Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. - (Topic 1)
Which of the following is true regarding Switch Port Mode?
A. Allows all internal ports to share the same subnet.
B. Provides separate routable interfaces for each internal port.
C. An administrator can select ports to be used as a switch.
D. Configures ports to be part of the same broadcast domain.
Answer: A
Q2. - (Topic 2)
Review the IKE debug output for IPsec shown in the Exhibit below.
Which one of the following statements is correct regarding this output?
A. The output is a Phase 1 negotiation.
B. The output is a Phase 2 negotiation.
C. The output captures the Dead Peer Detection messages.
D. The output captures the Dead Gateway Detection packets.
Answer: C
Q3. - (Topic 2)
Select the answer that describes what the CLI command diag debug authd fsso list is used for.
A. Monitors communications between the FSSO Collector Agent and FortiGate unit.
B. Displays which users are currently logged on using FSSO.
C. Displays a listing of all connected FSSO Collector Agents.
D. Lists all DC Agents installed on all Domain Controllers.
Answer: B
Q4. - (Topic 2)
Examine the exhibit shown below then answer the question that follows it.
Within the UTM Proxy Options, the CA certificate Fortinet_CA_SSLProxy defines which of the following:
A. FortiGate unit’s encryption certificate used by the SSL proxy.
B. FortiGate unit’s signing certificate used by the SSL proxy.
C. FortiGuard’s signing certificate used by the SSL proxy.
D. FortiGuard’s encryption certificate used by the SSL proxy.
Answer: A
Q5. - (Topic 3)
An administrator configures a VPN and selects the Enable IPSec Interface Mode option in the phase 1 settings.
Which of the following statements are correct regarding the IPSec VPN configuration?
A. To complete the VPN configuration, the administrator must manually create a virtual IPSec interface in Web Config under System > Network.
B. The virtual IPSec interface is automatically created after the phase1 configuration.
C. The IPSec policies must be placed at the top of the list.
D. This VPN cannot be used as part of a hub and spoke topology.
E. Routes were automatically created based on the address objects in the firewall policies.
Answer: B
Q6. - (Topic 1)
An administrator has configured a FortiGate unit so that end users must authenticate against the firewall using digital certificates before browsing the Internet. What must the user have for a successful authentication? (Select all that apply.)
A. An entry in a supported LDAP Directory.
B. A digital certificate issued by any CA server.
C. A valid username and password.
D. A digital certificate issued by the FortiGate unit.
E. Membership in a firewall user group.
Answer: B,E
Q7. - (Topic 3)
Which of the following is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying the FortiGate unit?
A. Packet encryption
B. MIB-based report uploads
C. SNMP access limits through access lists
D. Running SNMP service on a non-standard port is possible
Answer: A
Q8. - (Topic 1)
A FortiGate 100 unit is configured to receive push updates from the FortiGuard Distribution Network, however, updates are not being received. Which of the following statements are possible reasons for this? (Select all that apply.)
A. The external facing interface of the FortiGate unit is configured to use DHCP.
B. The FortiGate unit has not been registered.
C. There is a NAT device between the FortiGate unit and the FortiGuard Distribution Network.
D. The FortiGate unit is in Transparent mode.
Answer: A,B,C
Q9. - (Topic 2)
Review the CLI configuration below for an IPS sensor and identify the correct statements regarding this configuration from the choices below. (Select all that apply.)
config ips sensor
edit "LINUX_SERVER"
set comment ''
set replacemsg-group ''
set log enable
config entries
edit 1
set action default
set application all
set location server
set log enable
set log-packet enable
set os Linux set protocol all
set quarantine none
set severity all
set status default
next
end
next
end
A. The sensor will log all server attacks for all operating systems.
B. The sensor will include a PCAP file with a trace of the matching packets in the log message of any matched signature.
C. The sensor will match all traffic from the address object ‘LINUX_SERVER’.
D. The sensor will reset all connections that match these signatures.
E. The sensor only filters which IPS signatures to apply to the selected firewall policy.
Answer: B,E
Q10. - (Topic 1)
In order to match an identity-based policy, the FortiGate unit checks the IP information. Once inside the policy, the following logic is followed:
A. First, a check is performed to determine if the user’s login credentials are valid. Next, the user is checked to determine if they belong to any of the groups defined for that policy. Finally, user restrictions are determined and port, time, and UTM profiles are applied.
B. First, user restrictions are determined and port, time, and UTM profiles are applied. Next, a check is performed to determine if the user’s login credentials are valid. Finally, the user is checked to determine if they belong to any of the groups defined for that policy.
C. First, the user is checked to determine if they belong to any of the groups defined for that policy. Next, user restrictions are determined and port, time, and UTM profiles are applied. Finally, a check is performed to determine if the user’s login credentials are valid.
Answer: A
Q11. - (Topic 1)
Examine the firewall configuration shown below; then answer the question following it.
Which of the following statements are correct based on the firewall configuration illustrated in the exhibit? (Select all that apply.)
A. A user can access the Internet using only the protocols that are supported by user authentication.
B. A user can access the Internet using any protocol except HTTP, HTTPS, Telnet, and FTP. These require authentication before the user will be allowed access.
C. A user must authenticate using the HTTP, HTTPS, SSH, FTP, or Telnet protocol before they can access any services.
D. A user cannot access the Internet using any protocols unless the user has passed firewall authentication.
Answer: A,D
Q12. - (Topic 1)
An end user logs into the full-access SSL VPN portal and selects the Tunnel Mode option by clicking on the “Connect” button. The administrator has enabled split tunneling.
Given that the user authenticates against the SSL VPN policy shown in the image below, which statement below identifies the route that is added to the client’s routing table.
A. A route to destination matching the ‘WIN2K3’ address object.
B. A route to the destination matching the ‘all’ address object.
C. A default route.
D. No route is added.
Answer: A
Q13. - (Topic 1)
Which of the following statements is correct regarding a FortiGate unit operating in NAT/Route mode?
A. The FortiGate unit applies NAT to all traffic.
B. The FortiGate unit functions as a Layer 3 device.
C. The FortiGate unit functions as a Layer 2 device.
D. The FortiGate unit functions as a router and the firewall function is disabled.
Answer: B
Q14. - (Topic 2)
The eicar test virus is put into a zip archive, which is given the password of “Fortinet” in order to open the archive. Review the configuration in the exhibits shown below; then answer the question that follows.
Exhibit A – Antivirus Profile:
Exhibit B – Non-default UTM Proxy Options Profile:
Exhibit C – DLP Profile:
Which of one the following profiles could be enabled in order to prevent the file from passing through the FortiGate device over HTTP on the standard port for that protocol?
A. Only Exhibit A
B. Only Exhibit B
C. Only Exhibit C with default UTM Proxy settings.
D. All of the Exhibits (A, B and C)
E. Only Exhibit C with non-default UTM Proxy settings (Exhibit B).
Answer: C
Q15. - (Topic 1)
Which of the following antivirus and attack definition update features are supported by FortiGate units? (Select all that apply.)
A. Manual, user-initiated updates from the FortiGuard Distribution Network.
B. Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FortiGuard Distribution Network.
C. Push updates from the FortiGuard Distribution Network.
D. Update status including version numbers, expiry dates, and most recent update dates and times.
Answer: A,B,C,D