Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. - (Topic 3)
An issue could potentially occur when clicking Connect to start tunnel mode SSL VPN. The tunnel will start up for a few seconds, then shut down.
Which of the following statements best describes how to resolve this issue?
A. This user does not have permission to enable tunnel mode. Make sure that the tunnel mode widget has been added to that user's web portal.
B. This FortiGate unit may have multiple Internet connections. To avoid this problem, use the appropriate CLI command to bind the SSL VPN connection to the original incoming interface.
C. Check the SSL adaptor on the host machine. If necessary, uninstall and reinstall the adaptor from the tunnel mode portal.
D. Make sure that only Internet Explorer is used. All other browsers are unsupported.
Answer: B
Q2. - (Topic 1)
Which of the following options can you use to update the virus definitions on a FortiGate unit? (Select all that apply.)
A. Push update
B. Scheduled update
C. Manual update
D. FTP update
Answer: A,B,C
Q3. - (Topic 2)
With FSSO, a domain user could authenticate either against the domain controller running the Collector Agent and Domain Controller Agent, or a domain controller running only the Domain Controller Agent.
If you attempt to authenticate with the Secondary Domain Controller running only the Domain Controller Agent, which of the following statements are correct? (Select all that apply.)
A. The login event is sent to the Collector Agent.
B. The FortiGate unit receives the user information from the Domain Controller Agent of the Secondary Controller.
C. The Collector Agent performs the DNS lookup for the authenticated client’s IP address.
D. The user cannot be authenticated with the FortiGate device in this manner because each Domain Controller Agent requires a dedicated Collector Agent.
Answer: A,C
Q4. - (Topic 2)
Examine the static route configuration shown below; then answer the question following it.
config router static
edit 1
set dst 172.20.1.0 255.255.255.0
set device port1
set gateway 172.11.12.1
set distance 10
set weight 5
next
edit 2
set dst 172.20.1.0 255.255.255.0
set blackhole enable
set distance 5
set weight 10
next
end
Which of the following statements correctly describes the static routing configuration provided? (Select all that apply.)
A. All traffic to 172.20.1.0/24 will always be dropped by the FortiGate unit.
B. As long as port1 is up, all the traffic to 172.20.1.0/24 will be routed by the static route number 1. If the interface port1 is down, the traffic will be routed using the blackhole route.
C. The FortiGate unit will NOT create a session entry in the session table when the traffic is being routed by the blackhole route.
D. The FortiGate unit will create a session entry in the session table when the traffic is being routed by the blackhole route.
E. Traffic to 172.20.1.0/24 will be shared through both routes.
Answer: A,C
Q5. - (Topic 1)
Which of the following pieces of information can be included in the Destination Address field of a firewall policy? (Select all that apply.)
A. An IP address pool.
B. A virtual IP address.
C. An actual IP address or an IP address group.
D. An FQDN or Geographic value(s).
Answer: B,C,D
Q6. - (Topic 1)
A FortiGate unit can provide which of the following capabilities? (Select all that apply.)
A. Email filtering
B. Firewall
C. VPN gateway
D. Mail relay
E. Mail server
Answer: A,B,C
Q7. - (Topic 3)
Based on the web filtering configuration illustrated in the exhibit,
which one of the following statements is not a reasonable conclusion?
A. Users can access both the www.google.com site and the www.fortinet.com site.
B. When a user attempts to access the www.google.com site, the FortiGate unit will not perform web filtering on the content of that site.
C. When a user attempts to access the www.fortinet.com site, any remaining web filtering will be bypassed.
D. Downloaded content from www.google.com will be scanned for viruses if antivirus is enabled.
Answer: B
Q8. - (Topic 3)
Bob wants to send Alice a file that is encrypted using public key cryptography.
Which of the following statements is correct regarding the use of public key cryptography in this scenario?
A. Bob will use his private key to encrypt the file and Alice will use her private key to decrypt the file.
B. Bob will use his public key to encrypt the file and Alice will use Bob's private key to decrypt the file.
C. Bob will use Alice's public key to encrypt the file and Alice will use her private key to decrypt the file.
D. Bob will use his public key to encrypt the file and Alice will use her private key to decrypt the file.
E. Bob will use Alice's public key to encrypt the file and Alice will use Bob's public key to decrypt the file.
Answer: C
Q9. - (Topic 2)
Which of the following represents the correct order of criteria used for the selection of a Master unit within a FortiGate High Availability (HA) cluster when master override is disabled?
A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number
B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number
C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number
D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number
Answer: B
Q10. - (Topic 3)
The following diagnostic output is displayed in the CLI:
diag firewall auth list
policy iD. 9, srC. 192.168.3.168, action: accept, timeout: 13427
user: forticlient_chk_only, group:
flag (80020): auth timeout_ext, flag2 (40): exact
group iD. 0, av group: 0
----- 1 listed, 0 filtered ------
Based on this output, which of the following statements is correct?
A. Firewall policy 9 has endpoint compliance enabled but not firewall authentication.
B. The client check that is part of an SSL VPN connection attempt failed.
C. This user has been associated with a guest profile as evidenced by the group id of 0.
D. An auth-keepalive value has been enabled.
Answer: A
Q11. - (Topic 1)
When firewall policy authentication is enabled, only traffic on supported protocols will trigger an authentication challenge.
Select all supported protocols from the following:
A. SMTP
B. SSH
C. HTTP
D. FTP
E. SCP
Answer: C,D
Q12. - (Topic 1)
An administrator wants to assign a set of UTM features to a group of users. Which of the following is the correct method for doing this?
A. Enable a set of unique UTM profiles under "Edit User Group".
B. The administrator must enable the UTM profiles in an identity-based policy applicable to the user group.
C. When defining the UTM objects, the administrator must list the user groups which will use the UTM object.
D. The administrator must apply the UTM features directly to a user object.
Answer: B
Q13. - (Topic 1)
A FortiAnalyzer device could use which security method to secure the transfer of log data from FortiGate devices?
A. SSL
B. IPSec
C. direct serial connection
D. S/MIME
Answer: B
Q14. - (Topic 1)
Which of the following statements best describes the green status indicators that appear next to different FortiGuard Distribution Network services as illustrated in the exhibit?
A. They indicate that the FortiGate unit is able to connect to the FortiGuard Distribution Network.
B. They indicate that the FortiGate unit has the latest updates that are available from the FortiGuard Distribution Network.
C. They indicate that updates are available and should be downloaded from the FortiGuard Distribution Network to the FortiGate unit.
D. They indicate that the FortiGate unit is in the process of downloading updates from the FortiGuard Distribution Network.
Answer: A
Q15. - (Topic 3)
Which of the following statements best decribes the proxy behavior on a FortiGate unit during an FTP client upload when FTP splice is disabled?
A. The proxy buffers the entire file from the client, only sending the file to the server if the file is clean. One possible consequence of buffering is that the server could time out.
B. The proxy sends the file to the server while simultaneously buffering it.
C. The proxy removes the infected file from the server by sending a delete command on behalf of the client.
D. If the file being scanned is determined to be clean, the proxy terminates the connection and leaves the file on the server.
Answer: A