Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

Refer to The exhibit showing a FortiEDR configuration.

Based on the exhibit, which statement is correct?

A.

The presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.

B.

FortiEDR Collector will not collect OS Metadata.

C.

If a malicious file is executed and attempts to establish a connection it will generate duplicate events.

D.

If an unresolved file rule is triggered, by default the file is logged but not blocked.

Full Access
Question # 5

Refer to the exhibits.

A customer is trying to restore a VPN connection configured on a FortiGate. Exhibits show output during a troubleshooting session when the VPN was working and the current baseline VPN configuration.

Which configuration parameters will restore VPN connectivity based on the diagnostic output?

A.

B.

C.

D.

Full Access
Question # 6

You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:

Given the information shown in the output, which two statements are true? (Choose two.)

A.

Enabling bandwidth control between the ISF and the NP will change the output

B.

The output is showing a packet descriptor queue accumulated counter

C.

Enable HPE shaper for the NP6 will change the output

D.

Host-shortcut mode is enabled.

E.

There are packet drops at the XAUI.

Full Access
Question # 7

Refer to the exhibit.

The Company Corp administrator has enabled Workflow mode in FortiManager and has assigned approval roles to the current administrators. However, workflow approval does not function as expected. The CTO is currently unable to approve submitted changes.

Given the exhibit, which two possible solutions will resolve the workflow approval problems with the Workflow_72 ADOM? (Choose two.)

A.

The CTO must have a defined email address for their admin user account.

B.

The CTO and CISO need to swap Approval Groups so that the highest authority is in Group #1.

C.

The CTO must have Standard access level or higher for FortiManager.

D.

The CISO must have a higher access level than "Read_Only_User" in FortiManager.

E.

The CTO needs to be added to "Email Notification" in the Workflow_72 ADOM.

Full Access
Question # 8

Refer to the exhibit, which shows diagnostic output.

A customer reports that ICMP traffic flow from 192.168.1.11 to 93.190.134.171 is not corresponding to the SD-WAN setup.

What is the problem in this scenario?

A.

SD-WAN Rule is matching only DNS traffic.

B.

Port1 is used because it has more available bandwidth.

C.

Traffic is matched by policy route.

D.

Route for the destination IP is missing in the routing table.

Full Access
Question # 9

Refer to the exhibit of a FortiNAC configuration.

In this scenario, which two statements are correct? (Choose two.)

A.

A device that is modeled in FortiNAC is connected on VLAN 4093.

B.

An unknown host is connected to port3.

C.

The IP address of the FortiSwitch is 10.12.240.2.

D.

Port8 is connected to a FortiGate in FortiLink mode.

Full Access
Question # 10

Refer to the exhibit that shows VPN debugging output.

The VPN tunnel between headquarters and the branch office is not being established.

What is causing the problem?

A.

The Phase-1 encryption algorithms are not matching.

B.

There is no matching Diffie-Hellman Group.

C.

HQ is using IKE v1 and the branch office is using with IKE v2.

D.

There is a mismatch in the ISAKMP SA lifetime.

Full Access
Question # 11

Refer to the exhibits.

A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table-Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.

Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

A.

172.16.204.128/25

B.

172.16.201.96/29

C.

172,620,64,27

D.

172.16.204.64/27

Full Access
Question # 12

A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed.

The exhibit below shows what the IT Team provided while troubleshooting this issue:

Which statement explains why the FortiGate did not install its configuration from the FortiManager?

A.

The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager

B.

The DHCP server was not configured with the FQDN of the FortiManager

C.

The DHCP server used the incorrect option type for the FortiManager IP address.

D.

The configuration was modified on the FortiGate prior to connecting to the FortiManager

Full Access
Question # 13

Refer to the CLI output:

Given the information shown in the output, which two statements are correct? (Choose two.)

A.

Geographical IP policies are enabled and evaluated after local techniques.

B.

Attackers can be blocked before they target the servers behind the FortiWeb.

C.

The IP Reputation feature has been manually updated

D.

An IP address that was previously used by an attacker will always be blocked

E.

Reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored

Full Access
Question # 14

You have configured a Site-to-Site IPsec VPN tunnel between a FortiGate and a third-party device but notice that one of the error counters on the tunnel interface keeps increasing.

Which two configuration options can resolve this problem? (Choose two.)

A.

Enable Forward Error Correction (FEC) on the VPN interface for egress traffic.

B.

Adjust the MTU of the physical interface to which the IPsec tunnel is bound.

C.

Enable DF-bit honoring in the global settings.

D.

Adjust the MTU of the IPsec interface.

Full Access
Question # 15

Refer to the exhibit.

What is happening in this scenario?

A.

The user status changed at FortiClient EMS to off-net.

B.

The user is authenticating against a FortiGate Captive Portal.

C The user is authenticating against an IdP.

C.

The user has not authenticated on their external browser.

Full Access
Question # 16

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the OCSP server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which authentication scenario will FortiGate deny?

A.

The user certificate does not contain the OCSP URL.

B.

FortiAuthenticator responds to an OCSP request that the user certificate authority is untrusted.

C.

FortiAuthenticator responds to an OCSP request that the user certificate status is unknown.

Full Access
Question # 17

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

A.

OCSP checks will always go to the configured FortiAuthenticator

B.

The OCSP check of the certificate can be combined with a certificate revocation list.

C.

OCSP certificate responses are never cached by the FortiGate.

D.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Full Access
Question # 18

Refer to the exhibits.

You are configuring a Let's Encrypt certificate to enable SSL protection to your website. When FortiWeb tries to retrieve the certificate, you receive a certificate status failed, as shown below.

Based on the Server Policy settings shown in the exhibit, which two configuration changes will resolve this issue? (Choose two.)

A.

Disable Redirect HTTP to HTTPS in the Server Policy.

B.

Remove the Web Protection Profile from this Server Policy.

C.

Enable HTTP service in the Server Policy.

D.

Configure a TXT record of the domain and point to the IP address of the Virtual Server.

Full Access
Question # 19

Refer to the exhibit.

You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:

FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?

A.

Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.

B.

Objects from the root FortiGate will only be synchronized to FGT__2.

C.

Objects from the root FortiGate will not be synchronized to any downstream FortiGate.

D.

Objects from the root FortiGate will only be synchronized to FGT_3.

Full Access
Question # 20

A FortiGate deployment contains the following configuration:

What is the result of this configuration?

A.

Route-maps are not configurable in VDOM SERVICES

B.

Route-maps from the Root VDOM configuration are available in VDOM SERVICES

C.

Route-maps from VDOM SERVICES are available in all other VDOMs

D.

Route-maps for VDOM SERVICES are excluded from HA configuration synchronization

Full Access
Question # 21

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

A.

Change the Adaptive Mode.

B.

Create an HA setup with a second FortiDDoS 200F

C.

Move the internet connection from the SFP interfaces to the LC interfaces

D.

Replace with a FortiDDoS 1500F

Full Access
Question # 22

Refer to the exhibit.

You need to create a base SD-WAN configuration that includes SD-WAN rules and Performance SLAs for spoke sites with various connectivity types. It needs to be done in a way that can be easily applied to new sites with a minimum amount of change. How should you create the SD-WAN zones?

A.

With members and assign overlay interfaces

B.

With members without interface assignments

C.

With no members configured

D.

With members and assign interfaces but do not specify a gateway

Full Access
Question # 23

A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with the 'curl' utility:

Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)

A.

Only users with the "Full permission" role can access the REST API

B.

This API call will fail because it requires that API version 2

C.

If the REST API web service access key is lost, it cannot be retrieved and must be changed.

D.

The syntax is incorrect because the API calls needs the get method.

Full Access
Question # 24

Refer to the exhibit.

The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.

Referring to the exhibit, which two actions will fix these errors? (Choose two.)

A.

Verify that the CRL is accessible from the root FortiGate

B.

Export and import the FortiClient EMS server certificate to the root FortiGate.

C.

Install a new known CA on the Win2K16-EMS server.

D.

Authorize the root FortiGate on the FortiClient EMS

Full Access
Question # 25

Refer to the exhibit, which shows an SD-WAN configuration.

You configured the SD-WAN from Branch1 to the HUB and enabled packet duplication. You later notice that the traffic is not being duplicated. In this scenario, what is causing this problem?

A.

There is a mismatch in the FortiOS version between Branch1 and HUB.

B.

Traffic cannot be duplicated over multiple zones.

C.

Packet duplication is not enabled on the HUB side.

D.

Packet duplication did not occur because an interface is out of SLA.

Full Access
Question # 26

Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.

The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.

Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 27

A Hub FortiGate is connecting multiple branch FortiGate devices separating the traffic centrally in unique VRFs. Routing information is exchanged using BGP between the Hub and the Branch FortiGate devices.

You want to efficiently enable route leaking of specific routes between the VRFs.

Which two steps are required to achieve this requirement? (Choose two.)

A.

Create a vdom link between VRF10 and VRF12

B.

Enable Multi-VDOM mode on the Hub FortiGate and add a VDOM to connect VRF10 and VRF12

C.

Enable BGP recursive routing on the HUB FortiGate

D.

Configure route-maps to leak the selected routes using BGP

Full Access
Question # 28

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license.

Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)

A.

Migrate the FortiGate to an Azure F4s_v2.

B.

Enable "Accelerated networking" on the Azure network interfaces.

C.

Enable SR-IOV on the FortiGate.

D.

Migrate the FortiGate to an Azure D8s_v3.

Full Access
Question # 29

Refer to the exhibit.

You are managing a FortiSwitch 3032E that is managed by FortiLink on a FortiGate 3960E. The 3032E is heavily utilized and there is only one port free.

The requirement is to add an additional three FortiSwitch 448E devices with 10Gbps SFP+ connectivity directly to the 3032E. The plan is to use split port (phy-mode) with QSFP28 mode to connect the new 448E switches.

In this scenario, which statement about the switch deployment is correct?

A.

Additional ports on Switch 1 can be split for a maximum of 128 interfaces.

B.

The port most of Switch 1 must be changed to QSFP.

C.

After enabling split ports and rebooting Switch 1, the new ports can be configured from the FortiGate.

D.

Switches 2-4 will connect successfully with Switch 1 split port in QSFP28 mode.

Full Access
Question # 30

Refer to the exhibit showing FortiGate configurations

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.

The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.

What change will correct HA functionality in this scenario?

A.

Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

B.

Make the monitored IP to match on both FortiManager devices.

C.

Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.

D.

Change the priority of FMG-A to be numerically lower for higher preference

Full Access
Question # 31

Refer to the exhibit, which shows a VPN topology.

The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50

Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

A.

All the session traffic will pass through the Hub

B.

The TCP port 21 must be allowed on the NAT Device2

C.

ADVPN is not supported when spokes are behind NAT

D.

Spoke1 will establish an ADVPN shortcut to Spoke2

Full Access