Q61

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true
about the policy list view?

A. Policy lookup will be disabled.

B. By Sequence view will be disabled.
C. Search option will be disabled
D. Interface Pair view will be disabled.
ANSWER: D
SECTION: Firewall and authentication

Q62
NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s
configuration does not change when you enable policy-based inspection?

*
0/1
A. Web filtering
B. Antivirus
C. Web proxy
D. Application control
ANSWER: B
SECTION: Deployment and System Configuration

Q63
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added
to the physical interface. Which statements about the VLAN sub interfaces can have the same VLAN ID,
only if they have IP addresses in different subnets.

0/1
A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different
subnets
B. The two VLAN sub interfaces must have different VLAN IDs
C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same
subnet
ANSWER: B
SECTION: Firewall and authentication

Q64
A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based
on this configuration, which statement is true?
A. Addicting.Games is allowed based on the Application Overrides configuration.
B. Addicting.Games is blocked on the Filter Overrides configuration.
C. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt.
D. Addcting.Games is allowed based on the Categories configuration.
ANSWER: A
SECTION: Firewall and authentication

Q65

Examine the exhibit, which shows a firewall policy configured with multiple security profiles.
Which two security profiles are handled by the IPS engine? (Choose two.)
A. Select one or more
B. Web Filter
C. IPS
D. AntiVirus
E. Application Control

ANSWER: C,E
SECTION: Firewall and authentication

Q66
Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)
Options:
A. The debug flow is of ICMP traffic.
B. A firewall policy allowed the connection.
C. A new traffic session is created.
D. The default route is required to receive a reply.

ANSWER: A,C
SECTION: Deployment and System Configuration

Q67
Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Options:
A. SSL VPN idle-timeout
B. SSL VPN http-request-body-timeout
C. SSL VPN login-timeout
D. SSL VPN dtls-hello-timeout
ANSWER: A
SECTION: VPN

Q68
Refer to the exhibits.

Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive-Bandwidth and
Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating
or incoming?

Options:
A. Apple FaceTime will be allowed, based on the Categories configuration.

B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

C. Apple FaceTime will be allowed, based on the Apple filter configuration.

D. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to
Allow.
ANSWER: B
SECTION: Content inspection

Q69
Refer to the exhibit.
The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10 .0.1.254. /24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP
address 10.0. 1. 10?

Options:
A. 10.200. 1. 1
B. 10.200.3. 1
C. 10.200. 1. 100
D. 10.200. 1. 10
ANSWER: C
SECTION: Firewall and authentication

Q70
The IPS engine is used by which three security features? (Choose three.)

Options:
A. Antivirus in flow-based inspection
B. Web filter in flow-based inspection
C. Application control
D. DNS filter
E.Web application firewall
ANSWER: A,B,C
SECTION: Content inspection

Q71
Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of
diagnose sys virtual-wan-link health-check . Which interface will be selected as an outgoing interface?

Options:
A. port2
B. port4
C. port3
D. port1

ANSWER: D
Section: Routing

Q72
Which statement about video filtering on FortiGate is true?

Options:
A. Full SSL Inspection is not required.
B. It is available only on a proxy-based firewall policy.
C. It inspects video files hosted on file sharing services.
D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
ANSWER: B
Section: Content inspection

Q73
Which certificate value can FortiGate use to determine the relationship between the issuer and the
certificate?

Options:
A. Subject Key Identifier value
B. SMMIE Capabilities value
C. Subject value
D. Subject Alternative Name value
ANSWER: A
Section: Content inspection

Q74
Refer to the exhibit.
Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Options:
A. There are five devices that are part of the security fabric.
B. Device detection is disabled on all FortiGate devices.
C. This security fabric topology is a logical topology view.
D. There are 19 security recommendations for the security fabric.

ANSWER: C,D
Section: Deployment and System Configuration

Q75
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting
any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the
browser does not report errors.

What is the reason for the certificate warning errors?

Options:
A. The matching firewall policy is set to proxy inspection mode.
B. The certificate used by FortiGate for SSL inspection does not contain the required certificate
extensions.
C. The full SSL inspection feature does not have a valid license.
D. The browser does not trust the certificate used by FortiGate for SSL inspection.
ANSWER: D
Section: Content inspection
Q76
Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

Options:
A. The debug flow is for ICMP traffic.
B. The default route is required to receive a reply.
C. new traffic session was created.
D. A firewall policy allowed the connection.
ANSWER: A,C
Section: Deployment and System Configuration

Q77
An administrator wants to simplify remote access without asking users to provide user credentials.

Which access control method provides this solution?

Options:
A. ZTNA IP/MAC filtering mode
B. ZTNA access proxy
C. SSL VPN
D. L2TP
ANSWER: B
Section: VPN

Q78
Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

Which CLI command must the administrator use to view the route?

Options:
A. get router info routing-table database
B. diagnose firewall route list
C. get internet-service route list
D. get router info routing-table all
ANSWER: B
Section: Routing

Q79
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

Options:
A. The next-hop IP address is unreachable.
B. It failed the RPF check .
C. It matched an explicitly configured firewall policy with the action DENY.
D. It matched the default implicit firewall policy.
ANSWER: D
Section: Routing

Q80
Which CLI command will display sessions both from client to the proxy and from the proxy to the
servers?

Options:
A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out"
ANSWER: A
Section: Deployment and System Configuration

Q81
An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

Options:
A. idle-timeout
B. login-timeout
C. udp-idle-timer
D. session-ttl
ANSWER: B
Section: VPN

Q82
When a firewall policy is created, which attribute is added to the policy to support recording logs to a
FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these
devices?

Options:
A. Log ID
B. Universally Unique Identifier
C. Policy ID
D. Sequence ID
ANSWER: B
Section: Firewall and authentication

Q83
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).
Which statement is correct if a user is unable to receive a block replacement message when
downloading an infected file for the first time?

Options:
A. The firewall policy performs the full content inspection on the file.
B. The flow-based inspection is used, which resets the last packet to the user.
C. The volume of traffic being inspected is too high for this model of FortiGate.
D. The intrusion prevention security profile needs to be enabled when using flow-based inspection
mode.
ANSWER: B
Section: Firewall and authentication
Q84
Which statement is correct regarding the security fabric?

Options:
A. FortiManager is one of the required member devices.
B. FortiGate devices must be operating in NAT mode.
C. A minimum of two Fortinet devices is required.
D. FortiGate Cloud cannot be used for logging purposes.
ANSWER: B
Section: Deployment and System Configuration
Explanation:
FortiGate devices must be operating in NAT mode is the correct answer. This is the explanation. You must
have a minimum of two FORTIGATE devices at the core of the Security Fabric, plus one FortiAnalyzer or
cloud logging solution. FortiAnalyzer Cloud or FortiGate Cloud can act as the cloud logging solution. The
FortiGate devices must be running in NAT mode. the other one is incorrect, because said you must have
two fortinet devices no fortigate. PAGE 428 7.2

Q85
Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200. 1. 1/24. The LAN (port2) interface has the IP
address 10.0. 1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is
configured with a VIP as the destination address. Which IP address will be used to source NAT the
Internet traffic coming from a workstation with the IP address 10.0. 1. 10/24?

Options:
A. 10.200. 1. 10
B. Any available IP address in the WAN (port1) subnet 10.200. 1.0/24
C. 10.200. 1. 1
D. 10.0. 1.254
ANSWER: A
Section: Firewall and authentication

Q86
Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose
three.)

Options:
A. Source defined as Internet Services in the firewall policy.
B. Destination defined as Internet Services in the firewall policy.
C. Highest to lowest priority defined in the firewall policy.
D. Services defined in the firewall policy.
E. Lowest to highest policy ID number.
ANSWER: A,B,D
Section: Firewall and authentication

Q87
Refer to the exhibit.

Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2
up?

Options:
A. On Remote-FortiGate, set Seconds to 43200.
B. On HQ-FortiGate, set Encryption to AES256.
C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
D. On HQ-FortiGate, enable Auto-negotiate.
ANSWER: B
Section: VPN

Q88
Which two statements are correct about a software switch on FortiGate? (Choose two.)

Options:
A. It can be configured only when FortiGate is operating in NAT mode
B. Can act as a Layer 2 switch as well as a Layer 3 router
C. All interfaces in the software switch share the same IP address
D. It can group only physical interfaces
ANSWER: A,C
Section: Routing

Q89
Which of the following statements about central NAT are true? (Choose two.)

Options:
A. IP tool references must be removed from existing firewall policies before enabling central NAT .
B. Central NAT can be enabled or disabled from the CLI only.
C. Source NAT, using central NAT, requires at least one central SNAT policy.
D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
ANSWER: A,B
Section: Section: Firewall and authentication

Q90
Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN
Performance SLA? (Choose two.)

Options:
A. DNS
B. ping
C. udp-echo
D. TWAMP
ANSWER: C,D
Section: Section: Firewall and authentication

Q91
Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

Options:
A. get system status
B. get system performance status
C. diagnose sys top
D. get system arp
ANSWER: D
Section: Routing

Q92
Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.
Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true?
(Choose two.)

Options:
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual
MAC address of port2 as source.
B. The traffic sourced from the client and destined to the server is sent to FGT-1.
C. The cluster can load balance ICMP connections to the secondary.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to
the secondary.
ANSWER: A,D
Section: Section: Firewall and authentication
Q93
Which of the following SD-WAN load balancing method use interface weight value to distribute traffic?
(Choose two.)

Options:
A. Source IP
B. Spillover
C. Volume
D. Session
ANSWER: C,D
Section: Section: Firewall and authentication

Q94
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec
VPN tunnels and static routes.

* All traffic must be routed through the primary tunnel when both tunnels are up

* The secondary tunnel must be used only if the primary tunnel goes down

* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements?
(Choose two,)

Options:
A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static
route for the secondary tunnel.
B. Enable Dead Peer Detection.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the
static route for the secondary tunnel.
D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
ANSWER: B,C
Section: VPN

Q95
Which statement is correct regarding the use of application control for inspecting web applications?

Options:
A. Application control can identity child and parent applications, and perform different actions on them.
B. Application control signatures are organized in a nonhierarchical structure.
C. Application control does not require SSL inspection to identity web applications.
D. Application control does not display a replacement message for a blocked web application.
ANSWER: A
Section: Content inspection

Q96
Refer to the exhibit.

Which contains a session diagnostic output. Which statement is true about the session diagnostic
output?

Options:
A. The session is in SYN_SENT state.
B. The session is in FIN_ACK state.
C. The session is in FTN_WAIT state.
D. The session is in ESTABLISHED state.
ANSWER: A
Section: Firewall and authentication

Q97
Refer to the exhibits.
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default
configuration of high memory usage thresholds. Based on the system performance output, which two
statements are correct? (Choose two.)

Options:
A. Administrators can access FortiGate only through the console port.
B. FortiGate has entered conserve mode.
C. FortiGate will start sending all files to FortiSandbox for inspection.
D. Administrators cannot change the configuration.
ANSWER: B,D
Section: Deployment and System Configuration

Q98
Which two statements ate true about the Security Fabric rating? (Choose two.)

Options:
A. It provides executive summaries of the four largest areas of security focus.
B. Many of the security issues can be fixed immediately by clicking Apply where available.
C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
D. The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.
ANSWER: B,C
Section: Deployment and System Configuration

Q99
Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Options:
A.
It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B. ADVPN is only supported with IKEv2.

C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2
proposals are defined in advance.
ANSWER: A,C
Section: VPN
Q100
Which statement describes a characteristic of automation stitches?

Options:
A. They can have one or more triggers.
B. They can be run only on devices in the Security Fabric.
C. They can run multiple actions simultaneously.
D. They can be created on any device in the fabric.
ANSWER: C
Section: Deployment and System Configuration

Q101
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true
about the policy list view?

Options:
A. Policy lookup will be disabled.
B. By Sequence view will be disabled.
C. Search option will be disabled
D. Interface Pair view will be disabled.
ANSWER: D
Section: Firewall and authentication

Q102
Which CLI command will display sessions both from client to the proxy and from the proxy to the
servers?

Options:
A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out"
ANSWER: A
Section: Firewall and authentication

Q103
In which two ways can RPF checking be disabled? (Choose two )

Options:
A. Enable anti-replay in firewall policy.
B. Disable the RPF check at the FortiGate interface level for the source check
C. Enable asymmetric routing.
D. Disable strict-arc-check under system settings.
ANSWER: C,D
Section: Routing

Q104
An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

Options:
A. VLAN interface
B. Software Switch interface
C. Aggregate interface
D. Redundant interface
ANSWER: C
Section: Firewall and authentication

Q105
Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:
A. FortiGuard web filter queries
B. PKI
C. Traffic shaping
D. DNS
ANSWER: A,D
Section: Firewall and authentication

Q106
Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Options:
A. By default, all interfaces are part of the same broadcast domain.
B. The existing network IP schema must be changed when installing a transparent mode.
C. Static routes are required to allow traffic to the next hop.
D. FortiGate forwards frames without changing the MAC address.
ANSWER: A,D
Section: Firewall and authentication

Q107
Which statement regarding the firewall policy authentication timeout is true?
Options:
A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming
from the user's source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after
this timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming
from the user's source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after
this timer has expired.
ANSWER: A
Section: Firewall and authentication

Q108
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address
is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN
tunnel to work?

Options:
A. Static IP Address
B. Dialup User
C. Dynamic DNS
D. Pre-shared Key
ANSWER: B
Section: VPN

Q109
Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:
A. FortiGuard web filter queries
B. PKI
C. Traffic shaping
D. DNS
ANSWER: A,D
Section: Deployment and System Configuration

Q110
Refer to the exhibit.
Which contains a network diagram and routing table output.

The Student is unable to access Webserver.

What is the cause of the problem and what is the solution for the problem?

Options:
A. The first packet sent from Student failed the RPF check.This issue can be resolved by adding a static
route to 10.0.4.0/24 through wan1.
B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static
route to 10.0.4.0/24 through wan1.
C. The first reply packet for Student failed the RPF check . This issue can be resolved by adding a static
route to 203.0. 114.24/32 through port3.
D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static
route to 203.0. 114.24/32 through port3.
ANSWER: D
Section: Firewall and authentication

Q111
Refer to the exhibit.
The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10.0. 1.254/24.

A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0. 1. 10) pings the
IP address of Remote-FortiGate (10.200.3. 1)?

Options:
A. 10.200. 1. 149
B. 10.200. 1. 1
C. 10.200. 1.49
D. 10.200. 1.99
ANSWER: D
Section: Firewall and authentication

Q112
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

Options:
A. It uses UDP 8888.
B.It uses UDP 53.
C.It uses DNS over HTTPS.
D. It uses DNS overTLS.

ANSWER: D
Section: Deployment and System Configuration