Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. - (Topic 3)
A network administrator needs to implement dynamic route redundancy between a FortiGate unit located in a remote office and a FortiGate unit located in the central office.
The remote office accesses central resources using IPSec VPN tunnels through two different Internet providers.
What is the best method for allowing the remote office access to the resources through the FortiGate unit used at the central office?
A. Use two or more route-based IPSec VPN tunnels and enable OSPF on the IPSec virtual interfaces.
B. Use two or more policy-based IPSec VPN tunnels and enable OSPF on the IPSec virtual interfaces.
C. Use route-based VPNs on the central office FortiGate unit to advertise routes with a dynamic routing protocol and use a policy-based VPN on the remote office with two or more static default routes.
D. Dynamic routing protocols cannot be used over IPSec VPN tunnels.
Answer: A
Q2. - (Topic 2)
Which of the following statements are correct regarding Application Control?
A. Application Control is based on the IPS engine.
B. Application Control is based on the AV engine.
C. Application Control can be applied to SSL encrypted traffic.
D. Application Control cannot be applied to SSL encrypted traffic.
Answer: A,C
Q3. - (Topic 1)
A FortiGate AntiVirus profile can be configured to scan for viruses on SMTP, FTP, POP3, and SMB protocols using which inspection mode?
A. Proxy
B. DNS
C. Flow-based
D. Man-in-the-middle
Answer: C
Q4. - (Topic 3)
Which of the following items are considered to be advantages of using the application control features on the FortiGate unit?
Application control allows an administor to:
A. set a unique session-ttl for select applications.
B. customize application types in a similar way to adding custom IPS signatures.
C. check which applications are installed on workstations attempting to access the network.
D. enable AV scanning per application rather than per policy.
Answer: A
Q5. - (Topic 3)
Which of the following statements is correct about how the FortiGate unit verifies username and password during user authentication?
A. If a remote server is included in a user group, it will be checked before local accounts.
B. An administrator can define a local account for which the password must be verified by querying a remote server.
C. If authentication fails with a local password, the FortiGate unit will query the authentication server if the local user is configured with both a local password and an authentication server.
D. The FortiGate unit will only attempt to authenticate against Active Directory if Fortinet Server Authentication Extensions are installed and configured.
Answer: B
Q6. - (Topic 1)
What is the FortiGate unit password recovery process?
A. Interrupt boot sequence, modify the boot registry and reboot. After changing the password, reset the boot registry.
B. Log in through the console port using the “maintainer” account within approximately 30 seconds of a reboot.
C. Hold down the CTRL + Esc (Escape) keys during reboot, then reset the admin password.
D. The only way to regain access is to interrupt the boot sequence and restore a configuration file for which the password has been modified.
Answer: B
Q7. - (Topic 2)
Shown below is a section of output from the debug command diag ip arp list.
index=2 ifname=port1 172.20.187.150 00:09:0f:69:03:7e state=00000004 use=4589 confirm=4589 update=2422 ref=1
In the output provided, which of the following best describes the IP address 172.20.187.150?
A. It is the primary IP address of the port1 interface.
B. It is one of the secondary IP addresses of the port1 interface.
C. It is the IP address of another network device located in the same LAN segment as the FortiGate unit’s port1 interface.
Answer: C
Q8. - (Topic 3)
When viewing the Banned User monitor in Web Config, the administrator notes the entry illustrated in the exhibit.
Which of the following statements is correct regarding this entry?
A. The entry displays a ban that has been added as a result of traffic triggering a configured DLP rule.
B. The entry displays a ban that was triggered by HTTP traffic matching an IPS signature.
This client is banned from receiving or sending any traffic through the FortiGate.
C. The entry displays a quarantine, which could have been added by either IPS or DLP.
D. This entry displays a ban entry that was added manually by the administrator on June11th.
Answer: A
Q9. - (Topic 3)
Which of the following statements correctly describes the deepscan option for HTTPS?
A. When deepscan is disabled, only the web server certificate is inspected; no decryption of content occurs.
B. Enabling deepscan will perform further checks on the server certificate.
C. Deepscan is only applicable to mail protocols, where all IP addresses in the header are checked.
D. With deepscan enabled, archived files will be decompressed before scanning for a more comprehensive file inspection.
Answer: A
Q10. - (Topic 3)
Which of the following tasks fall under the responsibility of the SSL proxy in a typical HTTPS connection? (Select all that apply.)
A. The web client SSL handshake.
B. The web server SSL handshake.
C. File buffering.
D. Communication with the urlfilter process.
Answer: A,B
Q11. - (Topic 1)
The FortiGate unit’s GUI provides a link to update the firmware.
Clicking this link will perform which of the following actions?
A. It will connect to the Fortinet Support site where the appropriate firmware version can be selected.
B. It will send a request to the FortiGuard Distribution Network so that the appropriate firmware version can be pushed down to the FortiGate unit.
C. It will present a prompt to allow browsing to the location of the firmware file.
D. It will automatically connect to the Fortinet Support site to download the most recent firmware version for the FortiGate unit.
Answer: C
Q12. - (Topic 3)
What advantages are there in using a fully Meshed IPSec VPN configuration instead of a hub and spoke set of IPSec tunnels?
A. Using a hub and spoke topology is required to achieve full redundancy.
B. Using a full mesh topology simplifies configuration.
C. Using a full mesh topology provides stronger encryption.
D. Full mesh topology is the most fault-tolerant configuration.
Answer: D
Q13. - (Topic 2)
Examine the Exhibits shown below, then answer the question that follows. Review the following DLP Sensor (Exhibit 1):
Review the following File Filter list for rule #1 (Exhibit 2):
Review the following File Filter list for rule #2 (Exhibit 3):
Review the following File Filter list for rule #3 (Exhibit 4):
An MP3 file is renamed to ‘workbook.exe’ and put into a ZIP archive. It is then sent through the FortiGate device over HTTP. It is intercepted and processed by the configuration shown in the above Exhibits 1-4.
Assuming the file is not too large for the File scanning threshold, what action will the FortiGate unit take?
A. The file will be detected by rule #1 as an ‘Audio (mp3)’, a log entry will be created and it will be allowed to pass through.
B. The file will be detected by rule #2 as a “*.exe”, a log entry will be created and the interface that received the traffic will be brought down.
C. The file will be detected by rule #3 as an Archive(zip), blocked, and a log entry will be created.
D. Nothing, the file will go undetected.
Answer: A
Q14. - (Topic 1)
An administrator configures a FortiGate unit in Transparent mode on the 192.168.11.0 subnet. Automatic Discovery is enabled to detect any available FortiAnalyzers on the network.
Which of the following FortiAnalyzers will be detected? (Select all that apply.)
A. 192.168.11.100
B. 192.168.11.251
C. 192.168.10.100
D. 192.168.10.251
Answer: A,B
Q15. - (Topic 3)
Which of the following represents the method used on a FortiGate unit running FortiOS version 4.2 to apply traffic shaping to P2P traffic, such as BitTorrent?
A. Apply a Traffic Shaper to a BitTorrent entry in an Application Control List.
B. Enable the Shape option in a Firewall policy with a Service set to BitTorrent.
C. Define a DLP Rule to match against BitTorrent traffic and include the rule in a DLP Sensor with Traffic Shaping enabled.
D. Specify the amount of Rate Limiting to be applied to BitTorrent traffic through the P2P settings of the Firewall Policy Protocol Options.
Answer: A