Test title: completans_v01
Description: segundaposta
Creation date: 10/09/2024
Category: Animation
Number of questions: 100
Contents:

You deployed a fully loaded FG-7121F in the data center and enabled sslvpn-load-balance. Based on the behavior of this feature, which statement is correct?
- You can use src-ip or dst-ip-dport on dp-load-distribution-method to make SSL VPN load balancing work as expected.
- If an FPM goes down, SSL VPN IP pool IP address will be re-allocated to the remaining FPMs.
- Enabling SSL VPN load balancing will clear the session table.
- To have better traffic distribution you should use IP pools that increment in multiples of 12.

Refer to the exhibits. You must integrate a FortiMail and FortiSandbox Enhanced Cloud solution for a customer who is concerned about the e-mail being delayed for too long. According to the configuration shown in the exhibits, which would be an expected behavior?
- FortiMail will ignore the timeout value if content disarm and reconstruction (CDR) is enabled.
- FortiMail will relay valid e-mails to the server as soon as it is done with other local inspections.
- If an attachment is sent to the FortiSandbox while the job queue is full, the email might be delayed for up to 30 minutes; after that the e-mail will be relayed to the mail server.
- FortiMail will not wait for result only for attachments that have been already submitted to the FortiSandbox in the last 60 minutes.

Refer to the exhibit, which shows a topology diagram. A customer wants to use SD-WAN for traffic generated from the data center towards Branches. SD-WAN on HUB should follow the underlay condition on each Branch and the solution should be scalable for hundreds of Branches. Which SD-WAN rules strategy should be used?
- Lowest Cost SLA
- Manual Based on route-tags
- Best Quality based on route-tags
- Auto Based on link quality

Refer to the exhibit showing a FortiEDR configuration. Based on the exhibit, which statement is correct?
- FortiEDR collector will not collect OS Metadata.
- The presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.
- If an unresolved file rule is triggered, by default the file is logged but not blocked.
- If a malicious file is executed and attempts to establish a connection it will generate duplicate events.

A customer has FortiAP devices in three offices managed from a FortiGate in the HQ. Each FortiAP is connected to a dedicated management VLAN. The customer wants the users connected to the FortiAP SSIDs to use the branch local internet connection, but each branch uses a different VLAN ID for the bridge. HQ users travel to different branches and connect to the same SSID. Which configuration option will solve this requirement?
- Set a FortiAuthenticator for 802.1x authentication with the Tunnel-Type attribute set to VLAN and use set dynamic-vlan enable on the VAP configuration.
- Use set vlan-pooling hash on the VAP configuration with the corresponding vlan-pool.
- Use set vlan-pooling round-robin on the VAP configuration with the corresponding vlan-pool.
- Set each FortiAP to a wtp-group and use set vlan-pooling wtp-group on the VAP configuration with the corresponding VLAN ID configuration for each group.

A FortiGate must be configured to accept VoIP traffic which will include session initiation protocol (SIP) traffic. Which statement about VoIP configuration options is correct?
- By default VoIP traffic will be processed using the SIP Session Helper.
- Restricting SIP requests is only possible when using the SIP Session Helper.
- FortiOS cannot accept SIP traffic if both the SIP Session Helper and the application layer gateway (ALG) are disabled.
- Rate tracking of SIP requests is only possible when the application layer gateway (ALG) is set to Flow mode.

Review the Application Control log: which configuration causes the IPS engine to generate this log?
- config ips global set exclude-signatures none
- config ips global set database extended
- config ips global set inspect-mode full
- config ips global set anomaly-mode continuous

Which two statements about bounce address tagging and verification (BATV) on FortiMail are true? (Choose two.)
- FortiMail will insert the BATV tag to the sender address in the envelope.
- Emails with an empty sender address will be subjected to bounce verification.
- You must publish the BATV public key as a DNS TXT record.
- BATV must be enabled in a session profile applied to an inbound IP policy.

Refer to the exhibit. Company Corp was visited by an external risk assessment auditor and informed that change control and auditing must be enabled in FortiManager to meet new compliance procedures. The administrator has enabled Workflow mode in FortiManager and has assigned approval roles to the current administrators. However, workflow approval does not function as expected. The CTO is currently unable to approve submitted changes. Given the exhibit, which two possible solutions will resolve the workflow approval problems with the Workflow_72 ADOM? (Choose two.)
- The CTO must have a defined email address for the admin user account.
- The CISO must have a higher access level than Read_Only_User in FortiManager.
- The CTO and CISO need to swap Approval Groups so that the highest authority is in Group #1.
- The CTO needs to be added to "Email Notification" in the Workflow_72 ADOM.
- The CTO must have Standard level or higher for FortiManager.

You have configured a Site-to-Site IPsec VPN tunnel between a FortiGate and a third-party device but notice that one of the error counters on the tunnel interface keeps increasing.

    VPN-TUNNEL Link encap: Unknown
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1420 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets: 337 errors: 4 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen: 0
    RX bytes: 451856798 (430.9 MB) TX bytes:266756340 (254.4 MB)

Which three configuration options can resolve this problem? (Choose three.)
- Enable Forward Error Correction (FEC) on the VPN interface for ingress traffic.
- Enable Forward Error Correction (FEC) on the VPN interface for egress traffic.
- Adjust the MTU of the IPsec interface.
- Disable DF-bit honoring in the global settings.
- Adjust the MTU of the physical interface to which the IPsec tunnel is bound.

You configured a FortiADC in a one-arm deployment load balancing two IIS Windows servers in a DMZ behind an existing FortiGate. The Virtual IP and firewall policy in the FortiGate have been properly configured to point incoming web traffic to the correct FortiADC virtual server IP. The FortiADC and IIS server logs show incoming traffic, but the client devices did not receive any response traffic. Which two options are possible reasons for this behavior? (Choose two.)
- Packet Forwarding Method is set to DNAT on the FortiADC but the FortiGate is blocking asymmetric traffic.
- Packet Forwarding Method is set to Full NAT on the FortiADC but the NAT Source Pool List is set to the FortiADC interface IP.
- Packet Forwarding Method is set to Full NAT on the FortiADC but X-Forwarded-For is not enabled.
- Packet Forwarding Method is set to Direct Routing on the FortiADC but DSR is not configured on the IIS Server.

Refer to the exhibits, which show a topology and diagnostic commands. Which two statements about the path resolution are true? (Choose two.)
- Packet-loss is the quality criteria.
- Latency is the quality criteria.
- wan1 is currently used as an outgoing interface.
- wan2 is currently used as an outgoing interface.

Refer to the exhibit, which shows diagnostic output. A customer reports that ICMP traffic flow is not corresponding to the SD-WAN setup. What is the problem in this scenario?
- Route for the destination IP is missing in the routing table
- Port1 is used because it has more available bandwidth
- Traffic is matched by policy route
- SD-WAN Rule is matching only DNS traffic.

Refer to the exhibits. You are configuring a Let's Encrypt certificate to enable SSL protection to your website. When FortiWeb tries to retrieve the certificate, you receive a certificate status failed, as shown below.
Based on the Server Policy settings shown in the exhibit, which two configuration changes will resolve this issue? (Choose two.)
- Enable HTTP service in the Server Policy.
- Configure a TXT record of the domain and point to the IP address of the Virtual Server.
- Disable Redirect HTTP to HTTPS in the Server Policy.
- Remove the Web Protection Profile from this Server Policy.

Refer to the exhibit. An administrator discovers that CPU utilization of a FortiGate-200F is high and determines that no traffic is being accelerated by hardware. Given the exhibit, why is no traffic being accelerated by hardware?
- per-session-accounting is enabled under np6xlite config.
- strict-dirty-session-check is enabled in global config.
- delay-tcp-npu-session is enabled under the firewall policy.
- check-protocol-header is set to strict in the global config.

Refer to the exhibits. The exhibits show the configuration and debug output from a FortiGate Public SDN Connector. What is a possible reason for this dynamic address object to be empty?
- Only Private IP is in the scope of the predefined Owner role.
- The Application ID and Client secret are incorrect.
- The App registration does not have a role with necessary read permissions on the resource group.
- The Filter should be set to Category=Servers.

Refer to the exhibit, which shows an SD-WAN configuration. You configured the SD-WAN from Branch1 to the HUB and enabled packet duplication. You later notice that the traffic is not being duplicated. In this scenario, what is causing this problem?
- Packet duplication is not enabled on the HUB side.
- Packet duplication did not occur because an interface is out of SLA.
- There is a mismatch in the FortiOS version between Branch1 and HUB.
- Traffic cannot be duplicated over multiple zones.

A FortiGate running FortiOS 7.2.0 GA is configured in multi-vdom mode with a vdom set to vdom type Admin and another vdom set to vdom type Traffic. Which two GUI sections are available on both VDOM types?
(Choose two.)
- Security Fabric topology and external connectors
- Interface configuration
- Packet capture
- Certificates
- FortiClient configuration.

Refer to the exhibits. The exhibit shows a FortiGate model device that will be used for zero touch provisioning and a CLI Template. To facilitate a more efficient roll out of FortiGate devices, you are tasked with using meta fields with the CLI Template to configure the DHCP server on the "office1" FortiGate. Given this scenario, what would be the output of the CLI Template once it has been applied to the "office1" FortiGate?
- config system dhcp server
      edit 1
          set dns-service default
          set default-gateway 10.10.1.1
          set netmask 255.255.255.0
          set interface "internal"
          config ip-range
              edit 1
                  set start-ip 10.10.1.10
                  set end-ip 10.10.1.111
              next
          end
      next
  end
- config system dhcp server
      edit 1
          set dns-service default
          set default-gateway 10.10.1.1
          set netmask 255.255.255.0
          set interface "internal"
          config ip-range
              edit 1
                  set start-ip 10.10.1.3
                  set end-ip 10.10.1.5
              next
          end
      next
  end
- config system dhcp server
      edit 1
          set dns-service default
          set default-gateway 10.10.1.1
          set netmask 255.255.255.0
          set interface "internal"
          config ip-range
              edit 1
                  set start-ip 10.10.1.11
                  set end-ip 10.10.1.111
              next
          end
      next
  end

Your organization wants you to create a base SD-WAN configuration for spoke sites, including SD-WAN rules and Performance SLAs. It needs to be done in a way that can be easily ported to new sites with the minimum amount of change. How should you create the SD-WAN zones?
- With members without interface assignments
- With no members configured
- With members and assign interfaces but do not specify a gateway
- With members and assign overlay interfaces.

Refer to the exhibit. A customer wants to automate the creation and configuration of FortiGate VM instances in a VMware vCenter environment using Terraform. They have the creation part working with the code shown in the exhibit.
Which code snippet will allow Terraform to automatically connect to a newly deployed FortiGate if its IP was dynamically assigned by VMware NSX-T?
- provider "fortinet_fortigate" {
    hostname = module.vsphere_virtual_machine.default_ip_address
    token    = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
    insecure = "true"
  }
- provider "fortios" {
    hostname = module.vsphere_virtual_machine.default_ip_address
    token    = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
    insecure = "true"
  }
- provider "fortinet_fortigate" {
    hostname = vsphere_virtual_machine.vm.default_ip_address
    token    = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
    insecure = "true"
  }
- provider "fortios" {
    hostname = vsphere_virtual_machine.vm.default_ip_address
    token    = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
    insecure = "true"
  }

Refer to the exhibit, which shows a FortiGate configuration snippet. A customer in Costa Rica has a FortiGate with SD-WAN configured to use a VPN connection to the United States to browse the internet using a public IP from that country. They would like to enable the SD-WAN rule using a webhook. Which configuration must be added to the FortiGate, and which curl command must be used to accomplish that? (Choose two.)
- Add to the FortiGate the configuration:
      config system automation-trigger
          edit "Enable USA Browsing webhook"
              set event-type incoming-webhook
          next
      end
      config system automation-stitch
          edit "Enable USA Browsing"
              set trigger "Enable USA Browsing webhook"
              config actions
                  edit 1
                      set action "Enable USA Browsing script"
                      set required enable
                  next
              end
          next
      end
- On the web server use the command:
      curl -X GET 'https://192.168.1.99/api/v2/monitor/system/automation-stitch/webhook/Enable%20USA%20Browsing' -H 'Authorization: Bearer HNOpffsbgggayn3dHcshQQkg5nklff'
- Add to the FortiGate the configuration:
      config system automation-trigger
          edit "Enable USA Browsing"
              set event-type incoming-webhook
          next
      end
      config system automation-stitch
          edit "Enable USA Browsing stitch"
              set trigger "Enable USA Browsing"
              config actions
                  edit 1
                      set action "Enable USA Browsing script"
                      set required enable
                  next
              end
          next
      end
- On the web server use the command:
      curl -X POST 'https://192.168.1.99/api/v2/monitor/system/automation-stitch/webhook/Enable%20USA%20Browsing' -H 'Authorization: Bearer HNOpffsbgggayn3dHcshQQkg5nklff'

Refer to the exhibits. The exhibits show a routing scenario and a debug output. A customer reports that if the Spoke-1 stops working on ISP-2 and the Spoke-2 stops working on ISP-1, traffic between clients stops passing through the VPN. Based on debug output in Exhibit B, what should you do to correct the situation?
- Enable iBGP multipath
- Enable next-hop-self feature on the DC
- Enable additional-path feature
- Enable recursive resolution for BGP routes.

Refer to the exhibit showing a FortiView monitor screen. After a Secure SD-WAN implementation a customer reports that in FortiAnalyzer under FortiView Secure SD-WAN Monitor there is No Device for selection. What can cause this issue?
- Extended logging is not enabled on FortiGate
- Upload option from FortiGate to FortiAnalyzer is not set as a real time
- sla-fail-log-period and sla-pass-log-period on FortiGate health check is not set
- ADOM 1 is set as a Fabric ADOM.

You are performing a packet capture on a FortiGate 2600F with the hyperscale licensing installed. You need to display on screen all egress/ingress packets from the port16 interface that have been offloaded to the NP7. Which three commands need to be run? (Choose three.)
- diagnose npu sniffer filter dir 2
- diagnose sniffer packet port16
- diagnose npu sniffer filter dir 0
- diagnose sniffer packet npudbg

A FortiGate deployment contains the following configuration:

    config system vdom-exception
        edit 1
            set object router.route-map
            set scope inclusive
            set vdom SERVICES
        next
    end

What is the result of this configuration?
- Route-maps from VDOM SERVICES are available in all other VDOMs
- Route-maps for VDOM SERVICES are excluded from HA configuration synchronization
- Route-maps from the Root VDOM configuration are available in VDOM SERVICES
- Route-maps are not configurable in VDOM SERVICES.

Refer to the exhibit. You are managing a FortiSwitch 3032E that is managed by FortiLink on a FortiGate 3960E. The 3032E is heavily utilized and there is only one port free. The requirement is to add an additional three FortiSwitch 448E devices with 10Gbps SFP+ connectivity directly to the 3032E. The plan is to use split port (phy-mode) with QSFP28 mode to connect the new 448E switches. In this scenario, which two statements about the switch deployment are correct? (Choose two.)
- The port mode of Switch 1 must be changed to QSFP.
- Additional ports on Switch 1 can be split for a maximum of 128 interfaces.
- Switches 2-4 will connect successfully with Switch 1 split port in QSFP28 mode.
- FortiLink must be changed to Layer 2 for Switch 1.
- After enabling split ports and rebooting Switch 1, the new ports can be configured from the FortiGate.

Refer to the exhibit that shows VPN debugging output. The VPN tunnel between headquarters and the branch office is not being established. What is causing the problem?
- There is no matching Diffie-Hellman Group
- HQ is using IKE v1 and the branch office is using IKE v2
- There is a mismatch in the ISAKMP SA lifetime
- The Phase-1 encryption algorithms are not matching.

Refer to the exhibit. The exhibit shows a FortiGate high-availability (HA) cluster deployed in FortiGate Session Life Support Protocol (FGSP) mode. Standalone configuration sync mode is enabled. Given the exhibit, which two statements about FortiGate FGSP HA cluster behavior are correct? (Choose two.)
- You can selectively synchronize only specific sessions between FGSP cluster members.
- Session synchronization occurs over Layer 3 by default, and if unavailable it will then try Layer 2.
- You can run FortiGate Virtual Router Redundancy Protocol (VRRP) high availability in addition to FGSP simultaneously.
- Cluster members will upgrade one at a time and failover during firmware upgrades.

A FortiGate is configured to perform outbound firewall authentication with Azure AD as a SAML IdP. What are two valid interactions that occur when the client attempts to access the internet? (Choose two.)
- The Microsoft SAML IdP sends the SAML response to the FortiGate SP.
- The client browser forwards the SAML response received from Microsoft SAML IdP to the FortiGate SP.
- FortiGate SP sends a SAML request to the IdP.
- FortiGate SP redirects the client browser to the local captive portal and then redirects to the Microsoft SAML IdP.

Refer to the exhibit. A customer needs to create a multi-tier MCLAG set up with the topology as shown in the exhibit. A1/A2 B1/B2 C1/C2 Which command snippet should be applied to it, to allow active/active links in this topology?

    A1 # config switch auto-isl-port-group
    A1 (auto-isl-port-g~o) # edit aggregate-port10
    A1 (aggregate-port10) # set members port10
    A1 (aggregate-port10) # next
    A1 (auto-isl-port-g~o) # end

    A1 # config switch auto-isl-port-group
    A1 (auto-isl-port-g~o) # edit aggregate-port11
    A1 (aggregate-port11) # set members port11
    A1 (aggregate-port11) # next
    A1 (auto-isl-port-g~o) # end

    A1 # config switch auto-isl-port-group
    A1 (auto-isl-port-g~o) # edit aggregate-port1-2
    A1 (aggregate-port1-2) # set members port1 port2
    A1 (aggregate-port1-2) # next
    A1 (auto-isl-port-g~o) # end

    A2 # config switch auto-isl-port-group
    A2 (auto-isl-port-g~o) # edit aggregate-port1
    A2 (aggregate-port1) # set members port1
    A2 (aggregate-port1) # next
    A2 (auto-isl-port-g~o) # end

    A1 # config switch auto-isl-port-group
    A1 (auto-isl-port-g~o) # edit aggregate-port2
    A1 (aggregate-port2) # set members port2
    A1 (aggregate-port2) # next
    A1 (auto-isl-port-g~o) # end

    A1 # config switch auto-isl-port-group
    A1 (auto-isl-port-g~o) # edit aggregate-port10-11
    A1 (aggregate-port10-port11) # set members port10 port11
    A1 (aggregate-port10-port11) # next
    A1 (auto-isl-port-g~o) # end

    A2 # config switch auto-isl-port-group
    A2 (auto-isl-port-g~o) # edit aggregate-port10-11
    A2 (aggregate-port10-11) # set members port10 port11
    A2 (aggregate-port10-11) # next
    A2 (auto-isl-port-g~o) # end

Refer to the exhibits. During the implementation of a Fortinet Security Fabric configuration, CLI commands were issued in the order shown in the exhibit. On the next day, the local admin for FGTC issues the following command:

    FGTC # config system csf
        set configuration-sync default
    end

In this scenario, which outcome is true regarding the "subnet_1" firewall address object on FGTC?
- The object is automatically created.
- The object is not automatically created.
- The object will only be automatically created on FGTC if it is modified on FGTA-1.
- The object needs to be recreated on FGTA-1 before it is automatically created on FGTC.

Refer to the exhibit. An HTTPS access proxy is configured to demonstrate its function as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context, before granting access to the protected source. It is assumed that the FortiGate EMS fabric connector has already been successfully connected. You need to ensure that ZTNA access through the FortiGate will redirect users to the FortiAuthenticator to perform username/password and multifactor authentication to validate access prior to accessing resources behind the FortiGate. In this scenario, which two further steps need to be taken on the FortiGate? (Choose two.)
- Create an authentication scheme with the "method" as SAML.
- Create a SAML user/server object referring to the FortiAuthenticator.
- Create an authentication rule that sets the sso-auth-method to the FortiAuthenticator.
- Create a firewall rule that allows access from the remote endpoint to the resources behind the FortiGate.

Refer to the exhibit. A customer is trying to set up a Playbook automation using a FortiAnalyzer, FortiWeb and FortiGate. The intention is to have the FortiGate quarantine any source of SQL Injection detected by the FortiWeb. They got the automation stitch to trigger on the FortiGate when simulating an attack to their website, but the quarantine object was created with the IP 0.0.0.0. Referring to the configuration and logs in the exhibits, which two statements are true? (Choose two.)
- FortiSOC Playbooks combining FortiWeb and FortiGate are not supported.
- To diagnose this issue, you need to use the command diagnose test application oftpd 22.
- The Group By option in the handler should be different to src, so src can be used on the Playbook configuration.
- To fix the issue the parameter for script on the Playbook configuration should be epip.
- The FortiAnalyzer ADOM Type must be Fabric.

Refer to the exhibit.
FortiGate 2200E is using multiple VRFs to isolate the traffic from different departments. You want to enable route leaking of specific routes to allow direct traffic between the VRFs in a scalable way. Which two steps are required to achieve this requirement in this scenario? (Choose two.)
- Configure route-maps to leak the selected routes between the VRFs
- Enable Multi-VDOM
- Create an additional VRF to interconnect the VRFs using VDOM Links
- Use OSPF or BGP as a routing protocol.

Refer to the exhibit of a FortiNAC configuration. In this scenario, which two statements are correct? (Choose two.)
- Port8 is connected to a FortiGate in FortiLink mode.
- An unknown host is connected to port3.
- The IP address of the FortiSwitch is 10.12.240.2.
- A device that is modeled in FortiNAC is connected on VLAN 4093.

Refer to the exhibit. What is happening in this scenario?
- The user is authenticating against a FortiGate Captive Portal.
- The user status changed at FortiClient EMS to off-net.
- The user is authenticating against an IdP.
- The user has not authenticated on their external browser.

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license. Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)
- Migrate the FortiGate to an Azure D8s_v3.
- Enable "Accelerated networking" on the Azure network interfaces.
- Enable SR-IOV on the FortiGate.
- Migrate the FortiGate to an Azure F4s_v2.

SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high. You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work. What should you configure?
A. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
B. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
C. Configure two DNS servers and use DNS servers recommended by the two internet providers.
D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

Review the VPN configuration shown in the exhibit. What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has '?
- 1 redundant packet for every 10 base packets
- 3 redundant packet for every 5 base packets
- 2 redundant packet for every 8 base packets
- 3 redundant packet for every 9 base packets.

You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:
- Enabling bandwidth control between the ISF and the NP will change the output
- The output is showing a packet descriptor queue accumulated counter
- Enable HPE shaper for the NP6 will change the output
- Host-shortcut mode is enabled.
- There are packet drops at the XAUI.

Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)
- Report
- FTP
- API
- SCP

What is the benefit of using FortiGate NAC LAN Segments?
- It provides support for multiple DHCP servers within the same VLAN.
- It provides physical isolation without changing the IP address of hosts
- It provides support for IGMP snooping between hosts within the same VLAN
- It allows for assignment of dynamic address objects matching NAC policy.

You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail. What are two possible reasons for this problem? (Choose two.)
- The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
- The FortiMail DKIM key was not set using the Auto Generation option.
- The FortiMail access control rules to relay from Office 365 servers public IPs are missing.
- A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.

Refer to the exhibit. FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit. Which two statements correctly describe the expected behavior when running this template? (Choose two.)
- The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
- The template will work if you change the variable format to $(WAN).
- The template will work if you change the variable format to {{ WAN }}.
- The administrator must first manually map the interface for each device with a meta field.
- The template will fail because this configuration can only be applied with a CLI or TCL script.

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration.
Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C. Referring to the exhibits, which configuration will restore VPN connectivity?
- config vpn ipsec phase1-interface
      edit "vpn-hub02-1"
          set ike-version 1
          set authmethod signature
          set certificate "BR01FGTLOCAL"
          set peer "vpn-hub02-1_peer"
      next
  end
- config vpn ipsec phase1-interface
      edit "vpn-hub02-1"
          set ike-version 2
          set net-device enable
          set psksecret fortinet
      next
  end
- config vpn ipsec phase1-interface
      edit "vpn-hub02-1"
          set ike-version 2
          set authmethod signature
          set npu-offload disable
          set certificate "BR01FGTLOCAL"
          set peer "vpn-hub02-1_peer"
      next
  end
- config vpn ipsec phase1-interface
      edit "vpn-hub02-1"
          set ike-version 2
          set authmethod signature
          set certificate "BR01FGTLOCAL"
          set peer "vpn-hub02-1_peer"
      next
  end

An HA topology is using the following configuration: Based on this configuration, how long will it take for a failover to be detected by the secondary cluster member?
- 100ms
- 200ms
- 300ms
- 600ms

Refer to the exhibit. You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration: FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?
- Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
- Objects from the root FortiGate will only be synchronized to FGT_2.
- Objects from the root FortiGate will not be synchronized to any downstream FortiGate.
- Objects from the root FortiGate will only be synchronized to FGT_3.

Refer to the exhibit. You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not establishing any OSPF connection.
What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?
- config router ospf
      config ospf-interface
          edit "port2"
              set priority 0
              set network-type point-to-multipoint
          next
      end
  end
- config router ospf
      config ospf-interface
          edit "port2"
              set priority 255
              set network-type point-to-multipoint
          next
      end
  end
- config router ospf
      config ospf-interface
          edit "port2"
              set priority 0
              set network-type broadcast
          next
      end
  end
- config router ospf
      config ospf-interface
          edit "port2"
              set priority 255
              set network-type broadcast
          next
      end
  end

A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine. CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%. Which two options can resolve this situation? (Choose two.)
- Change the persistence rule to LB_PERSIS_SSL_SESSJD.
- Add more web servers to the real server pool
- Disable SSL between the FortiADC and the web servers
- Add a connection-pool to the FortiADC virtual server.

Refer to the CLI output: Given the information shown in the output, which two statements are correct? (Choose two.)
- Geographical IP policies are enabled and evaluated after local techniques.
- Attackers can be blocked before they target the servers behind the FortiWeb.
- The IP Reputation feature has been manually updated
- An IP address that was previously used by an attacker will always be blocked
- Reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored.

Refer to the exhibit. You are deploying a FortiGate 6000F. The device should be directly connected to a switch.
In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port. You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined. How should the initial connection be made?
- Connect the switch on any interface between ports 21 to 24
- Connect the switch on any interface between ports 25 to 28
- Connect the switch on any interface between ports 1 to 4
- Connect the switch on any interface between ports 5 to 8.

Which feature must you enable on the BGP neighbors to accomplish this goal?
- Graceful-restart
- Deterministic-med
- Synchronization
- Soft-reconfiguration

In the SD-WAN implicit rule, you do not want the traffic load balance for the overlay interface when all members are available. In this scenario, which configuration change will meet this requirement?
- Change the load-balance-mode to source-ip-based.
- Create a new static route with the internet sdwan-zone only
- Configure the cost in each overlay member to 10.
- Configure the priority in each overlay member to 10.

Refer to the exhibits. An administrator has configured a FortiGate and FortiAuthenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate, but push notifications do not work. Based on the information given in the exhibits, what must be done to fix this?
- On FG-1 port1, the ftm access protocol must be enabled.
- FAC-1 must have an internet routable IP address for push notifications.
- On FG-1 CLI, the ftm-push server setting must point to 100.64.141.
- On FAC-1, the FortiToken public IP setting must point to 100.64.1.41.

Refer to the exhibit.
A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode. Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)
- You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode
- Traffic on AccountVInk and SalesVInk will not be accelerated
- The VDOM links are in Ethernet mode because they have IP addresses assigned on both sides
- Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.
- OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk.

You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern; cost is not a factor. Which adapter type for the NICs will you recommend?
- Native ESXi Networking with E1000
- Virtual Function (VF) PCI Passthrough
- Native ESXi Networking with VMXNET3
- Physical Function (PF) PCI Passthrough.

You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic. Which action achieves the requirement in this scenario?
- Add a switch between the FortiGate and FEX
- Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
- Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode
- Add a VLAN under the FEX-WAN interface on the FortiGate.

A customer wants to deploy 12 FortiAP 431F devices in a high-density conference center, but they do not currently have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy. From the FortiSwitch models and sample retail prices shown in the exhibit, which bill of materials would have the lowest cost, while fulfilling the customer's requirements?
- 1x FortiSwitch 248E-FPOE
- 2x FortiSwitch 224E-POE
- 2x FortiSwitch 248E-FPOE
- 2x FortiSwitch 124E-FPOE

Refer to the exhibits. A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E. Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)
- FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.
- Devices connected directly to ports 3 and 4 can perform 802.1X authentication.
- Ports 3 and 4 can be part of different switch interfaces.
- Client devices must have 802.1X authentication enabled.

You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?
- The configuration of the MTA Adapter Local Interface is different than on port1.
- The MTA adapter is only available in the primary node.
- The MTA adapter mode is only detection mode.
- The configuration is different than on a standalone device.

Refer to the exhibit showing the history logs from a FortiMail device. Which FortiMail email security feature can an administrator enable to treat these emails as spam?
- DKIM validation in a session profile
- Sender domain validation in a session profile
- Impersonation analysis in an antispam profile
- Soft fail SPF validation in an antispam profile.

An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages. Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?
- FortiGate will fall-back to the default Fortinet_CA_SSL certificate.
- FortiGate will reject the connection since no certificate is defined.
- FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection.
- FortiGate will use the first certificate in the server-cert list—the abc.com certificate.

Refer to the exhibits. A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2. The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1. Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)
- config firewall profile-protocol-options edit SSL-offload config http set ssl-offloaded yes end next end
- config firewall profile-protocol-options edit SSL-offload config https set options splice end next end
- config application list edit SSL-offload-App-Detect set force-inclusion-ssl-di-sigs enable next end
- config application list edit SSL-offload-App-Detect set deep-app-inspection enable next end

You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.
After reviewing the design, you notice the firewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each branch is using at least 10 internal segments. Based on this scenario, what would you suggest as the more efficient solution, considering that in the future the number of internal segments, DCs or internet links per DC will increase?
- No change in design is needed as even small FortiGate devices have a large memory capacity.
- Acquire a FortiGate model with more capacity, considering the next 5 years growth.
- Implement network-id, neighbor-group and increase the advertisement-interval
- Redesign the SD-WAN deployment to only use a single VPN tunnel and segment traffic using VRFs on BGP.

You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs: The devices and the administrator are all located in different time zones. Daylight savings time (DST) is disabled.
• The FortiGate is at GMT-1000.
• The FortiAnalyzer is at GMT-0800
• Your browser local time zone is at GMT-03:00
You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?
- 20:37:08
- 10:37:08
- 17:37:08
- 12:37:08

A customer is planning on moving their secondary data center to a cloud-based IaaS. They want to place all the Oracle-based systems on Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center. They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority. Which two design options are true based on these requirements? (Choose two.)
- Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.
- Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.
- Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.
- Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge.

Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1). Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?
- FAC2 can only process requests when FAC1 fails.
- FAC2 can have its HA interface on a different network than FAC1.
- The FortiToken license will need to be installed on the FAC2.
- FSSO sessions from FAC1 will be synchronized to FAC2.

Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)
- The FortiGuard VOS can be used only with proxy-base policy inspections.
- If third-party AV database returns a match the scanned file is deemed to be malicious
- The antivirus database queries FortiGuard with the hash of a scanned file
- The AV engine scan must be enabled to use the FortiGuard VOS feature
- The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.

A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic. Which two statements are true regarding the requirements? (Choose two.)
- FortiGate can perform SSH access proxy host-key validation.
- You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
- SSH traffic is tunneled between the client and the access proxy over HTTPS
- Traffic is discarded as ZTNA does not support SSH connection rules.
On a FortiGate configured in Transparent mode, which configuration option allows you to control multicast traffic passing through the?
- config system settings set multicast-skip-policy disable end
- config system settings set multicast-forward enable end
- config system settings set multicast-forward disable end
- config system settings set multicast-skip-policy enable end

Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server: Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?
- FortiGate will reject all HTTP/2 ALPN headers.
- FortiGate will strip the ALPN header and forward the traffic.
- FortiGate will rewrite the ALPN header to request HTTP/1.
- FortiGate will forward the traffic without modifying the ALPN header.

Refer to the exhibits. The exhibits show a FortiGate network topology and the output of the status of high availability on the FortiGate. Given this information, which statement is correct?
- The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892
- The cluster mode can support a maximum of four (4) FortiGate VMs
- The cluster members are on the same network and the IP addresses were statically assigned.
- FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.

Refer to the exhibit showing an SD-WAN configuration. According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?
- port16 and port1
- port1 and port1
- port16 and port15
- port1 and port15

A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs. Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)
- Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.
- Create an IAM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters
- Migrate all the instances to the same VPC and create IAM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
- Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster.

Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:
• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
• Public IP address (129.11.1.100) is assigned to port1
• Datacenter.acmecorp.com resolves to the public IP address assigned to port1
The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing. Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
- config vpn ssl settings set https-redirect disable end
- config system acme set interface "port2" end
- config firewall policy edit 1 append dstaddr "h-fortigate_public" next end
- config system global set admin-port 8080 end

Refer to the exhibit. The exhibit shows the forensics analysis of an event detected by the FortiEDR core. In this scenario, which statement is correct regarding the threat?
- This is an exfiltration attack and has been stopped by FortiEDR.
- This is an exfiltration attack and has not been stopped by FortiEDR
- This is a ransomware attack and has not been stopped by FortiEDR.
- This is a ransomware attack and has been stopped by FortiEDR.
An automation stitch was configured using an incoming webhook as the trigger named 'my_incoming_webhook'. The action is configured to execute the CLI Script shown:
- data: '{ "hostname": "bad_host_1", "ip": ["1.1.1.1"] }' url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook
- data: '{ "hostname": "bad_host_1", "ip": "1.1.1.1" }' url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook
- data: '{ "hostname": "bad_host_1", "ip": ["1.1.1.1"] }' url: http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook
- data: { "hostname": "bad_host_1", "ip": "1.1.1.1" } url: http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook

A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with the 'curl' utility: Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)
- Only users with the "Full permission" role can access the REST API
- This API call will fail because it requires that API version 2
- If the REST API web service access key is lost, it cannot be retrieved and must be changed.
- The syntax is incorrect because the API calls needs the get method.

Refer to the exhibit. A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM. Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted. What are the two reasons for this behavior? (Choose two.)
- The private-data-encryption key entered on the primary did not match the value that the TPM expected.
- Configuration for TPM is not synchronized between FortiGate HA cluster members.
- The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
- TPM functionality is not yet compatible with FortiGate HA
- The administrator needs to manually enter the hex private data encryption key in FortiManager.

Refer to the exhibits. The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile. You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path. All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery. FortiMail must not scan the e-mail again. Which three configuration tasks must be performed to meet these requirements? (Choose three.)
- Apply the Catch-All profile to the CFInbound profile and configure a content action profile to deliver to the srv.thirdparty.com FQDN
- Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe
- Apply the Catch-All profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.
- Create an IP policy with a Source value of 100.64.0.72/32, enable precedence, and place the policy at the top of the list.
- Change the scan order in FML-GW to antispam-sandbox-content.

Refer to the exhibit showing a FortiSOAR playbook. You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention. What should be your next step?
- Go to the Incident Response tasks dashboard and run the pending actions
- Click on the notification icon on FortiSOAR GUI and run the pending input action
- Run the Mark Drive by Download playbook action
- Reply to the e-mail with the requested Playbook action.
Review the following FortiGate-6000 configuration excerpt: Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?
- It dynamically distributes SNAT source ports to operating FPCs or FPMs.
- It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
- It statically distributes SNAT source ports to operating FPCs or FPMs
- It equally distributes SNAT source ports across chassis slots.

Refer to the exhibit. You have been tasked with replacing the managed switch FortiSwitch 2 shown in the topology. Which two actions are correct regarding the replacement process? (Choose two.)
- After replacing the FortiSwitch unit, the automatically created trunk name does not change
- MCLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
- After replacing the FortiSwitch unit, the automatically created trunk name changes.
- MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two.)
- Change the Adaptive Mode.
- Create an HA setup with a second FortiDDoS 200F
- Move the internet connection from the SFP interfaces to the LC interfaces
- Replace with a FortiDDoS 1500F.

Refer to the exhibit. The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server. Referring to the exhibit, which two actions will fix these errors? (Choose two.)
- Verify that the CRL is accessible from the root FortiGate
- Export and import the FortiClient EMS server certificate to the root FortiGate.
- Install a new known CA on the Win2K16-EMS server.
- Authorize the root FortiGate on the FortiClient EMS.

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server. Part of the FortiGate configuration is shown below: Based on this configuration, which two statements are true? (Choose two.)
- OCSP checks will always go to the configured FortiAuthenticator
- The OCSP check of the certificate can be combined with a certificate revocation list.
- OCSP certificate responses are never cached by the FortiGate.
- If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Refer to the exhibit. To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels. Which three commands must be added or changed to the FortiGate spoke config vpn ipsec phase1-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)
- set net-device disable
- set mode-cfg enable
- set ike-version 1
- set add-route enable
- set mode-cfg-allow-client-selector enable

Refer to the exhibit showing a firewall policy configuration. To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1. What change does the administrator need to make?
- config user setting set auth-on-demand always end
- config user setting set auth-secure-http enable set auth-http-basic disable end
- config firewall policy edit 1 set ntlm-guest disable next end
- config firewall policy edit 1 set fsso enable next end

Refer to the exhibit. A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
- A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority
- You can only deploy initial installations to Windows clients.
- You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
- The Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy.

Refer to the exhibit showing FortiGate configurations. FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment. The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI. The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary. What change will correct HA functionality in this scenario?
- Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.
- Make the monitored IP to match on both FortiManager devices.
- Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
- Change the priority of FMG-A to be numerically lower for higher preference.

A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed. The exhibit below shows what the IT Team provided while troubleshooting this issue: Which statement explains why the FortiGate did not install its configuration from the FortiManager?
- The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager
- The DHCP server was not configured with the FQDN of the FortiManager
- The DHCP server used the incorrect option type for the FortiManager IP address.
- The configuration was modified on the FortiGate prior to connecting to the FortiManager.

Refer to the exhibit. A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit. How will the sessions be load balanced between server 1 and server 2 during normal operation?
- Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions
- Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions
- Server 1 will receive 33.3% of the sessions, Server 2 will receive 66.6% of the sessions
- Server 1 will receive 0% of the sessions, Server 2 will receive 100% of the sessions.

Refer to the exhibit, which shows a VPN topology. The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50. Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?
- All the session traffic will pass through the Hub
- The TCP port 21 must be allowed on the NAT Device2
- ADVPN is not supported when spokes are behind NAT
- Spoke1 will establish an ADVPN shortcut to Spoke2.

Refer to the exhibits. A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table. Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ. Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)
- 172.16.204.128/25
- 172.16.201.96/29
- 172,620,64,27
- 172.16.204.64/27
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG. Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener. In which two ways must you configure the igmps-flood-traffic and igmps-flood-report settings? (Choose two.)
- disable on ICL trunks
- enable on ICL trunks
- disable on the ISL and FortiLink trunks
- enable on the ISL and FortiLink trunks.

Refer to the exhibits. The exhibits show a diagram of a requested topology and the base IPsec configuration. A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate. In this scenario, which feature should be implemented to achieve this requirement?
- Use network-overlay id
- Change advpn2 to IKEv1
- Use local-id
- Use peer-id.

You are creating the CLI script to be used on a new SD-WAN deployment. You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch. The current configuration is: Which configuration do you use for the Performance SLA members?
- set members any
- set members 0
- current configuration already fulfills the requirement
- set members all