FCP_FGT_AD-7.4 Exam Questions

Total 89 Questions

Last Updated Exam: 28-Mar-2025

FortiGate is integrated with FortiAnalyzer and FortiManager. When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

A. Log ID
B. Policy ID
C. Sequence ID
D. Universally Unique Identifier

Answer: D. Universally Unique Identifier

Explanation:
When a firewall policy is created in FortiGate integrated with FortiAnalyzer and FortiManager, a Universally Unique Identifier (UUID) is added to the policy to support logging and management.

What is the primary FortiGate election process when the HA override setting is disabled?

A. Connected monitored ports > Priority > System uptime > FortiGate serial number
B. Connected monitored ports > System uptime > Priority > FortiGate serial number
C. Connected monitored ports > Priority > HA uptime > FortiGate serial number
D. Connected monitored ports > HA uptime > Priority > FortiGate serial number

Answer: A. Connected monitored ports > Priority > System uptime > FortiGate serial number

Explanation:
When the HA override setting is disabled, FortiGate elects the primary unit by evaluating the following criteria in order:
1. Connected monitored ports: The unit with the most monitored ports up is preferred.
2. Priority: The unit with the highest priority is preferred.
3. System uptime: The unit with the longest uptime is preferred.
4. FortiGate serial number: Used as the final criterion to break any remaining ties.

References:
FortiOS 7.4.1 Administration Guide: HA election process

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?

A. It uses UDP 8888.
B. It uses DNS over HTTPS.
C. It uses DNS over TLS.
D. It uses UDP 53.

Answer: D. It uses UDP 53.

Explanation:
By default, DNS queries to FortiGuard servers use UDP port 53.

What are two features of collector agent advanced mode? (Choose two.)

A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
B. Advanced mode supports nested or inherited groups.
C. In advanced mode, security profiles can be applied only to user groups, not individual users.
D. Advanced mode uses the Windows convention (NetBios: Domain\Username).

Answer: A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
Answer: D. Advanced mode uses the Windows convention (NetBios: Domain\Username).

Explanation:
Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

Which two statements describe how the RPF check is used? (Choose two.)

A. The RPF check is run on the first sent packet of any new session.
B. The RPF check is run on the first reply packet of any new session.
C. The RPF check is run on the first sent and reply packet of any new session.
D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

Answer: A. The RPF check is run on the first sent packet of any new session.
Answer: D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

Explanation:

The Reverse Path Forwarding (RPF) check is run on the first sent packet of any new session to ensure that the packet arrives on a legitimate interface. This check protects the network from IP spoofing attacks by verifying that a return route exists from the receiving interface back to the source IP address. If the route is invalid or not found, the packet is discarded. Options B and C are incorrect because RPF checks are performed on the first sent packet, not the reply packet.

When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate. Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)

A. Allow & Warning
B. Trust & Allow
C. Allow
D. Block & Warning
E. Block

Answer: A. Allow & Warning
Answer: D. Block & Warning
Answer: E. Block

Explanation:

When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three valid actions it can take:
Allow & Warning: This action allows the session but generates a warning.
Block & Warning: This action blocks the session and generates a warning.
Block: This action blocks the session without generating a warning.

Actions such as "Trust & Allow" or just "Allow" without additional configurations are not applicable in the context of handling invalid certificates.

Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)

A. Manual with load balancing
B. Lowest Cost (SLA) with load balancing
C. Best Quality with load balancing
D. Lowest Quality (SLA) with load balancing
E. Lowest Cost (SLA) without load balancing

Answer: A. Manual with load balancing
Answer: B. Lowest Cost (SLA) with load balancing
Answer: C. Best Quality with load balancing

Explanation:

FortiGate's SD-WAN rule strategies for member selection include the following:

Manual with load balancing: This strategy allows an administrator to manually configure which SD-WAN member interfaces to use for specific traffic.
Lowest Cost (SLA) with load balancing: This strategy prioritizes the link with the lowest cost that meets the SLA requirements.
Best Quality with load balancing: This strategy selects the link with the best performance metrics, such as latency, jitter, or packet loss.
Options D and E are incorrect because "Lowest Quality" is not a valid strategy, and "Lowest Cost without load balancing" contradicts the requirement for load balancing in the strategy name.

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
D. The client FortiGate requires a manually added route to remote subnets.

Answer: B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Answer: C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

Explanation:

For SSL VPN to function correctly between two FortiGate devices, the following settings are required:

B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate must have a Certificate Authority (CA) certificate installed to authenticate and verify the certificate presented by the client FortiGate device.

C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate: The client FortiGate must have a client certificate that is signed by the same CA that the server FortiGate uses for verification. This ensures a secure SSL VPN connection between the two devices.

The other options are not directly necessary for establishing SSL VPN:

A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: This is incorrect as SSL VPN does not require a specific tunnel interface type; it typically uses an SSL VPN client profile.

D. The client FortiGate requires a manually added route to remote subnets: While routing may be necessary, it is not specifically required for the SSL VPN functionality between two FortiGates.

An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A. SSL VPN idle-timeout
B. SSL VPN login-timeout
C. SSL VPN dtls-hello-timeout
D. SSL VPN session-ttl

Answer: C. SSL VPN dtls-hello-timeout

Explanation:

For a high-latency internet connection, the SSL VPN setting that should be adjusted is:
C. SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.

The other options are not suitable:

A. SSL VPN idle-timeout: This setting controls the idle time allowed before a session is terminated, which is not relevant to the initial connection establishment.

B. SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.

D. SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session but does not directly address issues caused by high latency.

Which three methods are used by the collector agent for AD polling? (Choose three.)

A. WinSecLog
B. WMI
C. NetAPI
D. FSSO REST API
E. FortiGate polling

Answer: A. WinSecLog
Answer: B. WMI
Answer: C. NetAPI

Explanation:

The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:

WinSecLog: Monitors Windows Security Event Logs for login events.
WMI: Uses Windows Management Instrumentation to poll user login sessions.
NetAPI: Utilizes the Netlogon API to query domain controllers for user session data.

These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.
