FCP_FGT_AD-7.4 Exam Questions

Total 89 Questions

Last Updated Exam : 28-Mar-2025

Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?


A. Full content inspection


B. Proxy-based inspection


C. Certificate inspection


D. Flow-based inspection





D.
  Flow-based inspection

Explanation:
Application control on FortiGate is always flow-based. Even when a firewall policy in NGFW profile-based mode is set to proxy inspection and its other profiles (web filter, antivirus) run through the proxy, the application control profile still scans the traffic in flow mode. Flow-based inspection examines packets as they pass, without buffering the whole object, which gives lower latency and higher throughput than proxy inspection at the cost of some detection depth.

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)


A. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.


B. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.


C. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.


D. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.





A.
  If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.

D.
  If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.

Explanation:

With SD-WAN disabled, the ECMP algorithm is set in config system settings with set v4-ecmp-mode (source-ip-based, weight-based, usage-based or source-dest-ip-based). With SD-WAN enabled, that setting no longer applies and the algorithm is set in config system sdwan with set load-balance-mode. Option B is wrong because volume-based is not a valid value for v4-ecmp-mode (the spillover algorithm is called usage-based, and a measured-volume-based mode exists only under SD-WAN). Option C is wrong because, with or without SD-WAN, candidate routes must have the same distance and the same priority to be part of the ECMP set.
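The two configuration locations side by side, as an added example that is not part of the exam page. Interface names and gateway addresses are placeholders; the third static route is deliberately given a different priority to show a route that is excluded from the ECMP set. Lines starting with # are annotations.

```fortios
# Added example (not from the exam page): where the ECMP algorithm is set.

# SD-WAN disabled: the algorithm is a per-VDOM system setting.
config system settings
    set v4-ecmp-mode usage-based      # source-ip-based (default) | weight-based | usage-based | source-dest-ip-based
end

# Routes 1 and 2 are ECMP candidates (same distance, same priority).
# Route 3 has the same distance but a worse priority, so it is not part of the set.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 1
    next
    edit 3
        set gateway 192.0.2.1
        set device "wan3"
        set distance 10
        set priority 5                # higher value = less preferred; excluded from ECMP
    next
end

# SD-WAN enabled: v4-ecmp-mode is ignored and load-balance-mode applies instead.
config system sdwan
    set status enable
    set load-balance-mode usage-based # also: source-ip-based | weight-based | source-dest-ip-based | measured-volume-based
end
```

A quick way to confirm which routes are actually in the ECMP set is get router info routing-table all: only routes with identical distance and priority appear as multiple next hops for the same prefix.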

Which statement is a characteristic of automation stitches?


A. They can be run only on devices in the Security Fabric.


B. They can be created only on downstream devices in the fabric.


C. They can have one or more triggers.


D. They can run multiple actions at the same time.





D.
  They can run multiple actions at the same time.

Explanation:
An automation stitch has exactly one trigger and one or more actions, so option C is wrong. The actions can be executed sequentially, with an optional delay between them, or in parallel, so several actions can run at the same time. Stitches are configured on the root FortiGate and can be applied to downstream Security Fabric members, but a standalone FortiGate that is not in a Security Fabric can use them as well, and they are not limited to downstream devices.
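A complete stitch with one trigger and two actions, as an added example that is not part of the exam page. The object names, the e-mail address and the TFTP server are placeholders. The CLI form below runs the actions in sequence with a delay before the second one; the parallel execution option is selected in the GUI (Action execution: Parallel) and is not shown here. Lines starting with # are annotations.

```fortios
# Added example (not from the exam page): config-change trigger -> e-mail, then a CLI script.

config system automation-trigger
    edit "cfg-changed"
        set event-type config-change          # fires on any configuration change
    next
end

config system automation-action
    edit "mail-admin"
        set action-type email
        set email-to "secops@example.com"     # placeholder
        set email-subject "FortiGate configuration changed"
    next
    edit "backup-config"
        set action-type cli-script
        set script "execute backup config tftp fgt.conf 192.0.2.10"   # placeholder TFTP server
        set accprofile "super_admin"          # the script runs with this admin profile
    next
end

config system automation-stitch
    edit "on-config-change"
        set status enable
        set trigger "cfg-changed"             # exactly one trigger per stitch
        config actions
            edit 1
                set action "mail-admin"
            next
            edit 2
                set action "backup-config"
                set delay 30                  # seconds to wait after the previous action
            next
        end
    next
end
```

The cli-script action is the one to watch from a least-privilege point of view: it executes with the rights of the profile named in accprofile, so a stitch that anyone with config write access can edit is effectively a super_admin escalation path. Restrict who can change automation objects, or give the script a narrower profile.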

A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad. Which IPsec Wizard template must the administrator apply?


A. Remote Access


B. Site to Site


C. Dial up User


D. Hub-and-Spoke





A.
  Remote Access

Explanation:
The IPsec Wizard in FortiOS 7.4 offers the Site to Site, Hub-and-Spoke, Remote Access and Custom templates. Remote Access is the one for an individual user connecting from arbitrary locations with FortiClient or a compatible IKE client: it creates a dial-up phase 1 that accepts connections from any source IP address and authenticates the user rather than a peer gateway. Site to Site and Hub-and-Spoke connect fixed gateways and the networks behind them, not a roaming user, and "Dial up User" is not one of the wizard templates.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)


A. The host field in the HTTP header.


B. The server name indication (SNI) extension in the client hello message.


C. The subject alternative name (SAN) field in the server certificate.


D. The subject field in the server certificate.


E. The serial number in the server certificate.





B.
  The server name indication (SNI) extension in the client hello message.

C.
  The subject alternative name (SAN) field in the server certificate.

D.
  The subject field in the server certificate.

Explanation:
With SSL certificate inspection, FortiGate does not decrypt the session; it reads only the handshake and the server certificate, and it identifies the server hostname from three sources, in this order:

Server Name Indication (SNI) extension in the client hello message (B): the hostname the client says it wants, sent in clear text in the first handshake message. This is the first thing FortiGate checks. Because the SNI is supplied by the client, it can be forged to evade a web filter; the SSL/SSH inspection profile can be set to verify that the SNI matches the server certificate (sni-server-cert-check) and to drop the session when it does not.

Subject Alternative Name (SAN) field in the server certificate (C): the list of DNS names (and possibly IP addresses) the certificate is valid for. FortiGate uses it when no SNI is present, and it is what the SNI check is compared against.

Subject field in the server certificate (D): the Common Name (CN) in the certificate subject, used when neither the SNI nor the SAN yields a hostname.

The other options are not used for hostname identification: the Host field in the HTTP header (A) is inside the encrypted application data, so it is visible only with full (deep) SSL inspection, not certificate inspection. The serial number in the server certificate (E) identifies the certificate to its issuer for management and revocation and says nothing about the hostname.

What are two features of the NGFW profile-based mode? (Choose two.)


A. NGFW profile-based mode can only be applied globally and not on individual VDOMs.


B. NGFW profile-based mode must require the use of central source NAT policy


C. NGFW profile-based mode policies support both flow inspection and proxy inspection.


D. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.





C.
  NGFW profile-based mode policies support both flow inspection and proxy inspection.

D.
  NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.

Explanation:

In NGFW profile-based mode (the default), security profiles such as application control and web filtering are attached directly to a firewall policy, and each policy chooses its own inspection mode, flow or proxy, so one VDOM can mix both. Option A is wrong because the NGFW mode is a per-VDOM setting (set ngfw-mode in config system settings), and option B is wrong because central SNAT is mandatory only in policy-based mode.
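Two profile-based policies that differ only in inspection mode, as an added example that is not part of the exam page; it also illustrates the earlier question on application profiles, since the proxy policy still runs application control in flow mode. Interface, address and profile names are placeholders (the "default", "certificate-inspection" and "deep-inspection" profiles exist on a factory FortiGate). Lines starting with # are annotations.

```fortios
# Added example (not from the exam page): profile-based NGFW mode, flow and proxy policies.

config system settings
    set ngfw-mode profile-based          # default; policy-based would require central SNAT
end

config firewall policy
    edit 10
        set name "lan-out-flow"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow         # all profiles run flow-based
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set webfilter-profile "default"
        set nat enable
    next
    edit 11
        set name "lan-out-proxy"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy        # web filter runs proxy-based; application control still runs flow-based
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
        set webfilter-profile "default"
        set nat enable
    next
end
```

Policy 11 is the one that costs CPU and memory: proxy inspection buffers objects, and deep-inspection re-signs every TLS session it sees. Keep the proxy policy as narrow as possible (specific sources, destinations and services) and leave the broad catch-all on flow.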

Which method allows management access to the FortiGate CLI without network connectivity?


A. SSH console


B. CLI console widget


C. Serial console


D. Telnet console





C.
  Serial console

Explanation:

The serial console gives access to the FortiGate CLI with no network connectivity at all: a computer is connected directly to the device's console port with a serial cable (DB-9 to RJ-45, or USB to RJ-45 on newer models) and a terminal emulator is set to the default console parameters of 9600 baud, 8 data bits, no parity and 1 stop bit. It is the fallback when SSH and Telnet are unavailable, for example after a management interface misconfiguration or during initial setup. The CLI console widget in the GUI (B) does not qualify because it is reached over HTTPS and therefore needs network access to the management interface.

Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)


A. Checksums of devices are compared against each other to ensure configurations are the same.


B. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device.


C. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster.


D. Checksums of devices will be different from each other because some configuration items are not synced to other HA members.





A.
  Checksums of devices are compared against each other to ensure configurations are the same.

B.
  Incremental configuration synchronization can occur only from changes made on the primary FortiGate device.

Explanation:

In a FortiGate HA cluster the primary computes a checksum of the configuration and compares it with the checksum each secondary reports; if they differ, the cluster is out of sync and the primary pushes its configuration to the member. Incremental synchronization is triggered only by changes made on the primary, which is why the cluster should always be managed through the primary. Items that are intentionally not synchronized (hostname, HA priority, override setting and similar) are excluded from the checksum, so matching checksums are expected even though those settings differ between members, which is why option D is wrong.
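The commands an administrator uses to verify and repair configuration synchronization, as an added example that is not part of the exam page. The cluster index and admin username in the last command are placeholders. Lines starting with # are annotations.

```fortios
# Added example (not from the exam page): checking HA configuration sync.

# On the primary: list the checksums reported by every cluster member.
# The cluster is in sync when each member's "all" checksum is identical.
diagnose sys ha checksum cluster

# On any member: show only this unit's own checksums (global, per-VDOM, all).
diagnose sys ha checksum show

# If a secondary's checksum differs and does not converge, force a full
# resync from the primary (run on the out-of-sync secondary).
execute ha synchronize stop
execute ha synchronize start

# Make configuration changes on the primary only. From a secondary's CLI,
# open a session to another member by its index from "get system ha status".
execute ha manage 0 admin               # placeholder index and admin name
```

A checksum mismatch that persists after a resync usually means a member is running a different firmware build or has an object that cannot be synchronized; compare get system status on both units before chasing the configuration itself.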

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors. What is the reason for the certificate warning errors?


A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.


B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.


C. The browser does not recognize the certificate in use as signed by a trusted CA.


D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.





C.
  The browser does not recognize the certificate in use as signed by a trusted CA.

Explanation:
The warnings appear because, with full SSL inspection, FortiGate terminates each TLS session and re-signs the server certificate with the CA configured in the profile. Browsers validate the chain of the certificate they receive, and a private CA that is not in the operating system or browser trusted root store is, to the browser, simply an unknown issuer. The fix is to distribute the FortiGate's SSL inspection CA certificate (the private CA here, or the built-in Fortinet_CA_SSL if that is used) to clients as a trusted root, typically by group policy or MDM; until that is done every HTTPS site will trigger the warning. Options A and B describe settings that do not cause this symptom, and option D is wrong because the warnings disappear once the CA is trusted.
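The two profile types discussed in this question and in the earlier hostname-identification question, as an added example that is not part of the exam page: a certificate-inspection profile that enforces the SNI check, and a deep-inspection profile that re-signs with a private CA. "my-private-ca" and "my-private-ca-untrusted" are placeholders for CA certificates already imported on the FortiGate under System > Certificates, and the placement of sni-server-cert-check under config https is as exposed in the 7.x CLI. Lines starting with # are annotations.

```fortios
# Added example (not from the exam page): certificate inspection with SNI check,
# and deep inspection with a private CA.

config firewall ssl-ssh-profile
    edit "cert-inspect-strict"
        set comment "hostname from SNI, then SAN, then Subject CN; SNI must match the certificate"
        config https
            set ports 443
            set status certificate-inspection
            set sni-server-cert-check strict   # enable = fall back to SAN/CN on mismatch; strict = block
        end
    next
    edit "deep-inspect-private-ca"
        set comment "re-signs server certs; clients must trust my-private-ca"
        set server-cert-mode re-sign
        set caname "my-private-ca"             # replaces Fortinet_CA_SSL; placeholder name
        set untrusted-caname "my-private-ca-untrusted"   # used when the real server cert is untrusted
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl
            set inspect-all deep-inspection
        end
    next
end
```

Keep the two CA certificates distinct and distribute only my-private-ca to clients: the untrusted CA is what FortiGate signs with when the origin server's certificate fails validation, so a browser that trusts it too would silently accept sites the FortiGate itself could not verify.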

An administrator manages a FortiGate model that supports NTurbo. How does NTurbo enhance performance for flow-based inspection?


A. NTurbo offloads traffic to the content processor.


B. NTurbo creates two inspection sessions on the FortiGate device.


C. NTurbo buffers the whole file and then sends it to the antivirus engine.


D. NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces.





D.
  NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces.

Explanation:
NTurbo is a network processor (NP) feature for flow-based inspection. The NP cannot run the IPS engine itself, so NTurbo sets up a special data path that carries packets from the ingress interface straight to the IPS engine and from the IPS engine to the egress interface, so that the CPU does not have to forward them through the normal kernel path. Offloading pattern matching to a content processor (CP8/CP9) is a separate acceleration and not what NTurbo does, so option A is wrong; flow-based inspection never buffers the whole file (C), and NTurbo does not create a second inspection session (B).