Title of test:
FF8

Description:
nfvgtbh

Author:
wagnersjrp

Creation Date:
01/09/2023

Category:
Mathematics

Number of questions: 55
Content:
You deployed a fully loaded FG-7121F in the data center and enabled sslvpn-load-balance. Based on the behavior of this feature, which statement is correct?
- You can use src-ip or dst-ip-dport on dp-load-distribution-method to make SSL VPN load balancing work as expected.
- If an FPM goes down, SSL VPN IP pool IP address will be re-allocated to the remaining FPMs.
- Enabling SSL VPN load balancing will clear the session table.
- To have better traffic distribution you should use IP pools that increment in multiples of 12.

Given the information shown in the output, which two statements are correct? (Choose two.)
- Geographical IP policies are enabled and evaluated after local techniques.
- An IP address that was previously used by an attacker will always be blocked.
- The IP Reputation feature has been manually updated.
- Reputation from blacklisted IP address from DHCP or PPPoE pools can be restored.
- Attackers can be blocked before they target the servers behind the FortiWeb.

Refer to the configuration snippet:
  config ips global
    set np-accel-mode basic
    set cp-accel-mode none
  end
What will happen if you change the basic parameter in set cp-accel-mode to advanced? (Choose two.)
- The CP ASIC will start processing all IPS traffic.
- NTurbo will be enabled.
- The flow-based IPS signature correlation will be offloaded.
- Enhanced IPSA will be enabled.

Refer to the exhibits. You must integrate a FortiMail and FortiSandbox Enhanced Cloud solution for a customer who is concerned about the e-mail being delayed for too long. According to the configuration shown in the exhibits, which would be an expected behavior?
- FortiMail will ignore the timeout value if content disarm and reconstruction (CDR) is enabled.
- FortiMail will relay valid e-mails server as soon as it is done with other local inspections.
- If an attachment is sent to the FortiSandbox while the job queue is full, the email might be delayed for up to 30 minutes, after that e-mail will be relayed to the mail server.
- FortiMail will not wait for result only for attachments that have been already submitted to the FortiSandbox in the last 60 minutes.

Refer to the exhibit, which shows a topology diagram. A customer wants to use SD-WAN for traffic generated from the data center towards Branches. SD-WAN on HUB should follow the underlay condition on each Branch and the solution should be scalable for hundreds of Branches. Which SD-WAN rules strategy should be used?
- Lowest Cost SLA
- Manual Based on route-tags
- Best Quality based on route-tags
- Auto Based on link quality

Refer to the exhibit showing a FortiEDR configuration. Based on the exhibit, which statement is correct?
- FortiEDR collector will not collect OS Metadata.
- The presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.
- If an unresolved file rule is triggered, by default the file is logged but not blocked.
- If a malicious file is executed and attempts to establish a connection it will generate duplicate events.

A customer has FortiAP devices in three offices managed from a FortiGate in the HQ. Each FortiAP is connected to a dedicated management VLAN. The customer wants the users connected to the FortiAP SSIDs to use the branch local internet connection, but each branch uses a different VLAN ID for the bridge. HQ users travel to different branches and connect to the same SSID. Which configuration option will solve this requirement?
- Set a FortiAuthenticator for 802.1x authentication with the Tunnel-Type attribute set to VLAN and use set dynamic-vlan enable on the VAP configuration.
- Use set vlan-pooling hash on the VAP configuration with the corresponding vlan-pool.
- Use set vlan-pooling round-robin on the VAP configuration with the corresponding vlan-pool.
- Set each FortiAP to a wtp-group and use set vlan-pooling wtp-group on the VAP configuration with the corresponding VLAN ID configuration for each group.

Review the Application Control log. Which configuration causes the IPS engine to generate this log?
- config ips global set exclude-signatures none
- config ips global set database extended
- config ips global set inspect-mode full
- config ips global set anomaly-mode continuous

A FortiGate must be configured to accept VoIP traffic which will include session initiation protocol (SIP) traffic. Which statement about VoIP configuration options is correct?
- By default VoIP traffic will be processed using the SIP Session Helper.
- Restricting SIP requests is only possible when using the SIP Session Helper.
- FortiOS cannot accept SIP traffic if both the SIP Session Helper and the application layer gateway (ALG) are disabled.
- Rate tracking of SIP requests is only possible when the application layer gateway (ALG) is set to Flow mode.

Which two statements about bounce address tagging and verification (BATV) on FortiMail are true? (Choose two.)
- FortiMail will insert the BATV tag to the sender address in the envelope.
- Emails with an empty sender address will be subjected to bounce verification.
- You must publish the BATV public key as a DNS TXT record.
- BATV must be enabled in a session profile applied to an inbound IP policy.

Refer to the exhibit. A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server. Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
- You must use Standard or Enterprise SQL Server rather than the included SQL Server Express.
- You can only deploy initial installations to Windows clients.
- A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority.
- The Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy.

Refer to the exhibit. Company Corp was visited by an external risk assessment auditor and informed that change control and auditing must be enabled in FortiManager to meet new compliance procedures. The administrator has enabled Workflow mode in FortiManager and has assigned approval roles to the current administrators. However, workflow approval does not function as expected. The CTO is currently unable to approve submitted changes. Given the exhibit, which two possible solutions will resolve the workflow approval problems with the Workflow_72 ADOM? (Choose two.)
- The CTO must have a defined email address for the admin user account.
- The CISO must have a higher access level than Read_Only_User in FortiManager.
- The CTO and CISO need to swap Approval Groups so that the highest authority is in Group #1.
- The CTO needs to be added to "Email Notification" in the Workflow_72 ADOM.
- The CTO must have Standard level or higher for FortiManager.

Refer to the exhibits. A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C.
- config vpn ipsec phase1-interface
    edit "vpn-hub02-1"
      set ike-version 2
      set authmethod signature
      set certificate "BR01FGTLOCAL"
      set peer "vpn-hub02-1_peer"
    next
  end
- config vpn ipsec phase1-interface
    edit "vpn-hub02-1"
      set ike-version 2
      set net-device enable
      set psksecret fortinet
    next
  end
- config vpn ipsec phase1-interface
    edit "vpn-hub02-1"
      set ike-version 1
      set authmethod signature
      set certificate "BR01FGTLOCAL"
      set peer "vpn-hub02-1_peer"
    next
  end

You are designing a setup where the FortiGate device is connected to two upstream ISPs using BGP. Part of the requirement is that you must be able to refresh the route advertisements manually without disconnecting the BGP neighbors this goal?
- Graceful-restart
- Deterministic-med
- Soft-reconfiguration
- Synchronization

Refer to the exhibit. You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port. You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined. How should the initial connection be made?
- Connect the switch on any interface between ports 21 to 24.
- Connect the switch on any interface between ports 1 to 4.
- Connect the switch on any interface between ports 5 to 8.
- Connect the switch on any interface between ports 25 to 28.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2. The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1. Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)
- config firewall profile-protocol-options
    edit SSL-offload
      config https
        set options splice
      end
    next
  end
- config firewall ssl-server
    edit FAD-1
      set ip <FAD-1 IP address>
      set ssl-mode full
    next
  end
- config firewall profile-protocol-options
    edit SSL-offload
      config http
        set ssl-offloaded yes
      end
    next
  end
- config application list
    edit SSL-offload-App-Detect
      set deep-app-inspection enable
    next
  end
- config application list
    edit SSL-offload-App-Detect
      set force-inclusion-ssl-di-sigs enable
    next
  end

You have configured a Site-to-Site IPsec VPN tunnel between a FortiGate and a third-party device but notice that one of the error counters on the tunnel interface keeps increasing.
  VPN-TUNNEL Link encap:Unknown
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1420 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:337 errors:4 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:451856798 (430.9 MB) TX bytes:266756340 (254.4 MB)
Which three configuration options can resolve this problem? (Choose three.)
- Enable Forward Error Correction (FEC) on the VPN interface for ingress traffic.
- Enable Forward Error Correction (FEC) on the VPN interface for egress traffic.
- Adjust the MTU of the IPsec interface.
- Disable DF-bit honoring in the global settings.
- Adjust the MTU of the physical interface to which the IPsec tunnel is bound.

You configured a FortiADC in a one-arm deployment load balancing two IIS Windows servers in a DMZ behind an existing FortiGate. The Virtual IP and firewall policy in the FortiGate has been properly configured to point incoming web traffic to the correct FortiADC virtual server IP. The FortiADC and IIS server logs show incoming traffic, but the client devices did not receive any response traffic. Which two options are possible reasons for this behavior? (Choose two.)
- Packet Forwarding Method is set to DNAT on the FortiADC but the FortiGate is blocking asymmetric traffic.
- Packet Forwarding Method is set to Full NAT on the FortiADC but the NAT Source Pool List is set to the FortiADC interface IP.
- Packet Forwarding Method is set to Full NAT on the FortiADC but X-Forwarded-For is not enabled.
- Packet Forwarding Method is set to Direct Routing on the FortiADC but DSR is not configured on the IIS Server.

Refer to the exhibits, which show a topology and diagnostic commands. Which two statements about the path resolution are true? (Choose two.)
- Packet-loss is the quality criteria.
- Latency is the quality criteria.
- wan1 is currently used as an outgoing interface.
- wan2 is currently used as an outgoing interface.

Refer to the exhibit, which shows diagnostic output. A customer reports that ICMP traffic flow is not corresponding to the SD-WAN setup. What is the problem in this scenario?
- Route for the destination IP is missing in the routing table.
- Port1 is used because it has more available bandwidth.
- Traffic is matched by policy route.
- SD-WAN Rule is matching only DNS traffic.

Refer to the exhibits. You are configuring a Let's Encrypt certificate to enable SSL protection to your website. When FortiWeb tries to retrieve the certificate, you receive a certificate status failed, as shown below. Based on the Server Policy settings shown in the exhibit, which two configuration changes will resolve this issue? (Choose two.)
- Enable HTTP service in the Server Policy.
- Configure a TXT record of the domain and point to the IP address of the Virtual Server.
- Disable Redirect HTTP to HTTPS in the Server Policy.
- Remove the Web Protection Profile from this Server Policy.

Refer to the exhibit. An administrator discovers that CPU utilization of a FortiGate-200F is high and determines that no traffic is being accelerated by hardware. Given the exhibit, why is no traffic being accelerated by hardware?
- per-session-accounting is enabled under np6xlite config.
- strict-dirty-session-check is enabled in global config.
- delay-tcp-npu-session is enabled under the firewall policy.
- check-protocol-header is set to strict in the global config.

Refer to the exhibits. The exhibits show the configuration and debug output from a FortiGate Public SDN Connector. What is a possible reason for this dynamic address object to be empty?
- Only Private IP is in the scope of the predefined Owner role.
- The Application ID and Client secret are incorrect.
- The App registration does not have a role with necessary read permissions on the resource group.
- The Filter should be set to Category=Servers.

Refer to the exhibit, which shows an SD-WAN configuration. You configured the SD-WAN from Branch1 to the HUB and enabled packet duplication. You later notice that the traffic is not being duplicated. In this scenario, what is causing this problem?
- Packet duplication is not enabled on the HUB side.
- Packet duplication did not occur because an interface is out of SLA.
- There is a mismatch in the FortiOS version between Branch1 and HUB.
- Traffic cannot be duplicated over multiple zones.

You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?
- The configuration of the MTA Adapter Local Interface is different than on port1.
- The configuration is different than on a standalone device.
- The MTA adapter mode is only detection mode.
- The MTA adapter is only available in the primary node.

A customer is planning on moving their secondary data center to a cloud-based IaaS. They want to place all the Oracle-based systems on Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center. They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy, and performance as a priority. Which two design options are true based on these requirements? (Choose two.)
- Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.
- Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.
- Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge.
- Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.

A FortiGate running FortiOS 7.2.0 GA is configured in multi-vdom mode with a vdom set to vdom type Admin and another vdom set to vdom type Traffic. Which two GUI sections are available on both VDOM types? (Choose two.)
- Security Fabric topology and external connectors
- Interface configuration
- Packet capture
- Certificates
- FortiClient configuration

Refer to the exhibits. The exhibit shows a FortiGate model device that will be used for zero touch provisioning and a CLI Template. To facilitate a more efficient roll out of FortiGate devices, you are tasked with using meta fields with the CLI Template to configure the DHCP server on the "office1" FortiGate. Given this scenario, what would be the output of the CLI Template once it has been applied to the "office1" FortiGate?
- config system dhcp server
    edit 1
      set dns-service default
      set default-gateway 10.10.1.1
      set netmask 255.255.255.0
      set interface "internal"
      config ip-range
        edit 1
          set start-ip 10.10.1.10
          set end-ip 10.10.1.111
        next
      end
    next
  end
- config system dhcp server
    edit 1
      set dns-service default
      set default-gateway 10.10.1.1
      set netmask 255.255.255.0
      set interface "internal"
      config ip-range
        edit 1
          set start-ip 10.10.1.3
          set end-ip 10.10.1.5
        next
      end
    next
  end
- config system dhcp server
    edit 1
      set dns-service default
      set default-gateway 10.10.1.1
      set netmask 255.255.255.0
      set interface "internal"
      config ip-range
        edit 1
          set start-ip 10.10.1.11
          set end-ip 10.10.1.111
        next
      end
    next
  end

Your organization wants you to create a base SD-WAN configuration for spoke sites, including SD-WAN rules and Performance SLAs. It needs to be done in a way that can be easily ported to new sites with the minimum amount of change. How should you create the SD-WAN zones?
- With members without interface assignments
- With no members configured
- With members and assign interfaces but do not specify a gateway
- With members and assign overlay interfaces

Refer to the exhibit. A customer wants to automate the creation and configuration of FortiGate VM instances in a VMware vCenter environment using Terraform. They have the creation part working with the code shown in the exhibit. Which code snippet will allow Terraform to automatically connect to a newly deployed FortiGate if its IP was dynamically assigned by VMware NSX-T?
- provider "fortinet_fortigate" {
    hostname = module.vsphere_virtual_machine.default_ip_address
    token = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
    insecure = "true"
  }
- provider "fortios" {
    hostname = module.vsphere_virtual_machine.default_ip_address
    token = "jn3t3Nw7qckQzt 955Htkfj5hwQ6jdb"
    insecure = "true"
  }
- provider "fortinet_fortigate" {
    hostname = vsphere_virtual_machine.vm.default_ip_address
    token = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
    insecure="true"
  }
- provider "fortios" {
    hostname = vsphere_virtual_machine.vm.default_ip_address
    token = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
    insecure "true"

Refer to the exhibit, which shows a FortiGate configuration snippet. A customer in Costa Rica has a FortiGate with SD-WAN configured to use a VPN connection to the United States to browse the internet using a public IP from that country. They would like to enable the SD-WAN rule using a webhook. Which configuration must be added to the FortiGate, and which curl command must be used to accomplish that? (Choose two.)
- Add to the FortiGate the configuration:
  config system automation-trigger
    edit "Enable USA Browsing webhook"
      set event-type incoming-webhook
    next
  end
  config system automation-stitch
    edit "Enable USA Browsing"
      set trigger "Enable USA Browsing webhook"
      config actions
        edit 1
          set action "Enable USA Browsing script"
          set required enable
        next
      end
    next
  end
- On the web server use the command:
  curl -X GET 'https://192.168.1.99/api/v2/monitor/system/automation-stitch/webhook/Enable%20USA%20Browsing' -H 'Authorization: Bearer HNOpffsbgggayn3dHcshQQkg5nklff'
- Add to the FortiGate the configuration:
  config system automation-trigger
    edit "Enable USA Browsing"
      set event-type incoming-webhook
    next
  end
  config system automation-stitch
    edit "Enable USA Browsing stitch"
      set trigger "Enable USA Browsing"
      config actions
        edit 1
          set action "Enable USA Browsing script"
          set required enable
        next
      end
    next
  end
- On the web server use the command:
  curl -X POST 'https://192.168.1.99/api/v2/monitor/system/automation-stitch/webhook/Enable%20USA%20Browsing' -H 'Authorization: Bearer HNOpffsbgggayn3dHcshQQkg5nklff'

Refer to the exhibits. The exhibits show a routing scenario and a debug output. A customer reports that if the Spoke-1 stops working on ISP-2 and the Spoke-2 stops working on ISP-1, traffic between clients stops passing through the VPN. Based on debug output in Exhibit B, what should you do to correct the situation?
- Enable iBGP multipath
- Enable next-hop-self feature on the DC
- Enable additional-path feature
- Enable recursive resolution for BGP routes

A customer wants to use the FortiAuthenticator REST API to create an SSO group called SalesGroup. The following API call is being made with the 'curl' utility:
  curl -k -v -u "admin: zeyDZXmP6GbKcerqdWWEYNTnH2Ta0Cz5HTp2dAVS" -X POST -d '{"name":"SalesGroup"}' -H 'Content-Type: application/json' https://10.10.10.22/api/v1/ssogroup/100/
Which statement correctly describes the expected behavior of the FortiAuthenticator REST API?
- Only users with the "Full permission" role can access the REST API.
- If it is lost, the current REST API web service access key can be retrieved from the CLI with a diagnose command.
- This API call will fail because it requires API version 2.
- The API call will fail because you cannot use POST with a specific ID.

Refer to the exhibit showing a FortiView monitor screen. After a Secure SD-WAN implementation a customer reports that in FortiAnalyzer under FortiView Secure SD-WAN Monitor there is No Device for selection. What can cause this issue?
- Extended logging is not enabled on FortiGate
- Upload option from FortiGate to FortiAnalyzer is not set as a real time
- sla-fail-log-period and sla-pass-log-period on FortiGate health check is not set
- ADOM 1 is set as a Fabric ADOM.

You are performing a packet capture on a FortiGate 2600F with the hyperscale licensing installed. You need to display on screen all egress/ingress packets from the port16 interface that have been offloaded to the NP7. Which three commands need to be run? (Choose three.)
- diagnose npu sniffer filter dir 2
- diagnose sniffer packet port16
- diagnose npu sniffer filter dir 0
- diagnose sniffer packet npudbg

A FortiGate deployment contains the following configuration:
  config system vdom-exception
    edit 1
      set object router.route-map
      set scope inclusive
      set vdom SERVICES
    next
  end
What is the result of this configuration?
- Route-maps from VDOM SERVICES are available in all other VDOMs
- Route-maps for VDOM SERVICES are excluded from HA configuration synchronization
- Route-maps from the Root VDOM configuration are available in VDOM SERVICES
- Route-maps are not configurable in VDOM SERVICES.

Refer to the exhibits, which show a firewall policy configuration and a network topology. An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages. Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?
- FortiGate will fall-back to the default Fortinet_CA_SSL certificate.
- FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection.
- FortiGate will use the first certificate in the server-cert list, the abc.com certificate.
- FortiGate will reject the connection since no certificate is defined.

What is the benefit of using FortiGate NAC LAN Segments?
- It provides support for multiple DHCP servers within the same VLAN.
- It provides support for IGMP snooping between hosts within the same VLAN.
- It allows for assignment of dynamic address objects matching NAC policy.
- It provides physical isolation without changing the IP address of hosts.

Refer to the exhibit. You are managing a FortiSwitch 3032E that is managed by FortiLink on a FortiGate 3960E. The 3032E is heavily utilized and there is only one port free. The requirement is to add an additional three FortiSwitch 448E devices with 10Gbps SFP+ connectivity directly to the 3032E. The plan is to use split port (phy-mode) with QSFP28 mode to connect the new 448E switches. In this scenario, which two statements about the switch deployment are correct? (Choose two.)
- The port mode of Switch 1 must be changed to QSFP.
- Additional ports on Switch 1 can be split for a maximum of 128 interfaces.
- Switches 2-4 will connect successfully with Switch 1 split port in QSFP28 mode.
- FortiLink must be changed to Layer 2 for Switch 1.
- After enabling split ports and rebooting Switch 1, the new ports can be configured from the FortiGate.

Refer to the exhibit that shows VPN debugging output. The VPN tunnel between headquarters and the branch office is not being established. What is causing the problem?
- There is no matching Diffie-Hellman Group
- HQ is using IKE v1 and the branch office is using IKE v2
- There is a mismatch in the ISAKMP SA lifetime
- The Phase-1 encryption algorithms are not matching.

Refer to the exhibit. The exhibit shows a FortiGate high-availability (HA) cluster deployed in FortiGate Session Life Support Protocol (FGSP) mode. Standalone configuration sync mode is enabled. Given the exhibit, which two statements about FortiGate FGSP HA cluster behavior are correct? (Choose two.)
- You can selectively synchronize only specific sessions between FGSP cluster members.
- Session synchronization occurs over Layer 3 by default, and if unavailable it will then try Layer 2.
- You can run FortiGate Virtual Router Redundancy Protocol (VRRP) high availability in addition to FGSP simultaneously.
- Cluster members will upgrade one at a time and failover during firmware upgrades.

Refer to the exhibit. The exhibit shows a FortiGate high-availability (HA) cluster deployed in FortiGate Session Life Support Protocol (FGSP) mode. Standalone configuration sync mode is enabled. Given the exhibit, which two statements about FortiGate FGSP HA cluster behavior are correct? (Choose two.)
- You can selectively synchronize only specific sessions between FGSP cluster members.
- Session synchronization occurs over Layer 3 by default, and if unavailable it will then try Layer 2.
- You can run FortiGate Virtual Router Redundancy Protocol (VRRP) high availability in addition to FGSP simultaneously.
- Cluster members will upgrade one at a time and failover during firmware upgrades.
- OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVink.

A FortiGate is configured to perform outbound firewall authentication with Azure AD as a SAML IdP. What are two valid interactions that occur when the client attempts to access the internet? (Choose two.)
- The Microsoft SAML IdP sends the SAML response to the FortiGate SP.
- The client browser forwards the SAML response received from Microsoft SAML IdP to the FortiGate SP.
- FortiGate SP sends a SAML request to the IdP.
- FortiGate SP redirects the client browser to the local captive portal and then redirects to the Microsoft SAML IdP.

Refer to the exhibit. A customer needs to create a multi-tier MCLAG set up with the topology as shown in the exhibit. A1/A2 B1/B2 C1/C2 Which command snippet should be applied to it, to allow active/active links in this topology? A1 # config switch auto-isl-port-group A1 (auto-isl-port-g~o) # edit aggregate-port10 A1 (aggregate-port10) # set members port10 A1 (aggregate-port10) # next A1 (auto-isl-port-g~o) # end A1 # config switch auto-isl-port-group A1 (auto-isl-port-g~o) # edit aggregate-port11 A1 (aggregate-port11) # set members port11 A1 (aggregate-port11) # next A1 (auto-isl-port-g~o) # end A1 # config switch auto-isl-port-group A1 (auto-isl-port-g~o) # edit aggregate-port1-2 A1 (aggregate-port1-2) # set members port1 port2 A1 (aggregate-port1-2) # next A1 (auto-isl-port-g~o) # end A2 # config switch auto-isl-port-group A2 (auto-isl-port-g~o) # edit aggregate-port1 A2 (aggregate-port1) # set members port1 A2 (aggregate-port1) # next A2 (auto-isl-port-g~o) # end A1 # config switch auto-isl-port-group A1 (auto-isl-port-g~o) # edit aggregate-port2 A1 (aggregate-port2) # set members port2 A1 (aggregate-port2) # next A1 (auto-isl-port-g~o) # end A1 # config switch auto-isl-port-group A1 (auto-isl-port-g~o) # edit aggregate-port10-11 A1 (aggregate-port10-port11) # set members port10 port11 A1 (aggregate-port10-port11) # next A1 (auto-isl-port-g~o) # end A2 # config switch auto-isl-port-group A2 (auto-isl-port-g~o) # edit aggregate-port10-11 A2 (aggregate-port10-11) # set members port10 port11 A2 (aggregate-port10-11) # next A2 (auto-isl-port-g~o) # end.
One log relevant to the event is extracted from FortiGate logs:
  date=2022-07-11 time=10:37:08 eventtime=1657571829014946018 tz="-1000" logid="0000000022" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.100.91.12 srcport=51542 srcintf="port3" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="port1" dstintfrole="wan" srcuuid="2b4ee3fc-0124-51ed-7898-eaelb990blec" dstuuid="2b4ee3fc-0124-51ed-7898-eaelb990blec" srccountry="Reserved" dstcountry="United States" sessionid=402530 proto=17 action="accept" policyid=13 policytype="policy" poluuid="766bb040-0124-51ed-ca3a-eacce4ed289f" policyname="LAN to Internet" service="DNS" trandisp="snat" transip=10.100.64.101 transport=51542 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="default" duration=180 sentbyte=45 rcvdbyte=120 sentpkt=1 rcvdpkt=1 srchwvendor="Fortinet" devtype="Router" srcfamily="FortiGate" osname="Fortios" mastersrcmac="00:09:01:00:03:01" srcmac="00:09:01:00:03:01" srcserver=0
The devices and the administrator are all located in different time zones. Daylight savings time (DST) is disabled. The FortiGate is at GMT-10:00. The FortiAnalyzer is at GMT-08:00. Your browser local time zone is at GMT-03:00. You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?
- 20:37:08
- 20:37:08
- 17:37:08
- 12:37:08
- 10:37:08

Refer to the exhibits. During the implementation of a Fortinet Security Fabric configuration, CLI commands were issued in the order shown in the exhibit. On the next day, the local admin for FGTC issues the following command:
  FGTC # config system csf
    set configuration-sync default
  end
In this scenario, which outcome is true regarding the "subnet_1" firewall address object on FGTC?
- The object is automatically created.
- The object is not automatically created.
- The object will only be automatically created on FGTC if it is modified on FGTA-1.
- The object needs to be recreated on FGTA-1 before it is automatically created on FGTC.

Refer to the exhibit. An HTTPS access proxy is configured to demonstrate its function as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context, before granting access to the protected source. It is assumed that the FortiGate EMS fabric connector has already been successfully connected. You need to ensure that ZTNA access through the FortiGate will redirect users to the FortiAuthenticator to perform username/password and multifactor authentication to validate access prior to accessing resources behind the FortiGate. In this scenario, which two further steps need to be taken on the FortiGate? (Choose two.)
- Create an authentication scheme with the "method" as SAML.
- Create a SAML user/server object referring to the FortiAuthenticator.
- Create an authentication rule that sets the sso-auth-method to the FortiAuthenticator.
- Create a firewall rule that allows access from the remote endpoint to the resources behind the FortiGate.

Refer to the exhibit. A customer is trying to set up a Playbook automation using a FortiAnalyzer, FortiWeb and FortiGate. The intention is to have the FortiGate quarantine any source of SQL Injection detected by the FortiWeb. They got the automation stitch to trigger on the FortiGate when simulating an attack to their website, but the quarantine object was created with the IP 0.0.0.0. Referring to the configuration and logs in the exhibits, which two statements are true? (Choose two.)
- FortiSOC Playbooks combining FortiWeb and FortiGate are not supported.
- To diagnose this issue, you need to use the command diagnose test application oftpd 22.
- The Group By option in the handler should be different to src, so src can be used on the Playbook configuration.
- To fix the issue the parameter for script on the Playbook configuration should be epip.
- The FortiAnalyzer ADOM Type must be Fabric.

Refer to the exhibit. FortiGate 2200E is using multiple VRFs to isolate the traffic from different departments. You want to enable route leaking of specific routes to allow direct traffic between the VRFs in a scalable way. Which two steps are required to achieve this requirement in this scenario? (Choose two.)
- Configure route-maps to leak the selected routes between the VRFs
- Enable Multi-VDOM
- Create an additional VRF to interconnect the VRFs using VDOM Links
- Use OSPF or BGP as a routing protocol.

Refer to the exhibit. A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit. How will the sessions be load balanced between server 1 and server 2 during normal operation?
- Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions
- Server 1 will receive 33.3% of the sessions, Server 2 will receive 66.6% of the sessions
- Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions
- Server 1 will receive 0% of the sessions, Server 2 will receive 100% of the sessions.

Refer to the exhibit of a FortiNAC configuration. In this scenario, which two statements are correct? (Choose two.)
- Port8 is connected to a FortiGate in FortiLink mode.
- An unknown host is connected to port3.
- The IP address of the FortiSwitch is 10.12.240.2.
- A device that is modeled in FortiNAC is connected on VLAN 4093.

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two.)
- Move the internet connection from the SFP interfaces to the LC interfaces.
- Replace with a FortiDDoS 1500F.
- Create an HA setup with a second FortiDDoS 200F.
- Change the Adaptive Mode.

Refer to the exhibit showing a firewall policy configuration. To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1. What change does the administrator need to make?
- config firewall policy
    edit 1
      set fsso enable
    next
  end
- config user setting
    set auth-secure-http enable
    set auth-http-basic disable
  end
- config firewall policy
    edit 1
      set ntlm-guest disable
    next
  end
- config user setting
    set auth-on-demand always
  end

Refer to the exhibit. What is happening in this scenario?
- The user is authenticating against a FortiGate Captive Portal.
- The user status changed at FortiClient EMS to off-net.
- The user is authenticating against an IdP.
- The user has not authenticated on their external browser.

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license. Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)
- Migrate the FortiGate to an Azure D8s_v3.
- Enable "Accelerated networking" on the Azure network interfaces.
- Enable SR-IOV on the FortiGate.
- Migrate the FortiGate to an Azure F4s_v2.