Question 1
An administrator applied a block-all IPS profile for client and server targets to secure the server, but
the database team reported the application stopped working immediately after.
How can an administrator apply IPS in a way that ensures it does not disrupt existing applications in
the network?
- A. Use an IPS profile with all signatures in monitor mode and verify patterns before blocking.
- B. Limit the IPS profile to server targets only to avoid blocking connections from the server to clients.
- C. Select flow mode in the IPS profile to accurately analyze application patterns.
- D. Set the IPS profile signature action to default to discard all possible false positives.
Answer:
A
Explanation:
Applying an aggressive IPS profile without prior testing can disrupt legitimate applications by
incorrectly identifying normal traffic as malicious. To prevent disruptions while still monitoring for
threats:
● Enable IPS in "Monitor Mode" first:
● This allows FortiGate to log and analyze potential threats without actively blocking traffic.
● Administrators can review logs and fine-tune IPS signatures to minimize false positives before
switching to blocking mode.
● Verify and adjust signature patterns:
● Some signatures might trigger unnecessary blocks for legitimate application traffic.
● By analyzing logs, administrators can disable or modify specific rules causing false positives.
Comments
Question 2
An administrator is extensively using VXLAN on FortiGate.
Which specialized acceleration hardware does FortiGate need to improve its performance?
- A. NP7
- B. SP5
- C. СР9
- D. NTurbo
Answer:
A
Explanation:
VXLAN (Virtual Extensible LAN) is an overlay network technology that extends Layer 2 networks over
Layer 3 infrastructure. When VXLAN is used extensively on FortiGate, hardware acceleration is crucial
for maintaining performance.
● NP7 (Network Processor 7) is Fortinet’s latest network processor designed to accelerate high-
performance networking features, including:
● VXLAN encapsulation/decapsulation
● IPsec VPN offloading
● Firewall policy enforcement
● Advanced threat protection at wire speed
NP7 significantly reduces latency and improves throughput when handling VXLAN traffic, making it
the best choice for large-scale VXLAN deployments.
Comments
Question 3
Refer to the exhibit, which shows a partial enterprise network.
An administrator would like the area 0.0.0.0 to detect the external network.
What must the administrator configure?
- A. Enable RIP redistribution on FortiGate B.
- B. Configure a distribute-route-map-in on FortiGate B.
- C. Configure a virtual link between FortiGate A and B.
- D. Set the area 0.0.0.l type to stub on FortiGate A and B.
Answer:
A
Explanation:
The diagram shows a multi-area OSPF network where:
● FortiGate A is in OSPF Area 0 (Backbone area).
● FortiGate B is in OSPF Area 0.0.0.1 and is connected to an RIP network.
To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B must
redistribute RIP routes into OSPF.
Steps to achieve this:
1. Enable route redistribution on FortiGate B to inject RIP-learned routes into OSPF.
2. This allows OSPF Area 0.0.0.1 to forward RIP routes to OSPF Area 0 (0.0.0.0), making the external
network visible.
Comments
Question 4
Refer to the exhibit, which shows the ADVPN network topology and partial BGP configuration.
Which two parameters must an administrator configure in the config neighbor range for spokes
shown in the exhibit? (Choose two.)
- A. set max-neighbor-num 2
- B. set neighbor-group advpn
- C. set route-reflector-client enable
- D. set prefix 172.16.1.0 255.255.255.0
Answer:
B, D
Explanation:
In the given ADVPN (Auto-Discovery VPN) topology, BGP is being used to dynamically establish
routes between spokes. The neighbor-range configuration is crucial for simplifying BGP peer setup by
automatically assigning neighbors based on their IP range.
set neighbor-group advpn
● The neighbor-group parameter is used to apply pre-defined settings (such as AS number) to
dynamically discovered BGP neighbors.
● The advpn neighbor-group is already defined in the configuration, and assigning it to the neighbor-
range ensures consistent BGP settings for all spoke neighbors.
set prefix 172.16.1.0 255.255.255.0
● This command allows dynamic BGP peer discovery by defining a range of potential neighbor IPs
(172.16.1.1 - 172.16.1.255).
● Since each spoke has a unique /32 IP within this subnet, this ensures that any spoke within the
172.16.1.0/24 range can automatically establish a BGP session with the hub.
Comments
Question 5
Which two statements about IKEv2 are true if an administrator decides to implement IKEv2 in the
VPN topology? (Choose two.)
- A. It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
- B. It supports interoperability with devices using IKEv1.
- C. It exchanges a minimum of two messages to establish a secure tunnel.
- D. It supports the extensible authentication protocol (EAP).
Answer:
A, D
Explanation:
IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security,
efficiency, and flexibility in VPN configurations.
It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
IKEv2 supports stronger cryptographic algorithms, including Elliptic Curve Diffie-Hellman (ECDH)
groups such as ECP256 and ECP384, providing improved security compared to IKEv1.
It supports the extensible authentication protocol (EAP).
IKEv2 natively supports EAP authentication, which allows integration with external authentication
mechanisms such as RADIUS, certificates, and smart cards. This is particularly useful for remote
access VPNs where user authentication must be flexible and secure.
Comments
Question 6
An administrator must enable direct communication between multiple spokes in a company's
network. Each spoke has more than one internet connection.
The requirement is for the spokes to connect directly without passing through the hub, and for the
links to automatically switch to the best available connection.
How can this automatic detection and optimal link utilization between spokes be achieved?
- A. Set up OSPF routing over static VPN tunnels between spokes.
- B. Utilize ADVPN 2.0 to facilitate dynamic direct tunnels and automatic link optimization.
- C. Establish static VPN tunnels between spokes with predefined backup routes.
- D. Implement SD-WAN policies at the hub to manage spoke link quality.
Answer:
B
Explanation:
ADVPN (Auto-Discovery VPN) 2.0 is the optimal solution for enabling direct spoke-to-spoke
communication without passing through the hub, while also allowing automatic link selection based
on quality metrics.
● Dynamic Direct Tunnels:
● ADVPN 2.0 allows spokes to establish direct IPsec tunnels dynamically based on traffic patterns,
reducing latency and improving performance.
● Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.
● Automatic Link Optimization:
● ADVPN 2.0 monitors the quality of multiple internet connections on each spoke.
● It automatically switches to the best available connection when the primary link degrades or
fails.
● This is achieved by dynamically adjusting BGP-based routing or leveraging SD-WAN integration.
Comments
Question 7
What does the command set forward-domain <domain_ID> in a transparent VDOM interface do?
- A. It configures the interface to prioritize traffic based on the domain ID, enhancing quality of service for specified VLANs.
- B. It isolates traffic within a specific VLAN by assigning a broadcast domain to an interface based on the VLAN ID.
- C. It restricts the interface to managing traffic only from the specified VLAN, effectively segregating network traffic.
- D. It assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.
Answer:
B
Explanation:
In a transparent mode Virtual Domain (VDOM) configuration, FortiGate operates as a Layer 2 bridge
rather than performing Layer 3 routing. The set forward-domain <domain_ID> command is used to
control how traffic is forwarded between interfaces within the same transparent VDOM.
A forward-domain acts as a broadcast domain, meaning only interfaces with the same forward-
domain ID can exchange traffic. This setting is commonly used to separate different VLANs or
network segments within the transparent VDOM while still allowing FortiGate to apply security
policies.
Comments
Question 8
Refer to the exhibit, which shows a physical topology and a traffic log.
The administrator is checking on FortiAnalyzer traffic from the device with IP address 10.1.10.1,
located behind the FortiGate ISFW device.
The firewall policy in on the ISFW device does not have UTM enabled and the administrator is
surprised to see a log with the action Malware, as shown in the exhibit.
What are the two reasons FortiAnalyzer would display this log? (Choose two.)
- A. Security rating is enabled in ISFW.
- B. ISFW is in a Security Fabric environment.
- C. ISFW is not connected to FortiAnalyzer and must go through NGFW-1.
- D. The firewall policy in NGFW-1 has UTM enabled.
Answer:
B, D
Explanation:
From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In
this architecture, FortiGate devices share security intelligence, including logs and detected threats.
ISFW is in a Security Fabric environment:
● Security Fabric allows devices like ISFW to receive threat intelligence from NGFW-1, even if UTM is
not enabled locally.
● If NGFW-1 detects malware from IP 10.1.10.1 to 89.238.73.97, this information can be propagated
to ISFW and FortiAnalyzer.
The firewall policy in NGFW-1 has UTM enabled:
● Even though ISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the
external network) does have UTM enabled and is scanning traffic.
● Since NGFW-1 detects malware in the session, it logs the event, which is then sent to
FortiAnalyzer.
Comments
Question 9
Refer to the exhibit, which contains a partial VPN configuration.
What can you conclude from this VPN IPsec phase 1 configuration?
- A. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
- B. Peer IDs are unencrypted and exposed, creating a security risk.
- C. FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated.
- D. A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.
Answer:
A
Explanation:
This IPsec Phase 1 configuration defines a dynamic VPN tunnel that can accept connections from
multiple peers. The settings chosen here suggest a configuration optimized for networks with
intermittent traffic patterns while ensuring resources are used efficiently.
Key configurations and their impact:
● set type dynamic → This allows multiple peers to establish connections dynamically without
needing predefined IP addresses.
● set ike-version 2 → Uses IKEv2, which is more efficient and supports features like EAP
authentication and reduced rekeying overhead.
● set dpd on-idle → Dead Peer Detection (DPD) is triggered only when the tunnel is idle, reducing
unnecessary keep-alive packets and improving resource utilization.
● set add-route enable → FortiGate automatically adds the route to the routing table when the
tunnel is established, ensuring connectivity when needed.
● set proposal aes128-sha256 aes256-sha256 → Uses strong encryption and hashing algorithms,
ensuring a secure connection.
● set keylife 28800 → Sets a longer key lifetime (8 hours), reducing the frequency of rekeying, which
is beneficial for stable connections.
Because DPD is set to on-idle, the tunnel will not constantly send keep-alive messages but will still
ensure connectivity when traffic is detected. This makes the configuration ideal for networks with
regular but non-continuous traffic, balancing security and resource efficiency.
Comments
Question 10
A company's users on an IPsec VPN between FortiGate A and B have experienced intermittent issues
since implementing VXLAN. The administrator suspects that packets exceeding the 1500-byte default
MTU are causing the problems.
In which situation would adjusting the interface’s maximum MTU value help resolve issues caused by
protocols that add extra headers to IP packets?
- A. Adjust the MTU on interfaces only if FortiGate has the FortiGuard enterprise bundle, which allows MTU modification.
- B. Adjust the MTU on interfaces in all FortiGate devices that support the latest family of Fortinet SPUs: NP7, CP9 and SP5.
- C. Adjust the MTU on interfaces in controlled environments where all devices along the path allow MTU interface changes.
- D. Adjust the MTU on interfaces only in wired connections like PPPoE, optic fiber, and ethernet cable.
Answer:
C
Explanation:
When using IPsec VPNs and VXLAN, additional headers are added to packets, which can exceed the
default 1500-byte MTU. This can lead to fragmentation issues, dropped packets, or degraded
performance.
To resolve this, the MTU (Maximum Transmission Unit) should be adjusted only if all devices in the
network path support it. Otherwise, some devices may still drop or fragment packets, leading to
continued issues.
Why adjusting MTU helps:
● VXLAN adds a 50-byte overhead to packets.
● IPsec adds additional encapsulation (ESP, GRE, etc.), increasing the packet size.
● If packets exceed the MTU, they may be fragmented or dropped, causing intermittent connectivity
issues.
● Lowering the MTU on interfaces ensures packets stay within the supported size limit across all
network devices.
Comments
Page 1 out of 5
Viewing questions 1-10 out of 57
page 2