Text Material Preview
<p>FCP_FGT_AD-7.4</p><p>Exam Name: FCP - FortiGate 7.4 Administrator</p><p>Full version: 200 Q&As</p><p>Full version of FCP_FGT_AD-7.4 Dumps</p><p>Share some FCP_FGT_AD-7.4 exam dumps</p><p>below.</p><p>1. Which two statements about the application control profile mode are true? (Choose two.)</p><p>A. It uses flow-based scanning techniques, regardless of the inspection mode used.</p><p>B. It cannot be used in conjunction with IPS scanning.</p><p>C. It can be selected in either flow-based or proxy-based firewall policy.</p><p>1 / 27</p><p>https://www.certqueen.com/FCP_FGT_AD-7.4.html</p><p>D. It can scan only unsecure protocols.</p><p>Answer: A,C</p><p>Explanation:</p><p>The two statements about the application control profile mode that are true are:</p><p>A. It uses flow-based scanning techniques, regardless of the inspection mode used.</p><p>The application control profile can be applied in both flow-based and proxy-based inspection</p><p>modes, and it utilizes flow-based scanning techniques for application identification.</p><p>C. It can be selected in either flow-based or proxy-based firewall policy.</p><p>You can choose the application control profile in either flow-based or proxy-based firewall</p><p>policies, providing flexibility in the application of application control.</p><p>The other options are not accurate:</p><p>B is incorrect because the application control profile can be used in conjunction with IPS</p><p>(Intrusion Prevention System) scanning.</p><p>D is incorrect because the application control profile can scan both secure and unsecure</p><p>protocols.</p><p>So, the correct choices are A and C.</p><p>2. FortiGuard categories can be overridden and defined in different categories. To create a web</p><p>rating override for the example.com home page, the override must be configured using a</p><p>specific syntax.</p><p>Which two syntaxes are correct to configure a web rating override for the home page? (Choose</p><p>two.)</p><p>A. 
www.example.com</p><p>B. www.example.com/index.html</p><p>C. www.example.com:443</p><p>D. example.com</p><p>Answer: A,D</p><p>Explanation:</p><p>A. www.example.com</p><p>D. example.com</p><p>To create a web rating override for the home page of the example.com domain, the</p><p>administrator must use one of the following syntaxes:</p><p>www.example.com: This syntax specifies the fully qualified domain name (FQDN) of the</p><p>website, including the www subdomain. This syntax will apply the web rating override to all</p><p>pages on the website, including the home page.</p><p>example.com: This syntax specifies the root domain of the website, without the www</p><p>2 / 27</p><p>subdomain. This syntax will also apply the web rating override to all pages on the website,</p><p>including the home page.</p><p>3. Refer to the exhibit.</p><p>Which statement about the configuration settings is true?</p><p>A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.</p><p>B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.</p><p>C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.</p><p>D. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the</p><p>same port.</p><p>Answer: B</p><p>Explanation:</p><p>B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.</p><p>In this scenario, the remote user is accessing the FortiGate device using HTTPS (port 443),</p><p>which is typically used for SSL-VPN access. Therefore, when accessing the device at that</p><p>address and port, the SSL-VPN login page should open for the user to authenticate and</p><p>3 / 27</p><p>establish a VPN connection.</p><p>4. Which CLI command will display sessions both from client to the proxy and from the proxy to</p><p>the servers?</p><p>A. diagnose wad session list</p><p>B. diagnose wad session list | grep hook-pre&&hook-out</p><p>C. 
diagnose wad session list | grep hook=pre&&hook=out</p><p>D. diagnose wad session list | grep "hook=pre"&"hook=out"</p><p>Answer: A</p><p>Explanation:</p><p>diagnose wad session list</p><p>Running the diagnose wad session list command will indeed display the sessions managed by</p><p>the Web Application Firewall (WAF) module, and you can review the information in the output to</p><p>analyze traffic from the client to the proxy and from the proxy to the servers.</p><p>5. Examine the output from a debug flow:</p><p>Why did the FortiGate drop the packet?</p><p>A. The next-hop IP address is unreachable.</p><p>B. It failed the RPF check.</p><p>C. It matched an explicitly configured firewall policy with the action DENY.</p><p>D. It matched the default implicit firewall policy.</p><p>Answer: D</p><p>Explanation:</p><p>It matched the default implicit firewall policy.</p><p>implicit firewall rule == (policy id 0)</p><p>traffic is denied by implicit firewall rule.</p><p>6. Which two statements about antivirus scanning in a firewall policy set to proxy-based</p><p>inspection mode, are true? (Choose two.)</p><p>A. A file does not need to be buffered completely before it is moved to the antivirus engine for</p><p>4 / 27</p><p>scanning.</p><p>B. The client must wait for the antivirus scan to finish scanning before it receives the file.</p><p>C. FortiGate sends a reset packet to the client if antivirus reports the file as infected.</p><p>D. If a virus is detected, a block replacement message is displayed immediately.</p><p>Answer: B,D</p><p>Explanation:</p><p>In a firewall policy set to proxy-based inspection mode:</p><p>B. The client must wait for the antivirus scan to finish scanning before it receives the file.</p><p>In proxy-based inspection, the client may need to wait for the antivirus scan to complete before</p><p>receiving the file. 
The file may need to be fully scanned before being delivered to the client,</p><p>depending on the specific configuration and circumstances.</p><p>D. If a virus is detected, a block replacement message is displayed immediately.</p><p>If a virus is detected during the antivirus scan in proxy-based inspection mode, FortiGate can</p><p>generate a block replacement message immediately, informing the user that the file is infected.</p><p>So, both statements B and D are valid in the context of proxy-based inspection mode.</p><p>7. Refer to the exhibit.</p><p>Based on the ZTNA tag, the security posture of the remote endpoint has changed.</p><p>What will happen to endpoint active ZTNA sessions?</p><p>A. They will be re-evaluated to match the endpoint policy.</p><p>B. They will be re-evaluated to match the firewall policy.</p><p>C. They will be re-evaluated to match the ZTNA policy.</p><p>D. They will be re-evaluated to match the security policy.</p><p>Answer: C</p><p>5 / 27</p><p>Explanation:</p><p>C. They will be re-evaluated to match the ZTNA policy.</p><p>Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if</p><p>the endpoint is no longer compliant with the ZTNA policy.</p><p>8. Which timeout setting can be responsible for deleting SSL VPN associated sessions?</p><p>A. SSL VPN idle-timeout</p><p>B. SSL VPN http-request-body-timeout</p><p>C. SSL VPN login-timeout</p><p>D. SSL VPN dtls-hello-timeout</p><p>Answer: A</p><p>Explanation:</p><p>SSL VPN idle-timeout</p><p>The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive</p><p>before it is terminated. 
When an SSL VPN session becomes inactive (for example, if the user</p><p>closes the VPN client or disconnects from the network), the session timer begins to count down.</p><p>If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic,</p><p>the session will be terminated and the associated resources (such as VPN tunnels and virtual</p><p>interfaces) will be deleted.</p><p>Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can</p><p>change this timeout using the Idle Logout setting on the GUI.</p><p>9. Which statement correctly describes NetAPI polling mode for the FSSO collector agent?</p><p>A. NetAPI polling can increase bandwidth usage in large networks.</p><p>B. The NetSessionEnum function is used to track user logouts.</p><p>C. The collector agent must search security event logs.</p><p>D. The collector agent uses a Windows API to query DCs for user logins.</p><p>Answer: B</p><p>Explanation:</p><p>The NetSessionEnum function is used to track user logouts.</p><p>Study Guide C FSSO C FSSO with Windows Active Directory C Collector Agent-Based Polling</p><p>Mode Options.</p><p>Collector agent-based polling mode has three methods (or options) for collecting logon info:</p><p>6 / 27</p><p>NetAPI, WinSecLog and WMI.</p><p>NetAPI: Polls temporary sessions created on the DC when a user logs on or logs off and calls</p><p>the NetSessionEnum function on Windows. It’s faster than the WinSec and WMI methods;</p><p>however, it can miss some logon events if a DC is under heavy system load. This is because</p><p>sessions can be quickly created and purged form RAM, before the agent has a chance to poll</p><p>and notify FG.</p><p>NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls</p><p>the NetSessionEnum function on Windows. It’s faster than the WinSec and WMI methods;</p><p>however, it can miss some login events if a DC is under heavy system load. 
This is because</p><p>sessions can be quickly created and purged from RAM, before the agent has a chance to poll</p><p>and notify FortiGate.</p><p>Incorrect:</p><p>A. NetAPI polling can increase bandwidth usage in large networks. (WinSecLog)</p><p>C. The collector agent must search security event logs. (WinSecLog)</p><p>D. The collector agent uses a Windows API to query DCs for user logins. (WMI)</p><p>- WinSecLog: polis all the security event logs from the DC. It doesn't miss any login events that</p><p>have been recorded by the DC because events are not normally deleted from the logs. There</p><p>can be some delay in</p><p>FortiGate receiving events if the network is large and, therefore, writing to the logs is slow. It</p><p>also requires that the audit success of specific event IDs is recorded in the Windows security</p><p>logs. For a full list of supported event IDs, visit the Fortinet Knowledge Base</p><p>(http://kb.fortinet.com).</p><p>- NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls</p><p>the NetSessionEnum function on Windows. It's faster than the WinSec and WMI methods;</p><p>however, it can miss some login events if a DC is under heavy system load. This is because</p><p>sessions can be quickly created and purged from RAM, before the agent has a chance to poll</p><p>and notify FortiGate.</p><p>10. Refer to the exhibit.</p><p>7 / 27</p><p>The exhibit shows a diagram of a FortiGate device connected to the network and the firewall</p><p>policy and IP pool configuration on the FortiGate device.</p><p>Which two actions does FortiGate take on internet traffic sourced from the subscribers?</p><p>(Choose two.)</p><p>A. FortiGate allocates port blocks per user, based on the configured range of internal IP</p><p>addresses.</p><p>B. FortiGate allocates port blocks on a first-come, first-served basis.</p><p>C. FortiGate generates a system event log for every port block allocation made per user.</p><p>D. 
FortiGate allocates 128 port blocks per user.</p><p>Answer: B,C</p><p>Explanation:</p><p>B: FortiGate allocates port blocks on a first-come, first-served basis</p><p>C: For logging purposes, when FortiGate allocates a port block to a host, it generates a system</p><p>event log to inform the administrator</p><p>Not A: FortiGate allocates a block size and number per host for a range of external addresses</p><p>Not D: It allows 8 blocks of 128 ports per host</p><p>FortiGate allocates port blocks on a first-come, first-served basis.</p><p>For logging purposes, when FortiGate allocates a port block to a host, it generates a system</p><p>event log to inform the administrator.</p><p>11. Refer to the exhibit.</p><p>8 / 27</p><p>The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs</p><p>are configured in transparent mode.</p><p>The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to</p><p>access the internet. The To_Internet VDOM is the only VDOM with internet access and is</p><p>directly connected to ISP modem.</p><p>With this configuration, which statement is true?</p><p>A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.</p><p>B. A default static route is not required on the To_Internet VDOM to allow LAN users to access</p><p>the internet.</p><p>C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.</p><p>D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the</p><p>Root</p><p>VDOM is used only as a management VDOM.</p><p>Answer: A</p><p>Explanation:</p><p>A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.</p><p>Incorrect:</p><p>B. A default static route is not required on the To_Internet VDOM to allow LAN users to access</p><p>the internet.</p><p>C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.</p><p>(transparent-transparent)</p><p>9 / 27</p><p>D. 
Inter-VDOM links are not required between the Root and To_Internet VDOMs because the</p><p>Root VDOM is used only as a management VDOM.</p><p>Each VDOM has independent security policies and routing tables. Also, and by default, traffic</p><p>from one VDOM cannot go to a different VDOM.</p><p>You cannot create an inter-VDOM link between Layer 2 transparent mode VDOMs. At least one</p><p>of the VDOMs must be operating in NAT mode.</p><p>Similar to FortiGate without VDOMs enabled, the management VDOM should have outgoing</p><p>internet access. Otherwise, features such as scheduled FortiGuard updates, fail.</p><p>12. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the</p><p>HA Uptime of the other FortiGate devices, it becomes the primary" The QUESTION NO: here is:</p><p>HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes)</p><p>HA age of fortinet SNxxx64682 is only 198seconds, HA by age need more than 300 seconds as</p><p>estated in the reference "If HA age difference is less than 5 minutes (300 seconds), the device</p><p>priority and FortiGate serial number selects the cluster unit to become the primary unit.</p><p>B. FortiGate devices are not in sync because one device is down. (not in exhibit)</p><p>C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime. (no greater</p><p>than 300 sec)</p><p>13. Which security feature does FortiGate provide to protect servers located in the internal</p><p>networks from attacks such as SQL injections?</p><p>A. Denial of Service</p><p>B. Web application firewall</p><p>C. Antivirus</p><p>D. Application control</p><p>Answer: B</p><p>Explanation:</p><p>Some FortiGate features are meant to protect clients, not servers. For example, FortiGuard web</p><p>filtering blocks requests based on the category of the server’s web pages. Antivirus prevents</p><p>clients from accidentally downloading spyware and worms. 
Neither protects a server (which</p><p>doesn’t send requests?it receives them) from malicious scripts or SQL injections. Protecting</p><p>web servers requires a different approach because they are subject to other kinds of attacks.</p><p>This is where WAF applies. The WAF feature is available only in proxy inspection mode.</p><p>Web Application Firewall (WAF) is a security feature that protects web applications from a</p><p>variety of attacks, including SQL injections. It analyzes and filters HTTP traffic between a web</p><p>application and the internet to block malicious attempts to exploit vulnerabilities in the</p><p>10 / 27</p><p>application. By monitoring and filtering HTTP traffic, WAF helps prevent attacks such as SQL</p><p>injections, cross-site scripting (XSS), and other web application vulnerabilities.</p><p>14. Refer to the exhibits.</p><p>The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit</p><p>B) for</p><p>Facebook.</p><p>Users are given access to the Facebook web application. They can play video content hosted</p><p>on Facebook, but they are unable to leave reactions on videos or other types of posts.</p><p>11 / 27</p><p>Which part of the policy configuration must you change to resolve the issue?</p><p>A. Force access to Facebook using the HTTP service.</p><p>B. Make the SSL inspection a deep content inspection.</p><p>C. Add Facebook in the URL category in the security policy.</p><p>D. Get the additional application signatures required to add to the security policy.</p><p>Answer: B</p><p>Explanation:</p><p>Needs SSL full inspection.</p><p>They can play video (tick) content hosted on Facebook, but they are unable to leave reactions</p><p>12 / 27</p><p>on videos</p><p>or other types of posts.</p><p>This indicate that the rule are partially working as they can watch video but can't react, i.e. liking</p><p>the content. 
So, must be an issue with the SSL inspection rather then adding an app rule.</p><p>The lock logo behind Facebook_like.Button indicates that SSL Deep Inspection is Required. All</p><p>other Application Signatures Facebook and Facebook_Video.Play does not require SSL</p><p>inspection. Hence that the users can play video content. If you look up the Application Signature</p><p>for Facebook_like.Button it will say "Requires SSL Deep Inspection".</p><p>FortiGate needs to perform full SSL inspection. Without full SSL inspection, FortiGate cannot</p><p>inspect encrypted traffic.</p><p>15. An administrator is running the following sniffer command:</p><p>diagnose sniffer packet any "host 10.0.2.10" 3</p><p>What information will be included in the sniffer output? (Choose three.)</p><p>A. IP header</p><p>B. Ethernet header</p><p>C. Packet payload</p><p>D. Application header</p><p>E. Interface name</p><p>Answer: A,B,C</p><p>Explanation:</p><p>It really depends on the Verbosity Level. This specific question for Verbosity level 3 is ABC.</p><p>C is correct:</p><p>Verbose levels in detail:</p><p>1: print header of packets.</p><p>2: print header and data from IP of packets.</p><p>3: print header and data from Ethernet of packets.</p><p>4: print header of packets with interface name.</p><p>5: print header and data from IP of packets with interface name.</p><p>6: print header and data from Ethernet of packets with interface name.</p><p>Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186</p><p>16. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using</p><p>two IPsec VPN tunnels and static routes.</p><p>All traffic must be routed through the primary tunnel when both tunnels are up. The secondary</p><p>tunnel must be used only if the primary tunnel goes down. 
In addition, FortiGate should be able</p><p>to detect a dead tunnel to speed up tunnel failover.</p><p>13 / 27</p><p>Which two key configuration changes must the administrator make on FortiGate to meet the</p><p>requirements? (Choose two.)</p><p>A. Configure a higher distance on the static route for the primary tunnel, and a lower distance</p><p>on the static route for the secondary tunnel.</p><p>B. Configure a lower distance on the static route for the primary tunnel, and a higher distance</p><p>on the</p><p>static route for the secondary tunnel.</p><p>C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.</p><p>D. Enable Dead Peer Detection.</p><p>Answer: B,D</p><p>Explanation:</p><p>To set up redundant IPsec VPN tunnels on FortiGate and meet the specified requirements, the</p><p>administrator should make the following key configuration changes:</p><p>B. Configure a lower distance on the static route for the primary tunnel, and a higher distance</p><p>on the static route for the secondary tunnel.</p><p>By configuring a lower administrative distance for the static route of the primary tunnel, the</p><p>FortiGate will prefer this route when both tunnels are up. If the primary tunnel goes down, the</p><p>higher administrative distance on the static route for the secondary tunnel will cause the</p><p>FortiGate to use the secondary tunnel.</p><p>D. Enable Dead Peer Detection.</p><p>Dead Peer Detection (DPD) should be enabled to detect the status of the VPN tunnels. If the</p><p>FortiGate detects that the primary tunnel is no longer responsive (dead), it can trigger the</p><p>failover to the secondary tunnel, ensuring a faster tunnel failover.</p><p>So, the correct choices are B and D.</p><p>17. Examine the exhibit, which shows a firewall policy configured with multiple security profiles.</p><p>14 / 27</p><p>Which two security profiles are handled by the IPS engine? (Choose two.)</p><p>A. Web Filter</p><p>B. IPS</p><p>C. 
AntiVirus</p><p>D. Application Control</p><p>Answer: B,D</p><p>Explanation:</p><p>When the FortiGate is set for proxy inspection mode, the IPS engine will handle the Application</p><p>Control and IPS security profiles.</p><p>The security profiles that will be handled by the IPS engine when the FortiGate is set for proxy</p><p>15 / 27</p><p>inspection mode are Application Control and IPS. In this mode, the FortiGate acts as an</p><p>intermediary between the client and the server, intercepting and inspecting traffic to enforce</p><p>security policies. The IPS engine is responsible for analyzing network traffic and identifying any</p><p>malicious or suspicious activity based on predefined rules and signatures.</p><p>18. Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)</p><p>A. Port block allocation</p><p>B. Fixed port range</p><p>C. One-to-one</p><p>D. Overload</p><p>Answer: A,B</p><p>Explanation:</p><p>The two IP pool types that are useful for carrier-grade NAT (CGNAT) deployments are:</p><p>A. Port block allocation</p><p>B. Fixed port range</p><p>A. Port block allocation: In this method, a range of ports is allocated to each internal IP address.</p><p>This allows multiple internal devices to share the same public IP address but use different port</p><p>ranges, enabling more efficient use of IP addresses.</p><p>B. Fixed port range: This method allocates a fixed range of ports to each internal IP address. It</p><p>is similar to port block allocation but restricts the port range to a fixed set of ports for each</p><p>internal IP address, which can be useful for certain applications or scenarios.</p><p>Both port block allocation and fixed port range allocation are commonly used in CGNAT</p><p>deployments to manage the mapping of internal private IP addresses to public IP addresses</p><p>and ports, allowing for efficient use of limited IPv4 addresses.</p><p>19. 
An administrator has configured outgoing interface any in a firewall policy.</p><p>Which statement is true about the policy list view?</p><p>A. Interface Pair view will be disabled.</p><p>B. Search option will be disabled.</p><p>C. Policy lookup will be disabled.</p><p>D. By Sequence view will be disabled.</p><p>Answer: A</p><p>Explanation:</p><p>Interface Pair view will be disabled.</p><p>Study Guide C FW Policies C Managing FW Policies C Policy List C Interface Pair View and By</p><p>Sequence.</p><p>16 / 27</p><p>FW policies appear in an organized list. The list is organized either in Interface Pair View or By</p><p>Sequence.</p><p>Usually, the list will appear in Interface Pair View. Each section contains policies for that ingress-</p><p>egress pair. Alternatively, you can view your policies as a single, comprehensive list by</p><p>selecting By Sequence at the top of the page.</p><p>In some cases, you won’t have a choice of which view is used.</p><p>If you use multiple source or destination interfaces, or the any interface, in a FW policy, policies</p><p>cannot be separated into sections by interface pairs C some would be triplets or more. So</p><p>instead, policies are then always displayed in a single list (By Sequence).</p><p>Interface Pair view will be disabled.</p><p>20. Which two statements are true when FortiGate is in transparent mode? (Choose two.)</p><p>A. By default, all interfaces are part of the same broadcast domain.</p><p>B. The existing network IP schema must be changed when installing a transparent mode</p><p>FortiGate in the network.</p><p>C. Static routes are required to allow traffic to the next hop.</p><p>D. FortiGate forwards frames without changing the MAC address.</p><p>Answer: A,D</p><p>Explanation:</p><p>The correct statements regarding FortiGate in transparent mode are:</p><p>A. By default, all interfaces are part of the same broadcast domain.</p><p>D. 
FortiGate forwards frames without changing the MAC address.</p><p>In transparent mode, FortiGate operates at Layer 2 and doesn't change the MAC addresses of</p><p>the packets it forwards. Also, all interfaces are part of the same broadcast domain by default.</p><p>This means that devices connected to different interfaces of the FortiGate can communicate</p><p>with each other as if they are on the same network segment.</p><p>21. Refer to the exhibits.</p><p>17 / 27</p><p>18 / 27</p><p>The exhibits show the firewall policies and the objects used in the firewall policies.</p><p>The administrator is using the Policy Lookup feature and has entered the search criteria shown</p><p>in the exhibit.</p><p>Which policy will be highlighted, based on the input</p><p>criteria?</p><p>A. Policy with ID 4.</p><p>B. Policy with ID 5.</p><p>C. Policies with ID 2 and 3.</p><p>D. Policy with ID 1.</p><p>Answer: B</p><p>Explanation:</p><p>Policy with ID 5.</p><p>It's coming from port 3 - hits Facebook-Web (Application) from the screenshot it show that it</p><p>allows http and https traffic (80, 443).</p><p>There are 3 rules related to port3</p><p>and two rules source LOCAL_CLIENT</p><p>this would leave us with Rule 1 & 5</p><p>Rule one Service is = ULL_UDP</p><p>Rule five = Internet Services</p><p>Destination port we are looking for is 443 (usually this is TCP)</p><p>So it had to be PID5</p><p>We are looking for a policy that will allow or deny traffic from the source interface Port3 and</p><p>19 / 27</p><p>source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com TCP port 443 (HTTPS). There</p><p>are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies</p><p>are evaluated from top to bottom. This means that the first policy that matches the traffic is</p><p>applied, and subsequent policies are not evaluated. Based on the Policy Lookup criteria, Policy</p><p>ID 5 will be highlighted.</p><p>22. 
An administrator has configured central DNAT and virtual IPs.</p><p>Which item can be selected in the firewall policy Destination field?</p><p>A. An IP pool</p><p>B. A VIP object</p><p>C. A VIP group</p><p>D. The mapped IP address object of the VIP object</p><p>Answer: D</p><p>Explanation:</p><p>- when central NAT is enabled => put the mapped IP address of the VIP object.</p><p>- when central NAT is disabled => put the VIP object.</p><p>In the context of central DNAT and virtual IPs in FortiGate, the correct option for the firewall</p><p>policy</p><p>Destination field is:</p><p>D. The mapped IP address object of the VIP object</p><p>When configuring central DNAT, you typically select the mapped IP address object associated</p><p>with the VIP object in the firewall policy Destination field. This mapped IP address represents</p><p>the internal destination to which traffic will be redirected.</p><p>So, the correct choice is D.</p><p>23. Which two statements about advanced AD access mode for the FSSO collector, agent are</p><p>true? (Choose two.)</p><p>A. FortiGate can act as an LDAP client to configure the group filters.</p><p>B. It uses the Windows convention for naming; that is, Domain\Username.</p><p>C. It supports monitoring of nested groups.</p><p>D. It is only supported if DC agents are deployed.</p><p>Answer: A,C</p><p>Explanation:</p><p>The correct statements about the advanced AD access mode for the FSSO collector agent are:</p><p>A. FortiGate can act as an LDAP client to configure the group filters.</p><p>In advanced AD access mode, FortiGate can use LDAP (Lightweight Directory Access Protocol)</p><p>20 / 27</p><p>to query</p><p>and retrieve user and group information from Active Directory for configuring group filters.</p><p>C. It supports monitoring of nested groups.</p><p>Advanced AD access mode does support monitoring of nested groups, allowing for a more</p><p>comprehensive view of user group memberships.</p><p>24. 
An administrator is configuring an Ipsec between site A and site B. The Remotes Gateway</p><p>setting in both sites has been configured as Static IP Address. For site A, the local quick mode</p><p>selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.</p><p>How must the administrator configure the local quick mode selector for site B?</p><p>A. 192.16.3.0/24</p><p>B. 192.16.2.0/24</p><p>C. 192.16.1.0/24</p><p>D. 192.16.0.0/8</p><p>Answer: B</p><p>Explanation:</p><p>The local quick mode selector for site B should be configured to match the remote quick mode</p><p>selector of site</p><p>A. In this case, the remote quick mode selector for site A is 192.16.2.0/24. Therefore, the</p><p>correct answer is: B. 192.16.2.0/24</p><p>So, the administrator should configure the local quick mode selector for site B as 192.16.2.0/24</p><p>to ensure that the IPsec VPN configuration is consistent between the two sites.</p><p>25. Refer to the exhibit.</p><p>21 / 27</p><p>22 / 27</p><p>The exhibit contains a network diagram, firewall policies, and a firewall address object</p><p>configuration. An administrator created a Deny policy with default settings to deny Webserver</p><p>access for Remote-user2. Remote-user2 is still able to access Webserver.</p><p>Which two changes can the administrator make to deny Webserver access for Remote-User2?</p><p>(Choose two.)</p><p>A. Disable match-vip in the Deny policy.</p><p>B. Set the Destination address as Deny_IP in the Allow-access policy.</p><p>C. Enable match-vip in the Deny policy.</p><p>D. Set the Destination address as Web_server in the Deny policy.</p><p>Answer: C,D</p><p>Explanation:</p><p>By default does not match vip in deny policy for destination all. So 2 options we have:</p><p>26. An organization's employee needs to connect to the office through a high-latency internet</p><p>connection.</p><p>Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation</p><p>failure?</p><p>A. 
Change the session-ttl.</p><p>B. Change the login-timeout.</p><p>C. Change the idle-timeout.</p><p>D. Change the udp-idle-timer.</p><p>Answer: B</p><p>Explanation:</p><p>Change the login-timeout.</p><p>Set up timers to avoid logouts when SSL VPN users are connected over high latency</p><p>connections. When connected to SSL VPN over high latency connections, FortiGate can time</p><p>out the client before the client can finish the negotiation process, such as DNS lookup and time</p><p>to enter a token. Two new CLI commands under "config vpn ssl settings" have been added to</p><p>address this. The first command "set login-timeout" allows you to set up the login timeout,</p><p>replacing the previous hard timeout value. The second command "set dtls-hello-timeout" allows</p><p>you to set up the maximum DTLS hello timeout for SSL</p><p>VPN connections.</p><p>27. Which of the following statements about backing up logs from the CLI and downloading logs</p><p>from the GUI are true? (Choose two.)</p><p>A. Log downloads from the GUI are limited to the current filter view</p><p>B. Log backups from the CLI cannot be restored to another FortiGate.</p><p>23 / 27</p><p>C. Log backups from the CLI can be configured to upload to FTP as a scheduled time</p><p>D. Log downloads from the GUI are stored as LZ4 compressed files.</p><p>Answer: A,B</p><p>Explanation:</p><p>A. Log downloads from the GUI are limited to the current filter view: This statement is true.</p><p>When downloading logs from the GUI, you can only download logs that match the current filter</p><p>settings.</p><p>B. 
Log backups from the CLI cannot be restored to another FortiGate: This statement is true. Log backups from the CLI are specific to the FortiGate unit they were taken from and cannot be directly restored to another FortiGate unit.</p><p>The question concerns backing up logs from the CLI and downloading logs from the GUI. C is incorrect because it describes uploading logs from the CLI, which the question does not ask about; the question asks about backing up from the CLI.</p><p>28. Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)</p><p>A. FortiManager IP address</p><p>B. FortiAnalyzer IP address</p><p>C. Pre-authorize downstream FortiGate devices</p><p>D. Fabric name</p><p>Answer: B,D</p><p>Explanation:</p><p>The correct choices for settings to configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology are:</p><p>B. FortiAnalyzer IP address - This setting is required to send logs and reports to the FortiAnalyzer for analysis and storage.</p><p>D. Fabric name - This setting is essential to identify the Security Fabric and differentiate it from other fabrics in the network.</p><p>29. Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)</p><p>A. FG-traffic</p><p>B. Mgmt</p><p>C. FG-Mgmt</p><p>D. Root</p><p>Answer: A,D</p><p>Explanation:</p><p>The Root VDOM is created by default when VDOMs are enabled.</p><p>Configure on FortiGate:</p><p>- captive portal authentication required</p><p>- Authentication failed message for Sales users</p><p>- Authentication success for HR users</p><p>- second policy used by HR users</p><p>In FortiOS, when setting up a FortiGate in split VDOM mode, the default VDOMs created are FG-traffic and Root.</p><p>So, in this case, the correct answers are A. FG-traffic and D. Root.</p><p>30. 
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)</p><p>A. Traffic to botnet servers</p><p>B. Traffic to inappropriate websites</p><p>C. Server information disclosure attacks</p><p>D. Credit card data leaks</p><p>E. SQL injection attacks</p><p>Answer: C,D,E</p><p>Explanation:</p><p>The types of traffic and attacks that can be blocked by a Web Application Firewall (WAF) profile include:</p><p>C. Server information disclosure attacks: A WAF can help block attacks attempting to disclose sensitive information about the server.</p><p>D. Credit card data leaks: A WAF can be configured to detect and block attempts to leak credit card or other sensitive data.</p><p>E. SQL injection attacks: WAFs are effective in blocking SQL injection attacks, where attackers attempt to manipulate a web application's database by injecting malicious SQL code.</p><p>Options A and B are not typically associated with the primary functions of a WAF:</p><p>A. Traffic to botnet servers: This is more often handled by network security or threat intelligence solutions than by a WAF.</p><p>B. Traffic to inappropriate websites: Blocking traffic to inappropriate websites is generally handled by content filtering or URL filtering solutions rather than a WAF.</p><p>31. Which of the following are valid actions for a FortiGuard category-based filter in a web filter profile using proxy-based inspection mode? (Choose two.)</p><p>A. Warning</p><p>B. Exempt</p><p>C. Allow</p><p>D. Learn</p><p>Answer: A,C</p><p>Explanation:</p><p>A. Warning</p><p>C. 
Allow</p><p>In a FortiGuard category-based filter in a web filter profile using proxy-based inspection mode, "Warning" displays a warning message to users attempting to access content in the selected categories, and "Allow" permits access to URLs that match the selected categories.</p><p>Exempt is not a FortiGuard category action.</p><p>So, both Warning and Allow are valid actions for FortiGuard category-based filtering in this scenario.</p><p>The actions available in proxy-based inspection mode are: Allow, Block, Monitor, Warning, and Authenticate.</p>