A. They can block DNS requests to known botnet command and control servers.
B. They can inspect HTTP traffic.
C. They must be applied in firewall policies with SSL inspection enabled.
D. They can redirect blocked requests to a specific portal.

84. An administrator needs to strengthen the security for SSL VPN access. Which three statements are best practices to do so? (Choose three.)
A. Configure a client integrity check (host-check).
B. Configure two-factor authentication using security certificates.
C. Configure split tunneling.
D. Configure host restrictions by IP address or by MAC address.
E. Configure SSL offloading to a content processor.

85. Refer to the exhibit. An administrator is investigating a report of users having intermittent issues with browsing the web. The administrator ran diagnostics and received the output shown in the exhibit. Which option is the most likely cause of the issue?
A. High session timeout value
B. High memory usage
C. High CPU usage
D. NAT port exhaustion

86. Which process is involved in updating IPS from FortiGuard?
A. IPS engine updates can be obtained using only push updates.
B. FortiGate IPS update requests are sent using UDP port 443.
C. IPS signature update requests are sent to update.fortiguard.net.
D. Protocol decoder update requests are sent to service.fortiguard.net.

87. Which two conditions are required for establishing an IPsec VPN between two FortiGate devices? (Choose two.)
A. If the VPN is configured as policy-based in one peer, it must also be configured as policy-based in the other peer.
B. If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or Dynamic DNS in the other peer.
C. If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer.
D. If the VPN is configured as route-based, there must be at least one firewall policy with the action set to IPsec.

88. Refer to the exhibit. The exhibit shows the two VLAN interfaces configuration. A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5 interface. However, the DHCP client cannot get a dynamic IP address from the DHCP server. What condition must exist in order for the DHCP client to successfully get the dynamic IP address?
A. Both interfaces must belong to the same forward domain.
B. Both interfaces must have the same VLAN ID.
C. The role of the VLAN10 interface must be set to server.
D. Both interfaces must be in different VDOMs.

89. Refer to the exhibit. The exhibit contains a proxy address that an administrator created to block HTTP uploads. Where must the proxy address be used?
A. As the source in a firewall policy
B. As the destination in a firewall policy
C. As the destination in a proxy policy
D. As the source in a proxy policy

90. An administrator has configured central DNAT and virtual IPs. Which object can be selected in the firewall policy Destination field?
A. The mapped IP address object of the VIP object
B. A VIP group object
C. A VIP object
D. An IP pool object

91. By default, when logging to disk, when does FortiGate delete logs?
A. Never
B. 7 days
C. 1 year
D. 30 days

92. Which two statements about HA for FortiGate devices are true? (Choose two.)
A. Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs.
B. HA management interface settings are synchronized between cluster members.
C. Heartbeat interfaces are not required on the primary device.
D. Sessions handled by proxy-based security profiles cannot be synchronized.

93. How can you block or allow access to Twitter using a firewall policy?
A. Configure the Service field as Internet Service objects for Twitter.
B. Configure the Source field as Internet Service objects for Twitter.
C. Configure the Action field as Learn and select Twitter.
D. Configure the Destination field as Internet Service objects for Twitter.

94. Which statement about FortiGuard services for FortiGate is true?
A. The web filtering database is downloaded locally on FortiGate.
B. FortiGate downloads IPS updates using UDP port 53 or 8888.
C. Antivirus signatures are downloaded locally on FortiGate.
D. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates.

95. How does FortiGate verify the login credentials of a remote LDAP user?
A. FortiGate queries its own database for credentials.
B. FortiGate queries the LDAP server for credentials.
C. FortiGate sends the user-entered credentials to the LDAP server for authentication.
D. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.

96. When using SD-WAN, how must you configure a next-hop gateway address for a member interface, so that FortiGate can forward Internet traffic?
A. It must be configured in a policy route using the sdwan virtual interface.
B. It must be learned automatically through a dynamic routing protocol.
C. It must be configured in a static route using the sdwan virtual interface.
D. It must be provided in the SD-WAN member interface configuration.

97. Which statement about the FSSO collector agent timers is true?
A. The workstation verify interval is used to periodically check if a workstation is still a domain member.
B. The dead entry timeout interval is used to age out entries with an unverified status.
C. The user group cache expiry is used to age out the monitored groups.
D. The IP address change verify interval monitors the server IP address where the collector agent is installed.

98. Which two statements describe WMI polling mode for the FSSO collector agent? (Choose two.)
A. WMI polling can increase bandwidth usage in large networks.
B. The NetSessionEnum function is used to track user logoffs.
The collector agent does not need to search any security event logs. The collector agent uses a Windows API to query DCs for user logins. 99. Refer to the exhibit. An employee connects to https://example.com using a web browser. The web server's certificate was signed by a private internal CA. The FortiGate that is inspecting this traffic is configured for full SSL inspection.The exhibit shows the configuration settings for the SSL/SSH inspection profile that is applied to the policy that is invoked in this instance. All other settings are set to defaults. No certificates have been imported into FortiGate.Which certificate is presented to the employee's web browser? The web server's certificate The user's personal certificate signed by a private internal CA A certificate signed by Fortinet_CA_SSL A certificate signed by Fortinet_CA_Untrusted 100. An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is configured with a web filter and an SSL inspection profile configured for deep inspection. Which two actions can eliminate the certificate error generated by deep inspection? (Choose two.) Implement firewall authentication for all users that need access to fortinet.com. Manually install the FortiGate deep inspection certificate as a trusted CA. Configure fortinet.com access to bypass the IPS engine. Configure an SSL-inspection exemption for fortinet.com. 101. Which statement about a One-to-One IP pool is true? It is used for destination NAT. It limits the client to 64 connections per IP pool. It allows the fixed mapping of an internal address range to an external address range. It does not use port address translation. 102. Refer to the exhibit. The exhibit shows the IPS sensor configuration.If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.) The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature. 
The sensor will block all attacks aimed at Windows servers. The sensor will reset all connections that match these signatures. The sensor will gather a packet log for all matched traffic. 103. An administrator wants to throttle the total volume of SMTP sessions to their email server. Which DoS sensor can the administrator use to achieve this? ip_src_session ip_dst_session udp_flood tcp_port_scan 104. A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true? It can upgrade the firmware on the FortiGate device. It can reset the password for the admin account. It can create administrator accounts with access to the same VDOM. It cannot have access to more than one VDOM. 105. During the digital verification process, comparing the original and fresh hash results satisfies which security requirement? Signature verification Authentication Data integrity Non-deniability 106. Which three statements correctly describe transparent mode operation? (Choose three.) The transparent FortiGate is visible to network hosts in an IP traceroute. FortiGate acts as a transparent bridge and forwards traffic at Layer 2. Ethernet packets are forwarded based on destination MAC addresses, not IP addresses. It permits inline traffic inspection and firewalling without changing the IP scheme of the network. All interfaces on the transparent mode FortiGate device must be on different IP subnets. 107. Which two statements about conserve mode are true? (Choose two.) Administrators can access the FortiGate only through the console port. FortiGate stops doing RPF checks over incoming packets. FortiGate stops sending files to FortiSandbox for inspection. Administrators cannot change the configuration. 108. Which two features are supported by web filter in flow-based inspection mode with NGFW mode set to profile-based? (Choose two.) Search engines FortiGuard Quotas Static URL Rating option 109. Refer to the exhibit. 
Given the FortiGate CLI output, why is the administrator getting the error shown in the exhibit? The administrator must first enter the command edit global. The administrator admin does not have the privileges required to configure global settings. The command config system global does not exist in FortiGate. The global settings cannot be configured from the root VDOM context. 110. An administrator has configured a dialup IPsec VPN with XAuth. Which statement best describes what occurs during this scenario? Dialup clients must provide their local ID during phase 2 negotiations. Only digital certificates will be accepted as an authentication method in phase 1. Phase 1 negotiations will skip preshared key exchange. Dialup clients must provide a username and password for authentication. 111. When override is enabled, which option shows the process and selection criteria that is used to elect the primary FortiGate in an HA cluster? Connected monitored ports > HA uptime > priority > serial number HA uptime > priority > Connected monitored ports > serial number Priority > Connected monitored ports > HA uptime > serial number Connected monitored ports > priority > HA uptime > serial number 112. HTTP public key pinning (HPKP) can be an obstacle to implementing full SSL inspection. In which two ways can you resolve this problem? (Choose two.) Enable Allow Invalid SSL Certificates for the relevant security profile. Exempt those web sites that use HPKP from full SSL inspection. Install the CA certificate (that is required to verify the web server certificate) in the certificate stores of users' computers. Use a web browser that does not support HPKP. 113. A company needs to provide SSL VPN access to two user groups. The company also needs to display a different welcome message for each group, on the SSL VPN login. To meet these requirements, what is required in the SSL VPN configuration? 
Different virtual SSL VPN IP addresses for each group Two separate SSL VPNs in different interfaces mapping the same ssl.root Two firewall policies with different captive portals Different SSL VPN realms for each group 114. Which two route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.) Metric Priority Cost Distance 115. Which two statements are true when using WPAD with the DHCP discovery method? (Choose two.) If the DHCP method fails, browsers will try the DNS method. The browser sends a DHCPINFORM request to the DHCP server. The DHCP server provides the PAC file for download. The browser needs to be preconfigured with the DHCP server IP address. 116. Refer to the exhibit. Based on the firewall configuration shown in the exhibit, which two statements about application control behavior are true? (Choose two.) Access to browser-based Social.Media applications will be blocked. Access to mobile social media applications will be blocked. Access to all applications in the Social.Media category will be blocked. Access to all unknown applications will be allowed. 117. Which two statements about SSL VPN timers are true? (Choose two.) SSL VPN settings do not have customizable timers. SSL VPN timers prevent SSL VPN users from being logged out because of high network latency. SSL VPN timers disconnect idle SSL VPN users when a firewall policy authentication timeout occurs. SSL VPN timers allow to mitigate DoS attacks from partial HTTP requests. 118. Refer to the exhibit. The exhibit contains a session diagnostic output.Which statement about the session diagnostic output is true? The session is in CLOSE_WAIT state. The session is in TIME_WAIT state. The session is in LISTEN state. The session is in ESTABLISHED state. 119. Refer to the exhibit. The exhibit shows a raw log and firewall policies.What information does this raw log provide? (Choose two.) type indicates that a security event was recorded. 
FortiGate blocked the traffic. 10.0.1.20 is the IP address for lavito.tk. policyid indicates that traffic went through the IPS firewall policy. 120. Which two statements about virtual domains (VDOMs) are true? (Choose two.) A FortiGate device has 64 VDOMs, created by default. The root VDOM is the management VDOM, by default. Each VDOM maintains its own system time. Each VDOM maintains its own routing table. 1 out of 24 Name Email Time is Up! Time's up