Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. - (Topic 3)
A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of 10.0.1.1, but gets no connectivity.
The following troubleshooting commands are executed from the CLI:
user1 # get system interface
== [ internal ]
namE. internal modE. static ip: 10.0.1.254 255.255.255.128 status: up
netbios-forwarD. disable typE. physical mtu-overridE. disable
== [ vlan1 ]
namE. vlan1 modE. static ip: 10.0.1.1 255.255.255.128 status: up netb
ios-forwarD. disable typE. vlan mtu-overridE. disable
user1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S 10.0.0.0/8 [10/0] is a summary, Null
C 10.0.1.0/25 is directly connected, vlan1
C 10.0.1.128/25 is directly connected, internal
user1 # diagnose debug flow trace start 100
user1 # diagnose debug ena
user1 # diagnose debug flow filter daddr 10.0.1.1 10.0.1.1
id=20085 trace_id=277 msg="vd-root received a packet(proto=6, 10.0.1.130
:47922->10.0.1.1:443) from internal."
id=20085 trace_id=277 msg="allocate a new session-00000b21"
id=20085 trace_id=277 msg="iprope_in_check() check failed, drop"
Based on the output from these commands, which of the following is a possible cause of the problem?
A. The FortiGate unit has no route back to the PC.
B. The PC has an IP address in the wrong subnet.
C. The PC is using an incorrect default gateway IP address.
D. There is no firewall policy allowing traffic from INTERNAL -> VLAN1.
Answer: D
Q2. - (Topic 3)
In the Tunnel Mode widget of the web portal, the administrator has configured an IP Pool and enabled split tunneling.
Which of the following statements is true about the IP address used by the SSL VPN client?
A. The IP pool specified in the SSL-VPN Tunnel Mode Widget Options will override the IP address range defined in the SSL-VPN Settings.
B. Because split tunneling is enabled, no IP address needs to be assigned for the SSL VPN tunnel to be established.
C. The IP address range specified in SSL-VPN Settings will override the IP address range in the SSL-VPN Tunnel Mode Widget Options.
Answer: A
Q3. - (Topic 1)
A client can create a secure connection to a FortiGate device using SSL VPN in web-only mode.
Which one of the following statements is correct regarding the use of web-only mode SSL VPN?
A. Web-only mode supports SSL version 3 only.
B. A Fortinet-supplied plug-in is required on the web client to use web-only mode SSL VPN.
C. Web-only mode requires the user to have a web browser that supports 64-bit cipher length.
D. The JAVA run-time environment must be installed on the client to be able to connect to a web-only mode SSL VPN.
Answer: C
Q4. - (Topic 1)
The FortiGate unit can be configured to allow authentication to a RADIUS server. The RADIUS server can use several different authentication protocols during the authentication process.
Which of the following are valid authentication protocols that can be used when a user authenticates to the RADIUS server? (Select all that apply.)
A. MS-CHAP-V2 (Microsoft Challenge-Handshake Authentication Protocol v2)
B. PAP (Password Authentication Protocol)
C. CHAP (Challenge-Handshake Authentication Protocol)
D. MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol v1)
E. FAP (FortiGate Authentication Protocol)
Answer: A,B,C,D
Q5. - (Topic 3)
Which of the following DLP actions will always be performed if it is selected?
A. Archive
B. Quarantine Interface
C. Ban Sender
D. Block
E. None
F. Ban
G. Quarantine IP Address
Answer: A
Q6. - (Topic 1)
Which of the following statements best describes the proxy behavior on a FortiGate unit during an FTP client upload when FTP splice is disabled?
A. The proxy will not allow a file to be transmitted in multiple streams simultaneously.
B. The proxy sends the file to the server while simultaneously buffering it.
C. If the file being scanned is determined to be infected, the proxy deletes it from the server by sending a delete command on behalf of the client.
D. If the file being scanned is determined to be clean, the proxy terminates the connection and leaves the file on the server.
Answer: A
Q7. - (Topic 3)
Which of the following statements is correct about configuring web filtering overrides?
A. The Override option for FortiGuard Web Filtering is available for any user group type.
B. Admin overrides require an administrator to manually allow pending override requests which are listed in the Override Monitor.
C. The Override Scopes of User and User Group are only for use when Firewall Policy Authentication is also being used.
D. Using Web Filtering Overrides requires the use of Firewall Policy Authentication.
Answer: C
Q8. - (Topic 1)
Which of the following components are contained in all FortiGate units from the FG50 models and up? (Select all that apply.)
A. FortiASIC content processor.
B. Hard Drive.
C. Gigabit network interfaces.
D. Serial console port.
Answer: A,D
Q9. - (Topic 3)
Which of the following DLP actions will override any other action?
A. Exempt
B. Quarantine Interface
C. Block
D. None
Answer: A
Q10. - (Topic 1)
What are the valid sub-types for a Firewall type policy? (Select all that apply)
A. Device Identity
B. Address
C. User Identity
D. Schedule
E. SSL VPN
Answer: A,B,C
Q11. - (Topic 2)
Which of the following statements are TRUE for Port Pairing and Forwarding Domains? (Select all that apply.)
A. They both create separate broadcast domains.
B. Port Pairing works only for physical interfaces.
C. Forwarding Domains only apply to virtual interfaces.
D. They may contain physical and/or virtual interfaces.
E. They are only available in high-end models.
Answer: A,D
Q12. - (Topic 3)
When the SSL proxy inspects the server certificate for Web Filtering only in SSL Handshake mode, which certificate field is being used to determine the site rating?
A. Common Name
B. Organization
C. Organizational Unit
D. Serial Number
E. Validity
Answer: A
Q13. - (Topic 1)
A FortiGate 60 unit is configured for your small office. The DMZ interface is connected to a network containing a web server and email server. The Internal interface is connected to a network containing 10 user workstations and the WAN1 interface is connected to your ISP.
You want to configure firewall policies so that your users can send and receive email messages to the email server on the DMZ network. You also want the email server to be able to retrieve email messages from an email server hosted by your ISP using the POP3 protocol.
Which policies must be created for this communication? (Select all that apply.)
A. Internal > DMZ
B. DMZ > Internal
C. Internal > WAN1
D. WAN1 > Internal
E. DMZ > WAN1
F. WAN1 > DMZ
Answer: A,E
Q14. - (Topic 1)
You are the administrator in charge of a FortiGate unit which acts as a VPN gateway. You have chosen to use Interface Mode when configuring the VPN tunnel and you want users from either side to be able to initiate new sessions. There is only 1 subnet at either end and the FortiGate unit already has a default route.
Which of the following configuration steps are required to achieve these objectives? (Select all that apply.)
A. Create one firewall policy.
B. Create two firewall policies.
C. Add a route for the remote subnet.
D. Add a route for incoming traffic.
E. Create a phase 1 definition.
F. Create a phase 2 definition.
Answer: B,C,E,F
Q15. - (Topic 1)
Which Fortinet products & features could be considered part of a comprehensive solution to monitor and prevent the leakage of senstive data? (Select all that apply.)
A. Archive non-compliant outgoing e-mails using FortiMail.
B. Restrict unofficial methods of transferring files such as P2P using Application Control lists on a FortiGate.
C. Monitor database activity using FortiAnalyzer.
D. Apply a DLP sensor to a firewall policy.
E. Configure FortiClient to prevent files flagged as sensitive from being copied to a USB disk.
Answer: A,B,D