Practice Test
How can you modify the security settings of a VPN tunnel created from a template in FortiGate? *Choose a different template for the tunnel *Use the custom tunnel creation option *Convert the template to a custom tunnel *Edit the template directly
*
Which two additional features and settings can you apply to traffic after it is accepted by a firewall policy? (Choose two) *Antivirus scanning *User authentication x *Application control *Packet filtering
Antivirus scanning
Which action can you take to improve the security rating provided by the Fortinet Security Fabric? *Upgrade FortiGate to the latest mature version available *Run the integrity check on all end devices *Apply one or more of the suggested best practices *Create a configuration revision or back up the configuration
Apply one or more of the suggested best practices
Which two steps are involved in configuring web filtering based on FortiGuard category filters? *Create a web filtering security profile using FortiGuard category-based filters *Apply the web filter security profile to the appropriate firewall policy *Identify the specific websites to be blocked or allowed *Upgrade FortiOS to obtain the latest database from FortiGuard
Apply the web filter security profile to the appropriate firewall policy
What is a scenario where automation is used in the Fortinet Security Fabric? *Assigning security ratings to newly added devices *Monitoring disk space utilization on FortiAnalyzer *Generating weekly reports for management review *Automatically quarantining a computer with malicious activity
Automatically quarantining a computer with malicious activity
How can administrators track successful authentication attempts in FortiGate? *By utilizing advanced threat intelligence feeds *By reviewing the logs and dashboards *By analyzing network traffic patterns *By monitoring security events in real-time
By reviewing the logs and dashboards
What are some of the features provided by IPSec VPNs? *Bandwidth optimization and antireplay protection *Data authentication and data integrity *Network segmentation and packet inspection *Data encryption and load balancing
Data authentication and data integrity
Which two options can you use for centralized logging when you configure the Fortinet Security Fabric? (choose two) *FortiSOAR *FortiGate Cloud *Syslog server x *FortiAnalyzer
FortiGate Cloud
Which two configuration settings are global settings? *FortiGuard settings *User & Device settings *HA settings *Firewall policies
HA settings -
Which two security profiles are handled by the IPS engine? *Application Control *IPS *AntiVirus X *Web Filter
IPS -
Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode are true? (Choose two) *A file does not need to be buffered completely before it is moved to the antivirus engine for scanning X *FortiGate sends a reset packet to the client if antivirus reports the file as infected *If a virus is detected, a block replacement message is displayed immediately.
If a virus is detected, a block replacement message is displayed immediately. -
Which two items should you configure as the source of a firewall policy, to allow all internal users in a small office to access the internet? (Choose two) *Users or user groups *Application signatures *The IP subnet of the LAN *Security profiles x
Users or user groups
What functionality does FortiGate provide to establish secure connections between a main office and its remote branches, over the internet? *Virtual Private networks *Monitoring and logging *Firewall authentication *Security scanning
Virtual private networks
Which statement about the HA override setting in FortiGate HA clusters is true? *It synchronizes device priority on all cluster members *You must configure override settings manually and separately for each cluster member *It enables monitored ports *It reboots FortiGate
You must configure override settings manually and separately for each cluster member
What is the potential security risk associated with HTTPS? *Increased network latency *Certificate errors during the SSL handshake *Incompatibility with certain web browsers *Encrypted malicious traffic
Encrypted malicious traffic
What is the purpose of firewall policies on FortiGate? *To encrypt network traffic *To block all incoming traffic *To monitor network traffic *To control network traffic
To control network traffic
How are websites filtered using FortiGuard category filters? *By scanning the website for malware in real time *By denying access based on the website IP address *By blocking access based on the website content *By examining the HTTP headers from the website
By blocking access based on the website content
How does FortiGate application control address evasion techniques used by peer-to-peer protocols? *By analyzing flow-based inspection *By examining a URL block list *By monitoring traffic for known patterns *By allowing traffic from only well-known ports
By monitoring traffic for known patterns
Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two) *It uses Windows convention for naming; that is, Domain\Username *FortiGate can act as an LDAP client to configure the group filters *It is only supported if DC agents are deployed. *It supports monitoring of nested groups
FortiGate can act as an LDAP client to configure the group filters; It supports monitoring of nested groups
What is a characteristic of a firewall policy used to allow the traffic from Secure Socket Layer Virtual Private Network (SSL VPN)? *It uses a virtual tunnel interface in the source field *It encapsulates the traffic using the VPN settings configured *It defines the port number used for the SSL VPN portal *It assigns SSL certificates to user groups trying to connect
It uses a virtual tunnel interface in the source field
Which two statements about the application control profile mode are true? (Choose two) *It can be selected in either flow-based or proxy-based firewall policy *It cannot be used in conjunction with IPS scanning X *It can scan only unsecure protocols *It uses flow-based scanning techniques, regardless of the inspection mode used
It uses flow-based scanning techniques, regardless of the inspection mode used -
What are two benefits of performing regular maintenance on FortiGate firewalls? *Minimize costs during upgrades *Ensure you have the latest hardware *Prevent security breaches in your organization *Meet compliance and legal requirements
Prevent security breaches in your organization; Meet compliance and legal requirements
Which two statements about FortiGate antivirus databases are true? *The quick scan database is part of the normal database *The extended database is available only if AI scanning is enabled x *The extreme database is available only on certain FortiGate models *The extended database is available on all FortiGate models
The extended database is available on all FortiGate models -
Which two statements correctly describe the differences between IPSec main mode and IPSec aggressive mode? *The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not *Main Mode cannot be used for dialup VPNs, while aggressive mode can *Aggressive mode supports XAuth, while main mode does not *Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode
The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not -
Why is it recommended that you use user groups instead of individual user accounts in a firewall policy? *User groups provide stronger encryption for authentication *User groups contain all individual user accounts by default *User groups make it easier to monitor authenticated users *User groups simplify the firewall configuration
User groups simplify the firewall configuration
What is the security rating in the Fortinet Security Fabric, and how is it calculated? *It indicates the level of compatibility with third-party devices *It represents the current level of network performance *It is calculated based on the number of security logs generated *It is a numerical value based on device settings and best practices
It is a numerical value based on device settings and best practices
What are two consequences of allowing a FortiGate license to expire? (choose two) *Disruption of network services and potential legal issues *Inability to monitor system logs and generate network reports *Loss of access to software updates and technical support *Reduced FortiGate performance and increased vulnerability to security threats x
Loss of access to software updates and technical support
Which actions can you apply to application categories in the Application Control profile? *Monitor, optimize, redirect, or shape *Authenticate, log, encrypt, or back up *Monitor, allow, block, or quarantine *Allow, encrypt, compress, or redirect
Monitor, allow, block, or quarantine
In addition to central processing unit (CPU) and memory usage, what are two other key performance parameters you should monitor on FortiGate? (Choose two) *Number of SSL sessions *Number of days for licenses to expire x *Number of active VPN tunnels *Number of local users and user groups
Number of SSL sessions
What is the key difference between SSL certificate inspection and SSL deep inspection? *SSL certificate inspection requires a trusted certificate authority (CA), while SSL deep inspection uses the FortiGate CL certificate *SSL certificate inspection applies to only HTTPS traffic, while SSL deep inspection applies to multiple SSL encrypted protocols *SSL certificate inspection decrypts and inspects encrypted content, while SSL deep inspection verifies the identity of the web server *SSL certificate inspection introduces certificate errors, while SSL deep inspection prevents certificate warnings
SSL certificate inspection applies to only HTTPS traffic, while SSL deep inspection applies to multiple SSL encrypted protocols
Why is SSL inspection necessary for the intrusion prevention system (IPS) to detect threats in encrypted traffic? *Without SSL inspection, encrypted traffic is automatically blocked by IPS *SSL inspection improves network performance by bypassing encrypted traffic *The IPS engine can inspect only legacy encryption algorithms, by default. *SSL inspection allows the IPS to detect and analyze encrypted threats
SSL inspection allows the IPS to detect and analyze encrypted threats
Which statement about traffic flow in an active-active HA cluster is true? *The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client *All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions. *The SYN packet from the client always arrives at the primary device first. *The ACK from the client is received on the physical MAC address of the primary device
The SYN packet from the client always arrives at the primary device first. -
When configuring a static route on FortiGate, what does the destination represent? *The IP address of the next-hop router *The IP address of the remote DNS server *The local interface on FortiGate for the outgoing traffic *The network or host to which traffic will be forwarded
The network or host to which traffic will be forwarded
Which piece of information does FortiGate know about the user without firewall authentication? *The originating domain name *The source IP address *The user login name *The application being used
The source IP address
FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt. *The user is using a super user admin account *The user was authenticated using passive authentication *The user is using a guest account profile *No matching user account exists for this user
The user was authenticated using passive authentication
What is the purpose of the FortiGuard Labs signature database? *To provide secure configuration templates to FortiGate firewalls *To keep FortiGate firewalls protected against the latest malware variants *To identify and correct vulnerabilities in FortiGate firewalls *To give FortiGate firewalls the ability to track network traffic and usage patterns
To keep FortiGate firewalls protected against the latest malware variants
What are two reasons why organizations and individuals use web filtering? (choose two) *To increase network bandwidth *To prevent network congestion *To preserve employee productivity *To enhance their users' experience
To prevent network congestion; To preserve employee productivity
Why is it important to back up FortiGate System configurations regularly? *To prevent unexpected configuration changes *To save time and effort in case of a hardware failure *To avoid errors while upgrading FortiOS *To ensure optimal performance of FortiGate
To save time and effort in case of a hardware failure
What is grayware? *Unsolicited programs installed without user consent *New and unknown malware variants *Known malware with existing signatures *Malicious files sent to the sandbox for inspection
Unsolicited programs installed without user consent
How does FortiGate handle blocked websites in web filtering using FortiGuard category filters? *Users are prompted to provide a valid username and password for access *Users receive a warning message but can choose to continue accessing the website *Users are allowed to access the website, but their activity is recorded in the FortiGate logs *Users are redirected to a replacement message indicating the website is blocked
Users are redirected to a replacement message indicating the website is blocked