0

Exam NSE7_EFW-7.0
Fortinet NSE 7 -

Enterprise Firewall 7.0

[ Total Questions: 163 ]

answer the question below.

Which statement is true regarding the session in the exhibit?

A. It was created by the FortiGate kernel to allow push updates from FotiGuard.

B. It is for management traffic terminating at the FortiGate.

C. It is for traffic originated from the FortiGate.

D. It was created by a session helper or ALG.

Answer: D

2. Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?

A. FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit CANNOT be

modified by the administrator.

B. FortiGate limits the total number of simultaneous explicit web proxy users.

C. FortiGate limits the number of simultaneous sessions per explicit web proxy user The limit CAN be

modified by the administrator

D. FortiGate limits the number of workstations that authenticate using the same web proxy user credentials.

This limit CANNOT be modified by the administrator.

The No.1 IT Certification Dumps

1
 Certify For Sure with IT Exam Dumps
Answer: B

Explanation:

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-WAN-opt-52/web_proxy.htm#Explicit2

The explicit proxy does not limit the number of active sessions for each user. As a result the actual explicit

proxy session count is usually much higher than the number of explicit web proxy users. If an excessive

number of explicit web proxy sessions is compromising system performance you can limit the amount of

users if the FortiGate unit is operating with multiple VDOMs.

3. View the exhibit, which contains the output of a diagnose command, and the answer the question below.

Which statements are true regarding the Weight value?

A. Its initial value is calculated based on the round trip delay (RTT).

B. Its initial value is statically set to 10.

C. Its value is incremented with each packet lost.

D. It determines which FortiGuard server is used for license validation.

Answer: C

4. An administrator cannot connect to the GIU of a FortiGate unit with the IP address 10.0.1.254. The

administrator runs the debug flow while attempting the connection using HTTP. The output of the debug

flow is shown in the exhibit:

The No.1 IT Certification Dumps

2
 Certify For Sure with IT Exam Dumps

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

B. Redirection of HTTP to HTTPS administrative access is disabled.

C. HTTP administrative access is configured with a port number different than 80.

D. The packet is denied because of reverse path forwarding check.

Answer: A C

5. An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the

administrator notices that some of the switches in the network continue to send traffic to the former primary

device. The administrator decides to enable the setting link-failed-signal to fix the problem.

Which statement about this setting is true?

A. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable

through a new master after a failover.

B. It sends a link failed signal to all connected devices.

C. It disabled all the non-heartbeat interfaces in all HA members for two seconds after a failover.

D. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the

failover occurs.

Answer: D

6. What does the dirty flag mean in a FortiGate session?

A. Traffic has been blocked by the antivirus inspection.

B. The next packet must be re-evaluated against the firewall policies.

C. The session must be removed from the former primary unit after an HA failover.

The No.1 IT Certification Dumps

3
 Certify For Sure with IT Exam Dumps
D. Traffic has been identified as from an application that is not allowed.

Answer: B

Explanation:

https://kb.fortinet.com/kb/viewContent.do?externalId=FD40119&sliceId=1

7. Which of the following statements are correct regarding application layer test commands? (Choose two.)

A. They are used to filter real-time debugs.

B. They display real-time application debugs.

C. Some of them display statistics and configuration information about a feature or process.

D. Some of them can be used to restart an application.

Answer: C D

Explanation:

Application layer test commands don’t display info in real time, but they do show statistics and configuration

info about a feature or process. You can also use some of these commands to restart a process or execute

a change in its operation.

8. Which two tasks are automated using the Import Configuration wizard on FortiManager? (Choose two.)

A. Importing firewall address objects from managed devices

B. Importing interface mappings from managed devices

C. Importing static and dynamic route configurations from managed devices

D. Importing devices to FortiManager

Answer: A B

Explanation:

https://docs.fortinet.com/document/fortimanager/7.0.5/administration-guide/337348

9. Refer to the exhibits, which show the configuration on FortiGate and partial session information for

internet traffic from a user on the internal network.

The No.1 IT Certification Dumps

4
 Certify For Sure with IT Exam Dumps

If the priority on route ID 2 were changed from 10 to 0, what would happen to traffic matching that user

session?

A. The session would remain in the session table, but its traffic would now egress from both port1 and

port2.

B. The session would remain in the session table, and its traffic would egress from port2.

C. The session would be deleted, and the client would need to start a new session.

D. The session would remain in the session table, and its traffic would egress from port1.

Answer: D

Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-SNAT-route-change-to-update-existing-N

AT/

The No.1 IT Certification Dumps

5
 Certify For Sure with IT Exam Dumps

10. Refer to the exhibit, which shows the output of a diagnose command.

What can be concluded about the debug output in this scenario?

A. Servers with a negative TZ value are less preferred for rating requests.

B. There is a natural correlation between the value in the Packets field and the value in the Weight field.

C. FortiGate used 64.26.151.37 as the initial server to validate its contract.

D. The first server provided to FortiGate when it performed a DNS query looking for a list of rating servers,

was 121.111.236.179.

Answer: B

11. A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS

errors when accessing any website. The administrator executes the following debug commands and

observes that the n-d ns-timeout counter is increasing:

The No.1 IT Certification Dumps

6
 Certify For Sure with IT Exam Dumps
What should the administrator check to fix the problem?

A. The connectivity between the FortiGate unit and the DNS server.

B. The connectivity between the client workstations and the DNS server.

C. That DNS traffic from client workstations is allowed by the explicit web proxy policies.

D. That DNS service is enabled in the explicit web proxy interface.

Answer: A

12. In which two states is a given session categorized as ephemeral? (Choose two.)

A. A TCP session waiting for FIN ACK

B. A UDP session with packets sent and received

C. A UDP session with only one packet received

D. A TCP session waiting for the SYN ACK

Answer: C D

13. View the central management configuration shown in the exhibit, and then answer the question below.

Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?

A. 10.0.1.240

B. One of the public FortiGuard distribution servers C. 10.0.1.244

The No.1 IT Certification Dumps

7
 Certify For Sure with IT Exam Dumps
D. 10.0.1.242

Answer: B

14. View the exhibit, which contains the output of a real-time debug, Which statement about this output is

true?

Which of the following statements is true regarding this output?

A. The requested URL belongs to category ID 255.

B. The server hostname Is training, fortinet.com.

C. FortiGate found the requested URL in its local cache.

D. This web request was inspected using the ftgd-allow web filler profile.

Answer: C

Explanation:

Example log for no local cache case: #id=93000 msg="pid=57 urlfilter_main-723 in main.c received

pkt:count=91 "IPS and WAD will only send request to urlfilter daemon when cache is missed. " So the WAD

process by itself found the URL rating in the local cache and didn`t ask for help from the URL process as in

the example.

15. Examine the following partial output from two system debug commands; then answer the question

below.

The No.1 IT Certification Dumps

8
 Certify For Sure with IT Exam Dumps

Which of the following statements are true regarding the above outputs? (Choose two.)

A. The unit is running a 32-bit FortiOS

B. The unit is in kernel conserve mode

C. The Cached value is always the Active value plus the Inactive value

D. Kernel indirectly accesses the low memory (LowTotal) through memory paging

Answer: A C

16. Examine the following routing table and BGP configuration; then answer the question below.

The No.1 IT Certification Dumps

9
 Certify For Sure with IT Exam Dumps

TheBGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which

configuration change will make the local peer advertise this prefix?

A. Enable the redistribution of connected routers into BGP.

B. Enable the redistribution of static routers into BGP.

C. Disable the setting network-import-check.

D. Enable the setting ebgp-multipath.

Answer: C

17. Refer to the exhibit, which contains the output of a debug command.

If the default settings are in place, what can be concluded about the conserve mode shown in the exhibit?

A. FortiGate is currently blocking all new sessions regardless of the content inspection requirements or

configuration settings due to high memory use.

B. FortiGate is currently allowing new sessions that require flow-based or proxy-based content inspection

but is not performing inspection on those sessions.

C. FortiGate is currently blocking new sessions that require flow-based or proxy-based content inspection.

The No.1 IT Certification Dumps

10
 Certify For Sure with IT Exam Dumps
D. FortiGate is currently allowing new sessions that require flow-based content inspection and blocking

sessions that require proxy-based content inspection.

Answer: C

18. View the exhibit, which contains the output of get sys ha status, and then answer the question below.

Which statements are correct regarding the output? (Choose two.)

A. The slave configuration is not synchronized with the master.

B. The HA management IP is 169.254.0.2.

C. Master is selected because it is the only device in the cluster.

D. port 7 is used the HA heartbeat on all devices in the cluster.

Answer: A D

19. Refer to the exhibit, which shows the output of a BGP debug command.

The No.1 IT Certification Dumps

11
 Certify For Sure with IT Exam Dumps

What can be concluded about the router in this scenario?

A. The router 100.64.3.1 needs to update the local AS number in its BGP configuration in order to bring up

the BGP session with the local router.

B. The State/PfxRcd for neighbor 100.64.3.1 will not change until an administrator on the local router

adjusts the inbound route filtering so that prefixes received can be added to the RIB.

C. All of the neighbors displayed are part of a single BGP configuration on the local router with the

neighbor-range set to a value of 4.

D. The BGP session with peer 10.127.0.75 is up.

Answer: D

20. Refer to the exhibit, which shows the output of get system ha status. NGFW-1 and NGFW-2 have been

up for a week.

Which two statements about the output are true? (Choose two.)

A. If FGVM...649 is rebooted, FGVM...650 will become the primary and retain that role, even after

The No.1 IT Certification Dumps

12
 Certify For Sure with IT Exam Dumps
FGVM...649 rejoins the cluster.

B. If no action is taken, the primary FortiGate will leave the cluster due to the current sync status.

C. If port7 becomes disconnected on the secondary, both FortiGate devices will elect itself the primary.

D. If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a

synchronization reset.

Answer: A C

Explanation:

* A. If FGVM...649 is rebooted, FGVM...650 will become the primary that is normal since it will be the only

active firewall and retain that role since override is disabled. Even after FGVM...649 rejoins the cluster, 650

will not fail over as slave. C. If port7 (heartbeat port) becomes disconnected on the secondary, both

FortiGate devices will elect itself the primary because when heartbeat communication fails, all cluster

members think they are the primary unit (condition referred to as Split Brain)

https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/493254/heartbeat-interfaces

21. Refer to the exhibit, which shows partial outputs from two routing debug commands.

Why is the port2 default route not in the second command output?

A. The port2 interface is disabled in the FortiGate configuration.

B. The port1 default route has a lower distance than the default route using port2.

C. The port1 default route has a higher priority value than the default route using port2.

D. The port1 default route has a lower priority value than the default route using port2.

Answer: B

The No.1 IT Certification Dumps

13
 Certify For Sure with IT Exam Dumps
22. Refer to the exhibit, which shows the output of diagnose sys session stat.

Which statement about the output shown in the exhibit is correct?

A. There are two sessions that have not been removed in case of any out-of-order packets that arrive.

B. There are 166 TCP sessions waiting to complete the three-way handshake.

C. 162 sessions have been deleted because of memory page exhaustion.

D. All the sessions in the session table are TCP sessions.

Answer: A

23. An administrator has configured a FortiGate device with two VDOMs: root and internal. The

administrator has also created and inter-VDOM link that connects both VDOMs. The objective is to have

each VDOM advertise some routes to the other VDOM via OSPF through the inter-VDOM link. What OSPF

configuration settings must match in both VDOMs to have the OSPF adjacency successfully forming?

(Choose three.)

A. Router ID.

B. OSPF interface area.

C. OSPF interface cost.

D. OSPF interface MTU.

E. Interface subnet mask.

The No.1 IT Certification Dumps

14
 Certify For Sure with IT Exam Dumps
Answer: B D E

24. Which of the following conditions must be met for a static route to be active in the routing table?

(Choose three.)

A. The next-hop IP address is up.

B. There is no other route, to the same destination, with a higher distance.

C. The link health monitor (if configured) is up.

D. The next-hop IP address belongs to one of the outgoing interface subnets.

E. The outgoing interface is up.

Answer: C D E

Explanation:

A configured static route only goes to routing table from routing database when all the following are met :

The outgoing interface is up

There is no other matching route with a lower distance

The link health monitor (if configured) is successful

The next-hop IP address belongs to one of the outgoing interface subnets

25. An administrator has been assigned the task of creating a set of firewall policies which must be

evaluated before any custom policies defined within the policy packages of managed FortiGate devices,

across all 25 ADOMSs in FortiManager.

How should the administrator accomplish this task?

A. Create a footer policy in the Global ADOM containing the firewall policies that must be evaluated first,

and then assign this footer policy to all other ADOMs.

B. Create a header policy in the Global ADOM containing the firewall policies that must be evaluated first,

and then assign this header policy to all other ADOMs.

C. Move the FortiGate devices into a single globally scoped ADOM, and merge policy packages, inserting

the new firewall policies at the top.

D. Use a CLI script from the root ADOM on FortiManager to push these new policies to all FortiGate

devices, through the FGFM tunnel.

Answer: B

The No.1 IT Certification Dumps

15
 Certify For Sure with IT Exam Dumps
Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 244

26. What is the purpose of an internal segmentation firewall (ISFW)?

A. It inspects incoming traffic to protect services in the corporate DMZ.

B. It is the first line of defense at the network perimeter.

C. It splits the network into multiple security segments to minimize the impact of breaches.

D. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Answer: C

Explanation:

ISFW splits your network into multiple security segments. They serve as a breach containers from attacks

that come from inside.

27. View the exhibit, which contains a partial output of an IKE real-time debug, and then answer the

question below.

The No.1 IT Certification Dumps

16
 Certify For Sure with IT Exam Dumps

Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

A. auto-discovery-sender

B. auto-discovery-forwarder

C. auto-discovery-shortcut

D. auto-discovery-receiver

Answer: B

28. Which statement about NGFW policy-based application filtering is true?

A. After the application has been identified, the kernel uses only the Layer 4 header to match the traffic.

B. The IPS security profile is the only security option you can apply to the security policy with the action set

to ACCEPT.

C. After IPS identifies the application, it adds an entry to a dynamic ISDB table.

The No.1 IT Certification Dumps

17
 Certify For Sure with IT Exam Dumps
D. FortiGate will drop all packets until the application can be identified.

Answer: D

29. A FortiGate device has the following LDAP configuration:

The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real time

debug while testing the student account:

Based on the above output, what FortiGate LDAP settings must the administer check? (Choose two.)

A. cnid.

B. username.

C. password.

D. dn.

Answer: B C

The No.1 IT Certification Dumps

18
 Certify For Sure with IT Exam Dumps
Explanation:

https://kb.fortinet.com/kb/viewContent.do?externalId=13141

30. An administrator has enabled HA session synchronization in a HA cluster with two members. Which flag

is added to a primary unit’s session to indicate that it has been synchronized to the secondary unit?

A. redir.

B. dirty.

C. synced

D. nds.

Answer: C

Explanation:

The synced sessions have the ‘synced’ flag. The command ‘diag sys session list’ can be used to see the

sessions on the member, with the associated flags.

31. Which two conditions would prevent a static route from being added to the routing table? (Choose two.)

A. There is another other route to the same destination, with a lower distance.

B. The route has a lower priority value than another route to the same destination.

C. The next-hop IP address is unreachable.

D. The interface specified in the route configuration is down

Answer: A D

Explanation:

The routing table contains only the static route with the lowest distance

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-and/t

a-p/

32. View the exhibit, which contains the output of diagnose sys session list, and then answer the question

below.

The No.1 IT Certification Dumps

19
 Certify For Sure with IT Exam Dumps

If the HA ID for the primary unit is zero (0), which statement is correct regarding the output?

A. This session is for HA heartbeat traffic.

B. This session is synced with the slave unit.

C. The inspection of this session has been offloaded to the slave unit.

D. This session cannot be synced with the slave unit.

Answer: B

33. An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth)

and IKE mode configuration. The administrator has also enabled the IKE real time debug:

diagnose debug application ike-1 diagnose debug enable

In which order is each step and phase displayed in the debug output each time a new dial-up user is

connecting to the VPN?

A. Phase1; IKE mode configuration; XAuth; phase 2.

B. Phase1; XAuth; IKE mode configuration; phase2.

C. Phase1; XAuth; phase 2; IKE mode configuration.

D. Phase1; IKE mode configuration; phase 2; XAuth.

Answer: B

Explanation:

The No.1 IT Certification Dumps

20
 Certify For Sure with IT Exam Dumps
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Concepts/IKE_Pa

cket

34. An administrator is running the following sniffer in a FortiGate: diagnose sniffer packet any “host

10.0.2.10” 2

What information is included in the output of the sniffer? (Choose two.)

A. Ethernet headers.

B. IP payload.

C. IP headers.

D. Port names.

Answer: B C

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=11186

35. Which two statements about application-layer test commands are true? (Choose two.)

A. Some of them display real-time application debugs.

B. Some of them can be used to restart an application.

C. Some of them display statistics and configuration information about a feature or process.

D. Some of them only display output, after you run the diagnose debug console enable command.

Answer: B C

36. You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but

FortiGate devices are not receiving updates to their AV signature databases, IPS engines, or IPS signature

databases.

Which two settings need to be verified for these features to function? (Choose two.)

A. FortiGate needs to have the server list entry for FortiManager set to server-type update under config

system central-management.

B. FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated

AV and IPS packages.

C. Service access needs to be enabled on FortiManager under System Settings > Network.

The No.1 IT Certification Dumps

21
 Certify For Sure with IT Exam Dumps
D. FortiGate needs to have include-default-servers disabled under config system central-management.

Answer: A C

Explanation:

NSE 7.0 Guide page 184-185

37. Refer to the exhibit, which contains partial outputs from two routing debug commands.

Why is the port2 default route not in the second command's output?

A. It has a higher priority value than the default route using port1.

B. It is disabled in the FortiGate configuration.

C. It has a lower priority value than the default route using port1.

D. It has a higher distance than the default route using port1.

Answer: D

38. In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

A. It provides VM license validation services.

B. It supports rating requests from non-FortiGate devices.

C. It caches available firmware updates for unmanaged devices.

D. It can be configured as an update server, a rating server, or both.

Answer: A D

39. Refer to the exhibit, which contains the output of the diagnose vpn tunnel list. Which command will

capture ESP traffic for the VPN named DialUp_0?

A. diagnose sniffer packet any ‘esp and host 10.200.3.2’

B. diagnose sniffer packet any ‘ip proto 50’

C. diagnose sniffer packet any ‘host 10.0.10.10’

The No.1 IT Certification Dumps

22
 Certify For Sure with IT Exam Dumps
D. diagnose sniffer packet any ‘port 4500’

Answer: D

40. Refer to the exhibits, which show the configuration on FortiGate and partial internet session information

from a user on the internal network.

An administrator would like to test session failover between the two service provider connections.

What changes must the administrator make to force this existing session to immediately start using the

other interface? (Choose two.)

A. Configure set snat-route-change enable.

B. Change the priority of the port2 static route to 5.

The No.1 IT Certification Dumps

23
 Certify For Sure with IT Exam Dumps
C. Change the priority of the port1 static route to 11.

D. unset snat-route-change to return it to the default setting.

Answer: A C

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 148-149

41. What is the diagnose test application ipsmonitor 99 command used for?

A. To enable IPS bypass mode

B. To provide information regarding IPS sessions

C. To disable the IPS engine

D. To restart all IPS engines and monitors

Answer: D

42. Refer to the exhibit, which shows the output of a debug command.

What can be concluded from the debug command output?

A. The OSPF router with the ID 0.0.0.69 has its OSPF priority set to 0.

B. The local FortiGate has a different MTU value from the OSPF router with ID 0.0.0.2, based on the state

information.

C. There are more than two OSPF routers on the wan2 network.

D. The interface ToRemote is a broadcast OSPF network.

Answer: C

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 296

43. How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)

A. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a

The No.1 IT Certification Dumps

24
 Certify For Sure with IT Exam Dumps
new revision history.

B. When run on the Device Database, changes are applied directly to the managed FortiGate device.

C. When run on the Remote FortiGate directly, administrators do not have the option to review the changes

prior to installation.

D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the

changes to the managed FortiGate device

Answer: C D

Explanation:

CLI scripts can be run in three different ways:Device Database: By default, a script is executed on the

device database. It is recommend you run the changes on the device database (default setting), as this

allows you to check what configuration changes you will send to the managed device. Once scripts are run

on the device database, you can install these changes to a managed device using the installation wizard.

Policy Package, ADOM database: If a script contains changes related to ADOM level objects and policies,

you can change the default selection to run on Policy Package, ADOM database and can then be installed

using the installation wizard.

Remote FortiGate directly (through CLI): A script can be executed directly on the device and you don’t need

to install these changes using the installation wizard. As the changes are directly installed on the managed

device, no option is provided to verify and check the configuration changes through FortiManager prior to

executing it.

44. View these partial outputs from two routing debug commands:

Which outbound interface will FortiGate use to route web traffic from internal users to the Internet?

The No.1 IT Certification Dumps

25
 Certify For Sure with IT Exam Dumps
A. Both port1 and port2

B. port3

C. port1

D. port2

Answer: C

45. View the exhibit, which contains an entry in the session table, and then answer the question below.

Which one of the following statements is true regarding FortiGate’s inspection of this session?

A. FortiGate applied proxy-based inspection.

B. FortiGate forwarded this session without any inspection.

C. FortiGate applied flow-based inspection.

D. FortiGate applied explicit proxy-based inspection.

Answer: A

Explanation:

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

46. Which two statements about the Security Fabric are true? (Choose two.)

A. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.

B. Only the root FortiGate sends logs to FortiAnalyzer.

The No.1 IT Certification Dumps

26
 Certify For Sure with IT Exam Dumps
C. Only FortiGate devices with fabric-object-unification set to default will receive and synchronize global

CMDB objects sent by the root FortiGate.

D. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

Answer: A C

Explanation:

FortiGate's to Root uses FortiTelemetry (TCP-8013) FortiTelemetry is also used for FortiClient

communication Root Fortigate to FortiAnalyzer uses API (TCP-443)

47. Examine the following partial output from a sniffer command; then answer the question below.

What is the meaning of the packets dropped counter at the end of the sniffer?

A. Number of packets that didn’t match the sniffer filter.

B. Number of total packets dropped by the FortiGate.

C. Number of packets that matched the sniffer filter and were dropped by the FortiGate.

D. Number of packets that matched the sniffer filter but could not be captured by the sniffer.

Answer: D

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=11655

48. An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover,

the administrator noticed that some of the switches in the network continue to send traffic to the former

primary unit. The administrator decides to enable the setting link-failed-signal to fix the problem. Which

statement is correct regarding this command?

A. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the

The No.1 IT Certification Dumps

27
 Certify For Sure with IT Exam Dumps
failover occurs.

B. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable

through a new master after a failover.

C. Sends a link failed signal to all connected devices.

D. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.

Answer: A

49. Exhibits:

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

An administrator is trying to configure ADVPN with a hub-spoke VPN setup using iBGP. All the VPNs are

The No.1 IT Certification Dumps

28
 Certify For Sure with IT Exam Dumps
up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however,

the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned by one

spoke are forwarded to the other spokes?

A. Configure an individual neighbor and remove neighbor-range configuration.

B. Configure the hub as a route reflector client.

C. Change the router id to 10.1.0.254.

D. Make the configuration of remote-as different from the configuration of local-as.

Answer: B

Explanation:

Source:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-BGP-route-reflector/ta-p/191503

Source 2: RFC 4456

50. Refer to the exhibit, which contains partial output from an IKE real-time debug.

The No.1 IT Certification Dumps

29
 Certify For Sure with IT Exam Dumps

The administrator does not have access to the remote gateway.

Based on the debug output, which configuration change can the administrator make to the local gateway to

resolve the phase 1 negotiation error?

A. In the phase 1 network configuration, set the IKE version to 2.

The No.1 IT Certification Dumps

30
 Certify For Sure with IT Exam Dumps
B. In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.

C. In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.

D. In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

Answer: D

Explanation:

https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/238852

51. Which two statements about an auxiliary session are true? (Choose two.)

A. With the auxiliary session setting disabled, only auxiliary sessions are offloaded.

B. With the auxiliary session setting enabled, two sessions are created in case of routing change.

C. With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.

D. With the auxiliary session setting disabled, for each traffic path, FortiGate uses the same auxiliary

session.

Answer: B C

52. Refer to the exhibits.

Which contain the partial configurations of two VPNs on FortiGate.

An administrator has configured two VPNs for two different user groups. Users who are in the Users-2

group are not able to connect to the VPN. After running a diagnostics command, the administrator

discovered that FortiGate is not matching the user-2 VPN for members of the Users-2 group.

Which two changes must administrator make to fix the issue? (Choose two.)

A. Use different pre-shared keys on both VPNs

The No.1 IT Certification Dumps

31
 Certify For Sure with IT Exam Dumps
B. Enable Mode Config on both VPNs.

C. Set up specific peer IDs on both VPNs.

D. Change to aggressive mode on both VPNs.

Answer: C D

Explanation:

To set peer-id, the VPN must be set in aggressive mode -

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dialup/t

a-p

53. View the exhibit, which contains the output of a web diagnose command, and then answer the question

below.

Which one of the following statements explains why the cache statistics are all zeros?

The No.1 IT Certification Dumps

32
 Certify For Sure with IT Exam Dumps
A. The administrator has reallocated the cache memory to a separate process.

B. There are no users making web requests.

C. The FortiGuard web filter cache is disabled in the FortiGate’s configuration.

D. FortiGate is using a flow-based web filter and the cache applies only to proxy-based inspection.

Answer: C

54. Refer to the exhibit, which shows the output of a diagnose command.

What can you conclude from the output shown in the exhibit? (Choose two.)

A. This is a pinhole session created to allow traffic for a protocol that requires additional sessions to operate

through FortiGate.

B. This is an expected session created by the IPS engine.

C. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop

IP address 10.200.1.1.

D. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the

next-hop IP address 10.0.1.10.

Answer: A D

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 110, 111, 115

55. Refer to exhibit, which contains the output of a BGP debug command.

The No.1 IT Certification Dumps

33
 Certify For Sure with IT Exam Dumps

Which statement explains why the state of the 10.200.3.1 peer is Connect?

A. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received

the OpenConfirm yet.

B. The TCP session to 10.200.3.1 has not completed the three-way handshake.

C. The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.

D. The local router has received the BGP prefixes from the remote peer.

Answer: B

Explanation:

BGP neighbor states and how they change:• Idle: Initial state• Connect: Waiting for a successful three-way

TCP connection• Active: Unable to establish the TCP session• OpenSent: Waiting for an OPEN message

from the peer• OpenConfirm: Waiting for the keepalive message from the peer• Established: Peers have

successfully exchanged OPEN and keepalive messages

56. View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question

below.

The No.1 IT Certification Dumps

34
 Certify For Sure with IT Exam Dumps

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic

cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

However, the IKE real time debug does not show any output. Why?

A. The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any

more output.

B. The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.

C. The debug shows only error messages. If there is no output, then the tunnel is operating normally.

D. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following

real time debug: diagnose debug application ipsec -1.

Answer: B

57. Which statement about memory conserve mode is true?

A. A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.

B. A FortiGate starts dropping all the new and old sessions when the configured memory use threshold

reaches extreme.

C. A FortiGate starts dropping new sessions when the configured memory use threshold reaches red

The No.1 IT Certification Dumps

35
 Certify For Sure with IT Exam Dumps
D. A FortiGate enters conserve mode when the configured memory use threshold reaches red

Answer: D

58. View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the

question below.

The administrator does not have access to the remote gateway. Based on the debug output, what

configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation

error?

A. Change phase 1 encryption to 3DES and authentication to SHA128.

The No.1 IT Certification Dumps

36
 Certify For Sure with IT Exam Dumps
B. Change phase 1 encryption to AES128 and authentication to SHA512.

C. Change phase 1 encryption to AESCBC and authentication to SHA2.

D. Change phase 1 encryption to AES256 and authentication to SHA256.

Answer: D

59. View the exhibit, which contains the output of a BGP debug command, and then answer the question

below.

Which of the following statements about the exhibit are true? (Choose two.)

A. For the peer 10.125.0.60, the BGP state of is Established.

B. The local BGP peer has received a total of three BGP prefixes.

C. Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.

D. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.

Answer: A D

60. Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer

the question below.

The No.1 IT Certification Dumps

37
 Certify For Sure with IT Exam Dumps

Which statements are true regarding the output in the exhibit? (Choose two.)

A. BGP state of the peer 10.125.0.60 is Established.

B. BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.

C. Local BGP peer has not received an OpenConfirm from 10.200.3.1.

D. The local BGP peer has received a total of 3 BGP prefixes.

Answer: A C

61. What events are recorded in the crashlogs of a FortiGate device? (Choose two.)

A. A process crash.

B. Configuration changes.

C. Changes in the status of any of the FortiGuard licenses.

D. System entering to and leaving from the proxy conserve mode.

Answer: A D

Explanation:

diagnose debug crashlog read 275: 2014-08-05 13:03:53 proxy=acceptor service=imap session fail

mode=activated276: 2014-08-05 13:03:53 proxy=acceptor service=ftp session fail mode=activated277:

2014-08-05 13:03:53 proxy=acceptor service=nntp session fail mode=activated278: 2014-08-06 11:05:47

service=kernel conserve=on free=”45034 pages” red=”45874 pages” msg=”Kernel279: 2014-08-06

11:05:47 enters conserve mode”280: 2014-08-06 13:07:16 service=kernel conserve=exit free=”86704

pages” green=”68811 pages”281: 2014-08-06 13:07:16 msg=”Kernel leaves conserve mode”282:

2014-08-06 13:07:16 proxy=imd sysconserve=exited total=1008 free=349 marginenter=201283:

2014-08-06 13:07:16 marginexit=302

The No.1 IT Certification Dumps

38
 Certify For Sure with IT Exam Dumps

62. Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose

three.)

A. OSPF interface network types match.

B. OSPF router IDs are unique.

C. OSPF interface priority settings are unique.

D. Authentication settings match.

E. OSPF link costs match.

Answer: A B D

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 280

63. View the exhibit, which contains the partial output of a diagnose command, and then answer the

question below.

Based on the output, which of the following statements is correct?

A. Anti-reply is enabled.

B. DPD is disabled.

C. Quick mode selectors are disabled.

D. Remote gateway IP is 10.200.5.1.

Answer: A

64. Which two configuration commands change the default behavior for content-inspected traffic while

The No.1 IT Certification Dumps

39
 Certify For Sure with IT Exam Dumps
FortiGate is in conserve mode? (Choose two.)

A. set av-failopen off

B. set av-failopen pass

C. set fail-open enable

D. set ips fail-open disable

Answer: A C

Explanation:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/194558/conserve-mode

65. Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

A. The remote gateway has quick mode selectors containing a destination subnet of 10.1.2.0/24.

B. The remote gateway IP is 10.200.5.1.

C. DPD is disabled.

D. Anti-replay is enabled.

Answer: A D

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 427, 444

Since the local subnet is 10.1.2.0/24, the remote gateway has the destination subnet as 10.1.2.0. The

remote gateway IP is 10.200.4.1. DPD is enabled (dpd-link=on)

The No.1 IT Certification Dumps

40
 Certify For Sure with IT Exam Dumps

66. A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have

Internet access after successfully logged into the Windows AD network. The output of the ‘diagnose debug

authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access

the Internet without problems. What should the administrator check? (Choose two.)

A. The user student must not be listed in the CA’s ignore user list.

B. The user student must belong to one or more of the monitored user groups.

C. The student workstation’s IP subnet must be listed in the CA’s trusted list.

D. At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

Answer: A D

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828

67. The logs in a FSSO collector agent (CA) are showing the following error: failed to connect to registry:

PIKA1026 (192.168.12.232)

What can be the reason for this error?

A. The CA cannot resolve the name of the workstation.

B. The FortiGate cannot resolve the name of the workstation.

C. The remote registry service is not running in the workstation 192.168.12.232.

D. The CA cannot reach the FortiGate with the IP address 192.168.12.232.

Answer: C

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD30548

68. View the exhibit, which contains the output of a debug command, and then answer the question below.

The No.1 IT Certification Dumps

41
 Certify For Sure with IT Exam Dumps

Which of the following statements about the exhibit are true? (Choose two.)

A. In the network on port4, two OSPF routers are down.

B. Port4 is connected to the OSPF backbone area.

C. The local FortiGate’s OSPF router ID is 0.0.0.4

D. The local FortiGate has been elected as the OSPF backup designated router.

Answer: B C

69. Refer to the exhibit, which contains a TCL script configuration on FortiManager.

An administrator has configured the TCL script on FortiManager, but failed to apply any changes to the

managed device after being executed.

Why did the TCL script fail to make any changes to the managed device?

A. Changes in an interface configuration can only be done by CLI script.

B. The TCL script must start with #include <>.

C. Incomplete commands are ignored in TCL scripts.

The No.1 IT Certification Dumps

42
 Certify For Sure with IT Exam Dumps
D. The TCL command run_cmd has not been created.

Answer: D

70. Which action will FortiGate take when using the default settings for SSL certificate inspection, where the

server name indication (SNI) does not match either the common name (CN) or any of the subject altemative

names (SAN) in the server certificate?

A. FortiGate uses the CN information from the Subject field in the server certificate.

B. FortiGate uses the first entry listed in the SAN field in the server certificate.

C. FortiGate uses the SNI from the user's web browser.

D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.

Answer: A

Explanation:

#Config firewall ssl-ssh-profile

edit <profile_name> config https

set sni-server-cert-check [enable* | strict | disable]

Enable: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG uses the

CN field instead of the SNI to obtain the FQDN.

Strict: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG closes the

connection.

Disable: FG does not check the SNI.

71. When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web

requests when the browser client does not provide the server name indication (SNI) extension?

A. FortiGate uses CN information from the Subject field in the server’s certificate.

B. FortiGate switches to the full SSL inspection method to decrypt the data.

C. FortiGate blocks the request without any further inspection.

D. FortiGate uses the requested URL from the user’s web browser.

Answer: A

72. Refer to the exhibit, which shows a partial routing table.

The No.1 IT Certification Dumps

43
 Certify For Sure with IT Exam Dumps

Assuming all the appropriate firewall policies are configured, which two pings will FortiGate route? (Choose

two.)

A. Source IP address: 10.1.0.10. Destination IP address: 10.64.1.52

B. Source IPaddress: 10.72.3.52. Destination IP address: 10.1.0.254

C. Source IPaddress: 10.10.4.24, Destination IPaddress: 10.72.3.20

D. Source IPaddress: 10.73.9.10, Destination IPaddress: 10.72.3.15

Answer: A B

73. What configuration changes can reduce the memory utilization in a FortiGate? (Choose two.)

A. Reduce the session time to live.

B. Increase the TCP session timers.

C. Increase the FortiGuard cache time to live.

D. Reduce the maximum file size to inspect.

Answer: A D

74. Refer to the exhibit, which shows the output of a diagnose command

The No.1 IT Certification Dumps

44
 Certify For Sure with IT Exam Dumps

What can you conclude from the RTT value?

A. Its value represents the time it takes to receive a response after a rating request is sent to a particular

server.

B. Its value is incremented with each packet lost.

C. It determines which FortiGuard server is used for license validation.

D. Its initial value is statically set to 10.

Answer: A

75. What does the dirty flag mean in a FortiGate session configured for NGFW policy mode?

A. The existing session table entry has been updated with the app_id and the firewall policy table needs to

be checked for a match.

B. The application or URL category is unknown and needs to be rescanned by the IPS engine to try to

identify the Layer 7 details.

C. The URL category for this session has been updated by FortiGuard and the session needs to be

checked against the policy again to ensure proper web filtering is applied.

D. Traffic has been identified as coming from an application that is not allowed and the relevant

replacement message needs to be displayed to the user, if configured.

Answer: A

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 99

The No.1 IT Certification Dumps

45
 Certify For Sure with IT Exam Dumps

76. Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

A. Installing configuration changes to managed devices

B. Importing interface mappings from managed devices

C. Adding devices to FortiManager

D. Previewing pending configuration changes for managed devices

Answer: A D

77. Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

A. Anti-replay is enabled.

B. DPD is disabled.

C. Remote gateway IP is 10.200.4.1.

D. Quick mode selectors are disabled.

Answer: A C

78. Examine the output from the 'diagnose debug authd fsso list' command; then answer the question

below.

# diagnose debug authd fsso list —FSSO logons-IP: 192.168.3.1 User: STUDENT Groups:

TRAININGAD/USERS Workstation: INTERNAL2. TRAINING. LAB The IP address 192.168.3.1 is

NOT the one used by the workstation INTERNAL2. TRAINING. LAB.

The No.1 IT Certification Dumps

46
 Certify For Sure with IT Exam Dumps
What should the administrator check?

A. The IP address recorded in the logon event for the user STUDENT.

B. The DNS name resolution for the workstation name INTERNAL2. TRAINING. LAB.

C. The source IP address of the traffic arriving to the FortiGate from the workstation INTERNAL2.

TRAINING. LAB.

D. The reserve DNS lookup forthe IP address 192.168.3.1.

Answer: C

79. Which real time debug should an administrator enable to troubleshoot RADIUS authentication

problems?

A. Diagnose debug application radius -1.

B. Diagnose debug application fnbamd -1.

C. Diagnose authd console –log enable.

D. Diagnose radius console –log enable.

Answer: B

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD32838

80. Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF

multi-access network is true?

A. FortiGate first checks the OSPF ID to elect a DR.

B. Non-DR and non-BDR routers will form full adjacencies to DR and BDR only.

C. BDR is responsible for forwarding link state information from one router to another.

D. Only the DR receives link state information from non-DR routers.

Answer: B

81. Which two statements about conserve mode are true? (Choose two.)

A. FortiGate starts taking the configured action for new sessions requiring content inspection when the

system memory reaches the configured red threshold.

B. FortiGate starts dropping all new sessions when the system memory reaches the configured red

The No.1 IT Certification Dumps

47
 Certify For Sure with IT Exam Dumps
threshold.

C. FortiGate enters conserve mode when the system memory reaches the configured extreme threshold.

D. FortiGate exits conserve mode when the system memory goes below the configured green threshold.

Answer: A D

82. Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer

the question below.

Which statement can explain why the state of the remote BGP peer 10.200.3.1 is Connect?

A. The local peer is receiving the BGP keepalives from the remote peer but it has not received any BGP

prefix yet.

B. The TCP session for the BGP connection to 10.200.3.1 is down.

C. The local peer has received the BGP prefixed from the remote peer.

D. The local peer is receiving the BGP keepalives from the remote peer but it has not received the

OpenConfirm yet.

Answer: B

Explanation: http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

83. Two independent FortiGate HA clusters are connected to the same broadcast domain. The

administrator has reported that both clusters are using the same HA virtual MAC address. This creates a

duplicated MAC address problem in the network. What HA setting must be changed in one of the HA

clusters to fix the problem?

A. Group ID.

B. Group name.

C. Session pickup.

The No.1 IT Certification Dumps

48
 Certify For Sure with IT Exam Dumps
D. Gratuitous ARPs.

Answer: A

Explanation:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverVMAC.htm

84. Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

A. Preview pending configuration changes for managed devices.

B. Add devices to FortiManager.

C. Import policy packages from managed devices.

D. Install configuration changes to managed devices.

E. Import interface mappings from managed devices.

Answer: A D

Explanation:

https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device%20Manager/1200

_ins

There are 4 main wizards:Add Device: is used to add devices to central management and import their

configurations.

Install: is used to install configuration changes from Device Manager or Policies & Objects to the managed

devices. It allows you to preview the changes and, if the administrator doesn’t agree with the changes,

cancel and modify them.

Import policy: is used to import interface mapping, policy database, and objects associated with the

managed devices into a policy package under the Policy & Object tab. It runs with the Add Device wizard by

default and may be run at any time from the managed device list.

Re-install policy: is used to perform a quick install of the policy package. It doesn’t give the ability to preview

the changes that will be installed to the managed device.

85. Which statement about IKE and IKE NAT-T is true?

A. IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local

FortiGate is using NAT on the IPsec interface.

B. IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.

The No.1 IT Certification Dumps

49
 Certify For Sure with IT Exam Dumps
C. They both use UDP as their transport protocol and the port number is configurable.

D. They each use their own IP protocol number.

Answer: C

Explanation:

IKE without NAT-T runs over UDP port 500. IKE with NAT-T runs over UDP port 4500. It can be

configurable - https://docs.fortinet.com/document/fortigate/7.0.0/new-features/33578/configurable-ike-port

86. Which the following events can trigger the election of a new primary unit in a HA cluster? (Choose two.)

A. Primary unit stops sending HA heartbeat keepalives.

B. The FortiGuard license for the primary unit is updated.

C. One of the monitored interfaces in the primary unit is disconnected.

D. A secondary unit is removed from the HA cluster.

Answer: A C

87. Refer to the exhibit, which shows a partial routing table.

Assuming all the appropriate firewall policies are configured, what two changes would an administrator

need to make if they wanted to send traffic from a client directly connected to port3, to a server directly

connected to port4? (Choose two.)

A. Configure route leaking between VRF 12 and VRF 21.

B. Disable auto-asic-offload as this is not supported between VRF instances.

C. Configure RIPv2 to exchange route information between the VRF instances.

The No.1 IT Certification Dumps

50
 Certify For Sure with IT Exam Dumps
D. Configure route leaking between port3 and port4.

E. Enable SNAT on the relevant firewall policies to prevent RPF check drops.

Answer: A E

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 148, 159

88. Examine the output of the ‘get router info ospf neighbor’ command shown in the exhibit; then answer

the question below.

Which statements are true regarding the output in the exhibit? (Choose two.) Refer to the exhibit, which

shows the output of a debug command.

Which statement about the output is true?

A. TheOSPF routers with the IDs 0.0.0.69 and 0.0.0.117 are both designated routers for the war. l network.

B. The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.

C. The local FortiGate is the designated router for the wan1 network.

D. The interface ToRemote is a point-to-point OSPF network.

Answer: D

Explanation:

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13685-13.html

89. View the exhibit, which contains a partial routing table, and then answer the question below.

The No.1 IT Certification Dumps

51
 Certify For Sure with IT Exam Dumps

Assuming all the appropriate firewall policies are configured, which of the following pings will FortiGate

route? (Choose two.)

A. Source IP address 10.1.0.24, Destination IP address 10.72.3.20.

B. Source IP address 10.72.3.27, Destination IP address 10.1.0.52.

C. Source IP address 10.72.3.52, Destination IP address 10.1.0.254.

D. Source IP address 10.73.9.10, Destination IP address 10.72.3.15.

Answer: B C

90. View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the

question below.

The No.1 IT Certification Dumps

52
 Certify For Sure with IT Exam Dumps

Why didn’t the tunnel come up?

A. The pre-shared keys do not match.

B. The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.

C. The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.

D. The remote gateway is using aggressive mode and the local gateway is configured to use man mode.

Answer: C

91. Refer to the exhibit, which shows the output of a web filtering diagnose command.

The No.1 IT Certification Dumps

53
 Certify For Sure with IT Exam Dumps

Which configuration change would result in non-zero results in the cache statistics section?

A. set server-type rating under config system central-management

B. set webfilter-cache enable under config system fortiguard

C. set webfilter-force-off disable under config system fortiguard

D. set ngfw-mode policy-based under config system settings

Answer: B

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 362

92. View the following FortiGate configuration.

The No.1 IT Certification Dumps

54
 Certify For Sure with IT Exam Dumps

All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for

Internet traffic from a user on the internal network:

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user’s

session?

A. The session would remain in the session table, and its traffic would still egress from port1.

B. The session would remain in the session table, but its traffic would now egress from both port1 and

port2.

C. The session would remain in the session table, and its traffic would start to egress from port2.

D. The session would be deleted, so the client would need to start a new session.

Answer: A

The No.1 IT Certification Dumps

55
 Certify For Sure with IT Exam Dumps
Explanation:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD40943

93. An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the

administrator notices that some of the switches in the network continue to send traffic to the former primary

device.

What can the administrator do to fix this problem?

A. Configure remote link monitoring to detect an issue in the forwarding path.

B. Configure set send-garp-on-failover enable under config system ha on both cluster members.

C. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected

switch ports.

D. Configure set link-failed-signal enable under config system ha on both cluster members.

Answer: D

Explanation:

Virtual MAC Address and Failover - The new primary broadcasts Gratuitous ARP packets to notify the

network that each virtual MAC is now reachable through a different switch port. - Some high-end switches

might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its

interfaces for one second when the failover happens (excluding heartbeat and reserved management

interfaces): #Config system ha set link-failed-signal enable end - This simulates a link failure that clears the

related entries from MAC table of the switches.

94. Refer to the exhibit, which shows a FortiGate configuration.

The No.1 IT Certification Dumps

56
 Certify For Sure with IT Exam Dumps

An administrator is troubleshooting a web filter issue on FortiGate. The administrator has configured a web

filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that is passing

through the policy.

What must the administrator change to fix the issue?

A. Increase webfilter-timeout.

B. Change protocol to TCP.

C. Enable fortiguard-anycast.

D. Disable webfilter-force-off.

Answer: D

95. Refer to the exhibit, which contains the debug output of diagnose dvm device list.

The No.1 IT Certification Dumps

57
 Certify For Sure with IT Exam Dumps

Which two statements about the output shown in the exhibit are correct? (Choose two.)

A. ADOMs are disabled on the FortiManager

B. The FortiGate configuration is in sync with latest running revision history.

C. There are pending device-level changes yet to be installed on Local-FortiGate.

D. The policy package has been modified for Local-FortiGate.

Answer: B C

96. Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF

multi-access network is true?

A. Only the DR receives link state information from non-DR routers.

B. Non-DR and non-BDR routers form full adjacencies to DR only.

C. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6.

D. FortiGate first checks the OSPF ID to elect a DR.

Answer: C

Explanation:

Some special IP multicast addresses are reserved for OSPF: 224.0.0.5: All OSPF routers must be able to

transmit and listen to this address. 224.0.0.6: All DR and BDR routers must be able to transmit and listen to

this address. https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/7039-1.html

97. View the exhibit, which contains the output of a debug command, and then answer the question below.

The No.1 IT Certification Dumps

58
 Certify For Sure with IT Exam Dumps
Which one of the following statements about this FortiGate is correct?

A. It is currently in system conserve mode because of high CPU usage.

B. It is currently in extreme conserve mode because of high memory usage.

C. It is currently in proxy conserve mode because of high memory usage.

D. It is currently in memory conserve mode because of high memory usage.

Answer: D

98. A FortiGate device has the following LDAP configuration:

The administrator executed the ‘dsquery’ command in the Windows LDAp server 10.0.1.10, and got the

following output:

>dsquery user –samid administrator

“CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab” Based on the output, what FortiGate

LDAP setting is configured incorrectly?

A. cnid.

B. username.

C. password.

D. dn.

Answer: B

Explanation:

https://kb.fortinet.com/kb/viewContent.do?externalId=FD37516

99. Which statement is true regarding File description (FD) conserve mode?

A. IPS inspection is affected when FortiGate enters FD conserve mode.

B. A FortiGate enters FD conserve mode when the amount of available description is less than 5%.

The No.1 IT Certification Dumps

59
 Certify For Sure with IT Exam Dumps
C. FD conserve mode affects all daemons running on the device.

D. Restarting the WAD process is required to leave FD conserve mode.

Answer: B

100. Examine the following traffic log; then answer the question below.

date-20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event

subtype=system pri critical vd=root service=kemel status=failure msg="NAT port is exhausted."

What does the log mean?

A. There is not enough available memory in the system to create a new entry in the NAT port table.

B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been

reached.

C. FortiGate does not have any available NAT port for a new connection.

D. The limit for the maximum number of entries in the NAT port table has been reached.

Answer: B

101. What are two functions of automation stitches? (Choose two.)

A. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.

B. An automation stitch configured to execute actions sequentially can take parameters from previous

actions as input for the current action.

C. Automation stitches can be created to run diagnostic commands and attach the results to an email

message when CPU or memory usage exceeds specified thresholds.

D. An automation stitch configured to execute actions in parallel can be set to insert a specific delay

between actions.

Answer: B C

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 23, 26

102. A FortiGate has two default routes:

The No.1 IT Certification Dumps

60
 Certify For Sure with IT Exam Dumps

All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of

Internet traffic from an internal user:

What would happen with the traffic matching the above session if the priority on the first default route (IDd1)

were changed from 5 to 20?

A. The session would be deleted, and the client would need to start a new session.

B. The session would remain in the session table, and its traffic would start to egress from port2.

C. The session would remain in the session table, but its traffic would now egress from both port1 and

port2.

D. The session would remain in the session table, and its traffic would still egress from port1.

Answer: D

The No.1 IT Certification Dumps

61
 Certify For Sure with IT Exam Dumps
103. Refer to the exhibit, which shows the output of a debug command.

Which two statements about the output are true? (Choose two.)

A. In the network connected to port 4, two OSPF routers are down.

B. Based on the network type of port 4, OSPF hello packets will be sent to 224.0.0.5.

C. Based on the network type of port 4, OSPF hello packets will be sent to 224.0.0.6.

D. There are a total of 5 OSPF routers attached to the Port4 network segment.

Answer: B D

104. When does a RADIUS server send an Access-Challenge packet?

A. The server does not have the user credentials yet.

B. The server requires more information from the user, such as the token code for two-factor authentication.

C. The user credentials are wrong.

D. The user account is not found in the server.

Answer: B

105. Examine the partial output from the IKE real time debug shown in the exhibit; then answer the question

below.

The No.1 IT Certification Dumps

62
 Certify For Sure with IT Exam Dumps

Why didn’t the tunnel come up?

A. IKE mode configuration is not enabled in the remote IPsec gateway.

B. The remote gateway’s Phase-2 configuration does not match the local gateway’s phase-2 configuration.

C. The remote gateway’s Phase-1 configuration does not match the local gateway’s phase-1 configuration.

D. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.

Answer: C

106. An administrator has created a VPN community within VPN Manager on FortiManager. They also

added gateways to the VPN community and are now trying to create firewall policies to permit traffic over

the tunnel; however, the VPN interfaces are not listed as available options.

The No.1 IT Certification Dumps

63
 Certify For Sure with IT Exam Dumps
What step must the administrator take to resolve this issue?

A. Install the VPN community and gateway configuration to the FortiGate devices, in order for the interfaces

to be displayed within Policy & Objects on FortiManager

B. Set up all of the phase 1 settings in the VPN community that they neglected to set up initially. The

interfaces will be automatically generated after the administrator configures all of the required settings.

C. Refresh the device status from the Device Manager so that FortiGate will populate the IPsec interfaces.

D. Create interface mappings for the IPsec VPN interfaces, before they can be used in a policy.

Answer: A

Explanation:

* - Create a VPN Community 2- Install VPN Configuration 3- Add IPsec Firewall Policies 4- Install the

Policies

107. Examine the output of the 'diagnose debug rating' command shown in the exhibit; then answer the

question below.

Which statement are true regarding the output in the exhibit? (Choose two.)

A. There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.

B. The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time

zone.

C. FortiGate will send the FortiGuard queries to the server with highest weight.

D. A server's round trip delay (RTT) is not used to calculate its weight.

Answer: B C

The No.1 IT Certification Dumps

64
 Certify For Sure with IT Exam Dumps

108. Refer to the exhibit, which shows a session entry. Which statement about this session is true?

A. It is an ICMP session from 10.1.10.10 to 10.200.5. 1.

B. It is a TCP session in close_wait state, from 10. l. 10.10 to 10.200.1.1.

C. It is an ICMP session from 10.1.10.10 to 10.200.1.1.

D. It is a TCP session in the established state, from 10.1.10.10 to 10.200.5.1.

Answer: A

Explanation:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/1

969

109. Refer to the exhibit, which shows the output of a BGP debug command.

Which statement explains why the state of the 10.200.3.1 peer is Connect?

A. The local router has a different AS number than the remote peer.

B. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received

the openConfirm yet.

C. The local router initiated the BGP session to 10.200.3.1 but did not receive a response.

The No.1 IT Certification Dumps

65
 Certify For Sure with IT Exam Dumps
D. The router 10.200.3.1 has authentication configured for BGP and the local router does not.

Answer: C

110. A FortiGate's portl is connected to a private network. Its port2 is connected to the Internet. Explicit web

proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT

enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are

true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)

A. Both session have the local flag on.

B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.

C. One session has the proxy flag on, the other one does not.

D. One of the sessions has the IP address of port2 as the source IP address.

Answer: A D

111. Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

A. Neighbor range

B. Route reflector

C. Next-hop-self

D. Neighbor group

Answer: B

Explanation:

Route reflectors help to reduce the number of IBGP sessions inside an AS. A route reflector forwards the

routers learned from one peer to the other peers. If you configure route reflectors, you dont’ need to

create a full mesh IBGP network. All clients in a cluster only talck to route reflector to get sync routing

updates. Route reflectors pass the routing updates to other route reflectors and border routers within the

AS.

112. View the global IPS configuration, and then answer the question below.

The No.1 IT Certification Dumps

66
 Certify For Sure with IT Exam Dumps

Which of the following statements is true regarding this configuration?

A. IPS will scan every byte in every session.

B. FortiGate will spawn IPS engine instances based on the system load.

C. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.

D. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Answer: A

113. An administrator added the following Ipsec VPN to a FortiGate configuration:

configvpn ipsec phasel -interface edit "RemoteSite"

set type dynamic

set interface "portl"

set mode main

set psksecret ENC LCVkCiK2E2PhVUzZe next

end

config vpn ipsec phase2-interface edit "RemoteSite"

set phasel name "RemoteSite" set proposal 3des-sha256

next end

However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while

attempting the Ipsec connection. The output is shown in the exhibit.

The No.1 IT Certification Dumps

67
 Certify For Sure with IT Exam Dumps

What is causing the IPsec problem in the phase 1 ?

A. The incoming IPsec connection is matching the wrong VPN configuration

B. The phrase-1 mode must be changed to aggressive

C. The pre-shared key is wrong

D. NAT-T settings do not match

Answer: C

114. Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

The No.1 IT Certification Dumps

68
 Certify For Sure with IT Exam Dumps

Based on the output, which two statements are correct? (Choose two.)

A. The npu_flag for this tunnel is 03.

B. Different SPI values are a result of auto-negotiation being disabled for phase 2 selectors.

C. Anti-replay is enabled.

D. The npu_flag for this tunnel is 02.

Answer: A C

115. Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

A. route-reflector enable

B. route-reflector-server enable

C. route-reflector-client enable

D. route-reflector-peer enable

Answer: C

Explanation:

The No.1 IT Certification Dumps

69
 Certify For Sure with IT Exam Dumps
https://docs.fortinet.com/document/fortigate/7.0.11/cli-reference/572620/config-router-bgp set

route-reflector-client [enable|disable]

116. Which of the following statements are true regarding the SIP session helper and the SIP application

layer gateway (ALG)? (Choose three.)

A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.

B. SIP ALG supports SIP HA failover; SIP helper does not.

C. SIP ALG supports SIP over IPv6; SIP helper does not.

D. SIP ALG can create expected sessions for media traffic; SIP helper does not.

E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.

Answer: B C D

117. View the exhibit, which contains the output of a debug command, and then answer the question below.

What statement is correct about this FortiGate?

A. It is currently in system conserve mode because of high CPU usage.

B. It is currently in FD conserve mode.

C. It is currently in kernel conserve mode because of high memory usage.

D. It is currently in system conserve mode because of high memory usage.

Answer: D

118. View the exhibit, which contains the output of diagnose sys session stat, and then answer the question

below.

The No.1 IT Certification Dumps

70
 Certify For Sure with IT Exam Dumps

Which statements are correct regarding the output shown? (Choose two.)

A. There are 0 ephemeral sessions.

B. All the sessions in the session table are TCP sessions.

C. No sessions have been deleted because of memory pages exhaustion.

D. There are 166 TCP sessions waiting to complete the three-way handshake.

Answer: A C

Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD40578

119. Examine the output of the ‘get router info ospf interface’ command shown in the exhibit; then answer

the question below.

The No.1 IT Certification Dumps

71
 Certify For Sure with IT Exam Dumps

Which statements are true regarding the above output? (Choose two.)

A. The port4 interface is connected to the OSPF backbone area.

B. The local FortiGate has been elected as the OSPF backup designated router.

C. There are at least 5 OSPF routers connected to the port4 network.

D. Two OSPF routers are down in the port4 network.

Answer: A C

Explanation:

on BROADCAST network there are 4 neighbors, among which 1*DR +1*BDR. So our FG has 4 neighbors,

but create adjacency only with 2 (with DR and BDR). 2 neighbors DRother (not down).

120. Refer to the exhibit, which contains the output of diagnose sys session list.

If the HA ID for the primary unit is zero (0), which statement about the output is true?

A. This session cannot be synced with the slave unit.

B. The inspection of this session has been offloaded to the slave unit.

The No.1 IT Certification Dumps

72
 Certify For Sure with IT Exam Dumps
C. The master unit is processing this traffic.

D. This session is for HA heartbeat traffic.

Answer: C

121. View the exhibit, which contains the output of a diagnose command, and then answer the question

below.

Which statements are true regarding the output in the exhibit? (Choose two.)

A. FortiGate will probe 121.111.236.179 every fifteen minutes for a response.

B. Servers with the D flag are considered to be down.

C. Servers with a negative TZ value are experiencing a service outage.

D. FortiGate used 209.222.147.3 as the initial server to validate its contract.

Answer: A D

Explanation:

* A – because flag is Failed so fortigate will check if server is available every 15 minD-state is I , contact to

validate contract info

122. What is the diagnose test application ipsmenitor 5 command used for?

A. To enable IPS bypass mode

B. To disable the IPS engine

C. To restart all IPS engines and monitors

The No.1 IT Certification Dumps

73
 Certify For Sure with IT Exam Dumps
D. To provide information regarding IPS sessions

Answer: A

Explanation:

# diagnose test application ipsmonitor 5: Toggle bypass status

* 13: IPS session list

* 98: Stop all IPS engines

* 99: Restart all IPS engines and monitor

123. Which statement about protocol options is true?

A. Protocol options allows administrators a streamlined method to instruct FortiGate to block all sessions

corresponding to disabled protocols.

B. Protocol options allows administrators the ability to configure the Any setting for all enabled protocols

which provides the most efficient use of system resources.

C. Protocol options allow administrators to configure a maximum number of sessions for each configured

protocol.

D. Protocol options allows administrators to configure which Layer 4 port numbers map to upper-layer

protocols, such as HTTP, SMTP, FTP, and so on.

Answer: D

124. An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output

shown in the exhibit when the user attempted the authentication; then answer the question below.

Based on the output in the exhibit, what can cause this authentication problem?

The No.1 IT Certification Dumps

74
 Certify For Sure with IT Exam Dumps
A. User student is not found in the LDAP server.

B. User student is using a wrong password.

C. The FortiGate has been configured with the wrong password for the LDAP administrator.

D. The FortiGate has been configured with the wrong authentication schema.

Answer: A

125. Examine the partial output from two web filter debug commands; then answer the question below:

Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?

A. Finance and banking

B. General organization.

C. Business.

D. Information technology.

Answer: C

126. Which two statements about OCVPN are true? (Choose two.)

A. Only root vdom supports OCVPN.

B. OCVPN supports static and dynamic IPs in WAN interface.

C. OCVPN offers only Hub-Spoke VPNs.

D. FortiGate devices under different FortiCare accounts can be used to form OCVPN.

Answer: A B

127. View the exhibit, which contains a session entry, and then answer the question below.

The No.1 IT Certification Dumps

75
 Certify For Sure with IT Exam Dumps

Which statement is correct regarding this session?

A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.

B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.

C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.

D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Answer: B

128. Refer to the exhibit, which contains partial output from an IKE real-time debug.

The No.1 IT Certification Dumps

76
 Certify For Sure with IT Exam Dumps

Why did the tunnel not come up?

A. The local gateway has configured less secure encryption and hashing algorithms compared to the

remote gateway.

B. The Diffie-Hellman group does not match on the local and remote gateways.

C. The proposal ID does not match between local and remote gateways.

D. The encapsulation method for phase 2 is set to none on local and remote gateways.

Answer: A

Explanation:

local gateway: encryption AES-128, hash SHA remote gateway: encryption AES-256, hash SHA-256 So

local gateway has less secure settings

129. Examine the output of the ‘diagnose ips anomaly list’ command shown in the exhibit; then answer the

question below.

The No.1 IT Certification Dumps

77
 Certify For Sure with IT Exam Dumps

Which IP addresses are included in the output of this command?

A. Those whose traffic matches a DoS policy.

B. Those whose traffic matches an IPS sensor.

C. Those whose traffic exceeded a threshold of a matching DoS policy.

D. Those whose traffic was detected as an anomaly by an IPS sensor.

Answer: A

130. Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator configured the CLI script on FortiManager, but the script failed to apply any changes to the

The No.1 IT Certification Dumps

78
 Certify For Sure with IT Exam Dumps
managed device after being executed.

What are two reasons why the script did not make any changes to the managed device? (Choose two.)

A. Static routes can be added using only TCL scripts.

B. The commands that start with the # sign did not run.

C. CLI scripts must start with #!.

D. Incomplete commands can cause CLI scripts to fail.

Answer: B D

Explanation:

ref CLI scripts do not include Tool Command Language (Tcl) commands, and the first line of the script is not

“#!” as it is for Tcl scripts.

https://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1000_Device%20Manager/2400

_Sc

131. View the IPS exit log, and then answer the question below.

# diagnose test application ipsmonitor 3 ipsengine exit log”

pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017 code = 11, reason: manual

What is the status of IPS on this FortiGate?

A. IPS engine memory consumption has exceeded the model-specific predefined value.

B. IPS daemon experienced a crash.

C. There are communication problems between the IPS engine and the management database.

D. All IPS-related features have been disabled in FortiGate’s configuration.

Answer: D

Explanation:

The command diagnose test application ipsmonitor includes many options that are useful for

troubleshooting purposes.Option 3 displays the log entries generated every time an IPS engine process

stopped. There are various reasons why these logs are generated:Manual: Because of the configuration,

IPS no longer needs to run (that is, all IPS-releated features have been disabled)

132. View the exhibit, which contains the output of a diagnose command, and then answer the question

below.

The No.1 IT Certification Dumps

79
 Certify For Sure with IT Exam Dumps

What statements are correct regarding the output? (Choose two.)

A. This is an expected session created by a session helper.

B. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop

IP address 10.0.1.10.

C. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop

IP address 10.200.1.1.

D. This is an expected session created by an application control profile.

Answer: A C

133. Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

The No.1 IT Certification Dumps

80
 Certify For Sure with IT Exam Dumps

Based on the output, which two statements are correct? (Choose two.)

A. Phase 2 authentication is set to sha1 on both sides.

B. Anti-replay is disabled.

C. Hub2Spoke1 is a policy-based VPN.

D. Hub2Spoke1 is configured on interface wan2.

Answer: A D

134. View the exhibit, which contains a partial web filter profile configuration, and then answer the question

below.

The No.1 IT Certification Dumps

81
 Certify For Sure with IT Exam Dumps

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as

File Sharing and Storage?

A. FortiGate will exempt the connection based on the Web Content Filter configuration.

B. FortiGate will block the connection based on the URL Filter configuration.

C. FortiGate will allow the connection based on the FortiGuard category based filter configuration.

D. FortiGate will block the connection as an invalid URL.

Answer: B

Explanation:

fortigate does it in order Static URL -> FortiGuard – > Content -> Advanced (java, cookie removal..)so block

it in first step

135. Refer to the exhibit, which contains partial output from an IKE real-time debug.

The No.1 IT Certification Dumps

82
 Certify For Sure with IT Exam Dumps

Based on the debug output, which phase 1 setting is enabled in the configuration of this VPN?

A. auto-discovery-shortcut

B. auto-discovery-forwarder

C. auto-discovery-sender

D. auto-discovery-receiver

Answer: D

136. An administrator wants to capture encrypted phase 2 traffic between two FortiGate devices using the

built-in sniffer.

If the administrator knows that there is no NAT device located between both FortiGate devices, which

command should the administrator run?

A. diagnose sniffer packet any ‘ah’

B. diagnose sniffer packet any ‘ip proto 50’

C. diagnose sniffer packet any ‘udp port 4500’

D. diagnose sniffer packet any ‘udp port 500’

Answer: B

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p. 443 Phase 2 : ESP => IP protocol 50

This command will capture any packets that use the IP protocol number 50, which is ESP (Encapsulating

Security Payload). ESP is used to encrypt and authenticate the phase 2 traffic between two FortiGate

device1s.

The No.1 IT Certification Dumps

83
 Certify For Sure with IT Exam Dumps
137. Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

A. Anti-replay is enabled

B. The remote gateway IP is 10.200.4.1.

C. DPD is disabled.

D. Quick mode selectors are disabled.

Answer: A B

138. Which two statements about the Security Fabric are true? (Choose two.)

A. Only the root FortiGate collects network information and forwards it to FortiAnalyzer.

B. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

C. All FortiGate devices in the Security Fabric must have bidirectional FortiTelemetry connectivity.

D. Branch FortiGate devices must be configured first.

Answer: B C

139. Refer to the exhibit, which shows a partial web filter profile configuration.

The No.1 IT Certification Dumps

84
 Certify For Sure with IT Exam Dumps

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as

File Sharing and Storage?

A. FortiGate will block the connection, based on the FortiGuard category based filter configuration.

B. FortiGate will block the connection as an invalid URL.

C. FortiGate will exempt the connection, based on the Web Content Filter configuration.

D. FortiGate will allow the connection, based on the URL Filter configuration.

Answer: A

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 351 url filter -> FortiGuard Web Filter -> Web Content

Filter -> Advanced Filter Options Allow -> Block

140. Refer to the exhibit, which contains partial output from an IKE real-time debug.

The No.1 IT Certification Dumps

85
 Certify For Sure with IT Exam Dumps

Which two statements about this debug output are correct? (Choose two.)

A. The remote gateway IP address is 10.0.0.1.

B. The initiator provided remote as its IPsec peer ID.

C. It shows a phase 1 negotiation.

D. The negotiation is using AES128 encryption with CBC hash.

Answer: B C

141. Refer to the exhibit, which contains a screenshot of some phase 1 settings.

The No.1 IT Certification Dumps

86
 Certify For Sure with IT Exam Dumps

The VPN is not up. To diagnose the issue, the administrator enters the following CLI commands to an SSH

session on FortiGate: diagnose vpn ike log-filter dst-addr4 10.0.10.1 diagnose debug application ike -1

However, the IKE real-time debug does not show any output. Why?

A. The administrator must also run the command diagnose debug enable.

B. The administrator must enable the following real-time debug: diagnose debug application ipsec -1.

C. The log-filter setting is incorrect. The VPN traffic does not match this filter.

D. The debug shows only error messages. If there is no output, then the phase 1 and phase 2

configurations match.

Answer: A

Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-Diagnostics-Possible-reasons/ta-p/1

920

142. View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the

question below.

The No.1 IT Certification Dumps

87
 Certify For Sure with IT Exam Dumps

Which statements about this debug output are correct? (Choose two.)

A. The remote gateway IP address is 10.0.0.1.

B. It shows a phase 1 negotiation.

C. The negotiation is using AES128 encryption with CBC hash.

D. The initiator has provided remote as its IPsec peer ID.

Answer: B D

143. Refer to the exhibit, which shows partial outputs from two routing debug commands.

Which change must an administrator make on FortiGate to route web traffic from internal users to the

The No.1 IT Certification Dumps

88
 Certify For Sure with IT Exam Dumps
internet, using ECMP?

A. Set the priority of the static default route using port1 to 10. Most Voted

B. Set the priority of the static default route using port2 to 1.

C. Set preserve-session-route to enable.

D. Set snat-route-change to enable.

Answer: A

Explanation:

ECMP pre-requisite is "routes must have the same destination and costs. In the case of static routes, costs

include distance and priority". In this case traffic is routed through port 1 because of the lower priority. If we

raise priority on port 1 to the value of 10 the traffic should be routed through both ports 1 and 2.

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/25967/equal-cost-multi-path

144. How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a

local FDS?

A. FortiManager can download and maintain local copies of FortiGuard databases.

B. FortiManager supports only FortiGuard push to managed devices.

C. FortiManager will respond to update requests only if they originate from a managed device.

D. FortiManager does not support rating requests.

Answer: A

145. Four FortiGate devices configured for OSPF connected to the same broadcast domain. The first unit is

elected as the designated router The second unit is elected as the backup designated router Under normal

operation, how many OSPF full adjacencies are formed to each of the other two units?

A. 1

B. 2

C. 3

D. 4

Answer: B

146. Refer to the exhibit, which contains a TCL script configuration on FortiManager.

The No.1 IT Certification Dumps

89
 Certify For Sure with IT Exam Dumps
An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any

changes to the managed device after being run.

Why did the TCL script fail to make any changes to the managed device?

A. The TCL command run_cmd has not been created.

B. The TCL script must start with tinclude <>.

C. Incomplete commands are ignored in TCL scripts.

D. Changes to an interface configuration can be made only by a CLI script.

Answer: A

Explanation:

https://docs.fortinet.com/document/fortimanager/7.2.2/administration-guide/914165/tcl-scripts

147. The CLI command set intelligent-mode <enable | disable> controls the IPS engine’s adaptive scanning

behavior. Which of the following statements describes IPS adaptive scanning?

A. Determines the optimal number of IPS engines required based on system load.

B. Downloads signatures on demand from FDS based on scanning requirements.

C. Determines when it is secure enough to stop scanning session traffic.

D. Choose a matching algorithm based on available memory and the type of inspection being performed.

Answer: C

Explanation:

Configuring IPS intelligenceStarting with FortiOS 5.2, intelligent-mode is a new adaptive detection method.

This command is enabled the default and it means that the IPS engine will perform adaptive

The No.1 IT Certification Dumps

90
 Certify For Sure with IT Exam Dumps
scanning so that, for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU or

kernel. It is a balanced method which could cover all known exploits. When disabled, the IPS engine scans

every single byte.

config ips globalset intelligent-mode {enable|disable}end

148. Which ADVPN configuration must be configured using a script on FortiManager, when using VPN

Manager to manage FortiGate VPN tunnels?

A. Set protected network to all

B. Enable AD-VPN in IPsec phase 1

C. Configure IP addresses on IPsec virtual interfaces

D. Disable add-route on hub

Answer: B

149. A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could

an administrator use to get more information about the problem? (Choose two.)

A. Firewall monitor.

B. Policy monitor.

C. Logs.

D. Crashlogs.

Answer: C D

150. An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage.

However, after the changes, one network application started to have problems. During the troubleshooting,

the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets,

and before the arrival of the SYN/ACKs. When the SYN/ACK packets arrive to the FortiGate, the unit has

already deleted the respective sessions. Which TCP session timer must be increased to fix this problem?

A. TCP half open.

B. TCP half close.

C. TCP time wait.

D. TCP session time to live.

The No.1 IT Certification Dumps

91
 Certify For Sure with IT Exam Dumps
Answer: A

Explanation:

http://docs-legacy.fortinet.com/fos40hlp/43prev/wwhelp/wwhimpl/common/html/wwhe

lp.htm?context=fgt&file=CLI_get_Commands.58.25.html

The tcp-halfopen-timer controls for how long, after a SYN packet, a session without SYN/ACKremains in

the table.

The tcp-halfclose-timer controls for how long, after a FIN packet, a session without FIN/ACKremains in the

table.

The tcp-timewait-timer controls for how long, after a FIN/ACK packet, a session remains in thetable. A

closed session remains in the session table for a few seconds more to allow any out-of-sequence packet.

151. Refer to the exhibit, which contains partial output from an IKE real-time debug.

Which two statements about this debug output are correct? (Choose two.)

A. The initiator provided remote as its IPsec peer ID.

B. It shows a phase 2 negotiation.

C. Perfect Forward Secrecy (PFS) is enabled in the configuration.

D. The local gateway IP address is 10.0.0.1.

Answer: A D

The No.1 IT Certification Dumps

92
 Certify For Sure with IT Exam Dumps
Explanation:

A because : received peer identifier FQDN 'remote' D because : ike 0: comes 10.0.0.2:500 -> 10.0.0.1:500

152. Refer to the exhibit, which shows the output of diagnose sys session list.

If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the

primary?

A. Traffic for this session continues to be permitted on the new primary device after failover, without

requiring the client to restart the session with the server.

B. The secondary device has this session synchronized; however, because application control is applied,

the session will be marked dirty and have to be re-evaluated after failover.

C. The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being

applied.

D. The session will be removed from the session table of the secondary device due to the presence of

allowed error packets, which will force the client to restart the session with the server.

Answer: A

Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-see-if-a-session-is-synced-in-HA/ta-p/1

941

153. Refer to the exhibit, which contains the output of a BGP debug command.

The No.1 IT Certification Dumps

93
 Certify For Sure with IT Exam Dumps

Which statement about the exhibit is true?

A. The local router has received a total of three BGP prefixes from all peers.

B. The local router has not established a TCP session with 100.64.3.1.

C. Since the counters were last reset, the 10.200.3.1 peer has never been down.

D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.

Answer: B

154. Refer to the exhibit, which shows a central management configuration.

Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?

A. Public FortiGuard servers

B. 10.0.1.243

The No.1 IT Certification Dumps

94
 Certify For Sure with IT Exam Dumps
C. 10.0.1.242

D. 10.0.1.244

Answer: D

Explanation:

by default,( include-default-servers ) enabled .this allows fortigate to communicate with the public fortiguard

servers , if the fortimanger devices (configured in server-list) are unavailable .

155. Refer to the exhibit, which shows a session table entry.

Which statement about FortiGate behavior relating to this session is true?

A. FortiGate redirected the client to the captive portal to authenticate, so that a correct policy match could

be made.

B. FortiGate forwarded this session without any inspection.

C. FortiGate is performing security profile inspection using the CPU.

D. FortiGate applied only IPS inspection to this session.

Answer: C

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 91, 92 First digit of "proto_state" value at 1 and

considering all counters are at 0 for HW acceleration means CPU usage

156. Which two configuration settings change the behavior for content-inspected traffic while FortiGate is in

conserve mode? (Choose two.)

The No.1 IT Certification Dumps

95
 Certify For Sure with IT Exam Dumps
A. IPS failopen

B. mem failopen

C. AV failopen

D. UTM failopen

Answer: A C

157. An administrator has configured the following CLI script on FortiManager, which failed to apply any

changes to the managed device after being executed.

Why didn’t the script make any changes to the managed device?

A. Commands that start with the # sign are not executed.

B. CLI scripts will add objects only if they are referenced by policies.

C. Incomplete commands are ignored in CLI scripts.

D. Static routes can only be added using TCL scripts.

Answer: A

Explanation:

https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device%20Manager/2400

_Sc

A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line

starts with the number sign (#). A comment line will not be executed.

158. Examine the IPsec configuration shown in the exhibit; then answer the question below.

The No.1 IT Certification Dumps

96
 Certify For Sure with IT Exam Dumps

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:

diagnose vpn ike log-filter src-addr4 10.0.10.1

diagnose debug application ike -1 diagnose debug enable

The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged

between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn’t

there any output?

A. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once

the tunnel is up.

B. The log-filter setting is set incorrectly. The VPN’s traffic does not match this filter.

C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator

must use the IPsec real time debug instead: diagnose debug application ipsec -1.

D. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that

the tunnel is operating normally.

Answer: B

The No.1 IT Certification Dumps

97
 Certify For Sure with IT Exam Dumps
159. Which two statements about bulk configuration changes made using FortiManager CLI scripts are

correct? (Choose two.)

A. When run on the Device Database, you must use the installation wizard to apply the changes to the

managed FortiGate device.

B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes

prior to installation.

C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a

new revision history.

D. When run on the Policy Package, ADOM database, changes are applied directly to the managed

FortiGate device.

Answer: A B

160. Examine the following partial outputs from two routing debug commands; then answer the question

below.

# get router info kernel

tab=254 vf=0 scope=0type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.200.1.254

dev=2(port1)

tab=254 vf=0 scope=0type=1 proto=11 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.200.2.254

dev=3(port2)

tab=254 vf=0 scope=253type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/.->10.0.1.0/24 pref=10.0.1.254

gwy=0.0.0.0 dev=4(port3)

# get router info routing-table all s*0.0.0.0/0 [10/0] via 10.200.1.254, portl [10/0] via 10.200.2.254, port2,

[10/0] dO.0.1.0/24 is directly connected, port3 dO.200.1.0/24 is directly connected, portl d0.200.2.0/24 is

directly connected, port2

Which outbound interface or interfaces will be used by this FortiGate to route web traffic from internal users

to the Internet?

A. port!

B. port2.

C. Both portl and port2.

D. port3.

The No.1 IT Certification Dumps

98
 Certify For Sure with IT Exam Dumps
Answer: B

161. View the exhibit, which contains the output of a BGP debug command, and then answer the question

below.

Which of the following statements about the exhibit are true? (Choose two.)

A. The local router's BGP state is Established with the 10.125.0.60 peer.

B. Since the counters were last reset; the 10.200.3.1 peer has never been down.

C. The local router has received a total of three BGP prefixes from all peers.

D. The local router has not established a TCP session with 100.64.3.1.

Answer: A D

162. Examine the output from the BGP real time debug shown in the exhibit, then the answer the question

below:

Which statements are true regarding the output in the exhibit? (Choose two.)

The No.1 IT Certification Dumps

99
 Certify For Sure with IT Exam Dumps
A. BGP peers have successfully interchanged Open and Keepalive messages.

B. Local BGP peer received a prefix for a default route.

C. The state of the remote BGP peer is OpenConfirm.

D. The state of the remote BGP peer will go to Connect after it confirms the received prefixes.

Answer: A B

163. Which two conditions must be met for a statistic route to be active in the routing table? (Choose two.)

A. The link health monitor (if configured) is up.

B. There is no other route, to the same destination, with a higher distance.

C. The outgoing interface is up.

D. The next-hop IP address is up.

Answer: A C

The No.1 IT Certification Dumps

100