Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. - (Topic 10)
Which statements are correct regarding application control? (Choose two.)
A. It is based on the IPS engine.
B. It is based on the AV engine.
C. It can be applied to SSL encrypted traffic.
D. Application control cannot be applied to SSL encrypted traffic.
Answer: A,C
Q2. - (Topic 15)
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit.
Which statements is correct regarding this output? (Select one answer).
A. One tunnel is rekeying.
B. Two tunnels are rekeying.
C. Two tunnels are up.
D. One tunnel is up.
Answer: C
Q3. - (Topic 11)
Examine the static route configuration shown below; then answer the question following it. config router static edit 1 set dst 172.20.1.0 255.255.255.0 set device port1 set gateway 172.11.12.1 set distance 10 set weight 5 next edit 2 set dst 172.20.1.0 255.255.255.0 set blackhole enable set distance 5 set weight 10 next end Which of the following statements correctly describes the static routing configuration
provided? (Choose two.)
A. All traffic to 172.20.1.0/24 is dropped by the FortiGate.
B. As long as port1 is up, all traffic to 172.20.1.0/24 is routed by the static route number 1. If the interface port1 is down, the traffic is routed using the blackhole route.
C. The FortiGate unit does NOT create a session entry in the session table when the traffic is being routed by the blackhole route.
D. The FortiGate unit creates a session entry in the session table when the traffic is being
routed by the blackhole route.
Answer: A,C
Q4. - (Topic 21)
Which statements are correct regarding an IPv6 over IPv4 IPsec configuration? (Choose two.)
A. The source quick mode selector must be an IPv4 address.
B. The destination quick mode selector must be an IPv6 address.
C. The Local Gateway IP must be an IPv4 address.
D. The remote gateway IP must be an IPv6 address.
Answer: B,C
Q5. - (Topic 2)
Which is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying a FortiGate unit?
A. MIB-based report uploads.
B. SNMP access limited by access lists.
C. Packet encryption.
D. Running SNMP service on a non-standard port is possible.
Answer: C
Q6. - (Topic 16)
Examine the following log message for IPS:
2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"
Which statement is correct about the above log? (Choose two.)
A. The target is 192.168.3.168.
B. The target is 192.168.3.170.
C. The attack was NOT blocked.
D. The attack was blocked.
Answer: B,C
Q7. - (Topic 5)
Regarding tunnel-mode SSL VPN, which three statements are correct? (Choose three.)
A. Split tunneling is supported.
B. It requires the installation of a VPN client.
C. It requires the use of an Internet browser.
D. It does not support traffic from third-party network applications.
E. An SSL VPN IP address is dynamically assigned to the client by the FortiGate unit.
Answer: A,B,E
Q8. - (Topic 15)
Which statement is an advantage of using a hub and spoke IPsec VPN configuration
instead of a fully-meshed set of IPsec tunnels?
A. Using a hub and spoke topology provides full redundancy.
B. Using a hub and spoke topology requires fewer tunnels.
C. Using a hub and spoke topology uses stronger encryption protocols.
D. Using a hub and spoke topology requires more routes.
Answer: B
Q9. - (Topic 1)
When creating FortiGate administrative users, which configuration objects specify the account rights?
A. Remote access profiles.
B. User groups.
C. Administrator profiles.
D. Local-in policies.
Answer: C
Q10. - (Topic 22)
Which statements are true about offloading antivirus inspection to a Security Processor (SP)? (Choose two.)
A. Both proxy-based and flow-based inspection are supported.
B. A replacement message cannot be presented to users when a virus has been detected.
C. It saves CPU resources.
D. The ingress and egress interfaces can be in different SPs.
Answer: B,C
Q11. - (Topic 14)
The exhibit shows the Disconnect Cluster Member command in a FortiGate unit that is part of a HA cluster with two HA members.
What is the effect of the Disconnect Cluster Member command as given in the exhibit. (Choose two.)
A. Port3 is configured with an IP address for management access.
B. The firewall rules are purged on the disconnected unit.
C. The HA mode changes to standalone.
D. The system hostname is set to the unit serial number.
Answer: A,C
Q12. - (Topic 6)
An administrator wants to create an IPsec VPN tunnel between two FortiGate devices.
Which three configuration steps must be performed on both units to support this scenario? (Choose three.)
A. Create firewall policies to allow and control traffic between the source and destination IP addresses.
B. Configure the appropriate user groups to allow users access to the tunnel.
C. Set the operating mode to IPsec VPN mode.
D. Define the phase 2 parameters.
E. Define the Phase 1 parameters.
Answer: A,D,E
Q13. - (Topic 4)
The FortiGate port1 is connected to the Internet. The FortiGate port2 is connected to the internal network. Examine the firewall configuration shown in the exhibit; then answer the question below.
Based on the firewall configuration illustrated in the exhibit, which statement is correct?
A. A user that has not authenticated can access the Internet using any protocol that does not trigger an authentication challenge.
B. A user that has not authenticated can access the Internet using any protocol except HTTP, HTTPS, Telnet, and FTP.
C. A user must authenticate using the HTTP, HTTPS, SSH, FTP, or Telnet protocol before they can access all Internet services.
D. DNS Internet access is always allowed, even for users that has not authenticated.
Answer: D
Q14. - (Topic 20)
Examine at the output below from the diagnose sys top command: # diagnose sys top 1 Run Time: 11 days, 3 hours and 29 minutes 0U, 0N, 1S, 99I; 971T, 528F, 160KF sshd 123 S 1.9 1.2 ipsengine 61 S < 0.0 5.2 miglogd 45 S 0.0 4.9
pyfcgid 75 S 0.0 4.5
pyfcgid 73 S 0.0 3.9
Which statements are true regarding the output above? (Choose two.)
A. The sshd process is the one consuming most CPU.
B. The sshd process is using 123 pages of memory.
C. The command diagnose sys kill miglogd will restart the miglogd process.
D. All the processes listed are in sleeping state.
Answer: A,D
Q15. - (Topic 7)
Which statements regarding banned words are correct? (Choose two.)
A. Content is automatically blocked if a single instance of a banned word appears.
B. The FortiGate updates banned words on a periodic basis.
C. The FortiGate can scan web pages and email messages for instances of banned words.
D. Banned words can be expressed as simple text, wildcards and regular expressions.
Answer: C,D
Q16. - (Topic 4)
What methods can be used to deliver the token code to a user that is configured to use two-factor authentication? (Choose three.)
A. Browser pop-up window.
B. FortiToken.
C. Email.
D. Code books.
E. SMS phone message.
Answer: B,C,E