Question 1
Refer to the exhibit.
You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3
needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not
establishing any OSPF connection.
What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors
without affecting the DR/BDR election?
A)
B)
C)
D)
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer:
B
Explanation:
The OSPF configuration shown in the exhibit is using the default priority value of 1 for the interface
port1. This means that FGT_3 will participate in the DR/BDR election process with the other OSPF
routers on the same LAN segment. However, this is not desirable because FGT_3 is a new device that
needs to be added to the OSPF network without affecting the existing DR/BDR election. Therefore, to
make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election, the priority
value of the interface port1 should be changed to 0. This will prevent FGT_3 from becoming a DR or
BDR and allow it to form OSPF adjacencies with the current DR and BDR. Option B shows the correct
configuration that changes the priority value to 0. Option A is incorrect because it does not change
the priority value. Option C is incorrect because it changes the network type to point-to-point, which
is not suitable for a LAN segment with multiple OSPF routers. Option D is incorrect because it
changes the area ID to 0.0.0.1, which does not match the area ID of the other OSPF routers on the
same LAN segment. Reference:
https://docs.fortinet.com/document/fortigate/7.0.0/administration-
guide/358640/basic-ospf-example
Comments
Question 2
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is
receiving reports of users not able to access their website during a sale event. But for clients that
were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able
to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)
- A. Change the persistence rule to LB_PERSIS_SSL_SESSJD.
- B. Add more web servers to the real server poof
- C. Disable SSL between the FortiADC and the web servers
- D. Add a connection-pool to the FortiADC virtual server
Answer:
A, D
Comments
Question 3
Refer to the CLI output:
Given the information shown in the output, which two statements are correct? (Choose two.)
- A. Geographical IP policies are enabled and evaluated after local techniques.
- B. Attackers can be blocked before they target the servers behind the FortiWeb.
- C. The IP Reputation feature has been manually updated
- D. An IP address that was previously used by an attacker will always be blocked
- E. Reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored
Answer:
BE
Explanation:
The CLI output shown in the exhibit indicates that FortiWeb has enabled IP Reputation feature with
local techniques enabled and geographical IP policies enabled after local techniques (set geoip-
policy-order after-local). IP Reputation feature is a feature that allows FortiWeb to block or allow
traffic based on the reputation score of IP addresses, which reflects their past malicious activities or
behaviors. Local techniques are methods that FortiWeb uses to dynamically update its own blacklist
based on its own detection of attacks or violations from IP addresses (such as signature matches, rate
limiting, etc.). Geographical IP policies are rules that FortiWeb uses to block or allow traffic based on
the geographical location of IP addresses (such as country, region, city, etc.). Therefore, based on the
output, one correct statement is that attackers can be blocked before they target the servers behind
the FortiWeb. This is because FortiWeb can use IP Reputation feature to block traffic from IP
addresses that have a low reputation score or belong to a blacklisted location, which prevents them
from reaching the servers and launching attacks. Another correct statement is that reputation from
blacklisted IP addresses from DHCP or PPPoE pools can be restored. This is because FortiWeb can use
local techniques to remove IP addresses from its own blacklist if they stop sending malicious traffic
for a certain period of time (set local-techniques-expire-time), which allows them to regain their
reputation and access the servers. This is useful for IP addresses that are dynamically assigned by
DHCP or PPPoE and may change frequently. Reference:
https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/ip-reputation
https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/geographical-ip-
policies
https://docs.fortinet.com/document/fortiweb/7.4.2/administration-guide/608374/ip-reputation-
blocklisting-source-ips-with-poor-reputation Fortinet compiles a reputation for each public IP
address. Clients will have poor reputations if they have been participating in attacks, willingly or
otherwise. Because blacklisting innocent clients is equally undesirable, Fortinet also restores the
reputations of clients that improve their behavior. This is crucial when an infected computer is
cleaned, or in DHCP or PPPoE pools where an innocent client receives an IP address that was
previously leased by an attacker.
Comments
Question 4
Refer to the exhibit.
You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the
future, a new hardware module providing higher speed will be installed in the switch, and the
connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect any other
port when the new module is installed and the new port speed is defined.
How should the initial connection be made?
- A. Connect the switch on any interface between ports 21 to 24
- B. Connect the switch on any interface between ports 25 to 28
- C. Connect the switch on any interface between ports 1 to 4
- D. Connect the switch on any interface between ports 5 to 8.
Answer:
B
Explanation:
Reference:
FortiGate 6000F Front Panel Interfaces: https://docs.fortinet.com/document/fortigate-
6000/hardware/fortigate-6000f-system-guide/827055/front-panel-interfaces
https://docs.fortinet.com/document/fortigate-6000/7.0.12/fortigate-6000-
handbook/633498/interface-groups-and-changing-data-interface-speeds
Comments
Question 5
Which feature must you enable on the BGP neighbors to accomplish this goal?
- A. Graceful-restart
- B. Deterministic-med
- C. Synchronization
- D. Soft-reconfiguration
Answer:
A
Explanation:
Graceful-restart is a feature that allows BGP neighbors to maintain their routing information during a
BGP restart or failover event, without disrupting traffic forwarding or causing route flaps. Graceful-
restart works by allowing a BGP speaker (the restarting router) to notify its neighbors (the helper
routers) that it is about to restart or failover, and request them to preserve their routing information
and forwarding state for a certain period of time (the restart time). The helper routers then mark the
routes learned from the restarting router as stale, but keep them in their routing table and continue
forwarding traffic based on them until they receive an end-of-RIB marker from the restarting router
or until the restart time expires. This way, graceful-restart can minimize traffic disruption and routing
instability during a BGP restart or failover event. Reference:
https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/bgp-graceful-restart
Comments
Question 6
Refer to the exhibit, which shows a Branch1 configuration and routing table.
In the SD-WAN implicit rule, you do not want the traffic load balance for the overlay interface when
all members are available.
In this scenario, which configuration change will meet this requirement?
- A. Change the load-balance-mode to source-ip-based.
- B. Create a new static route with the internet sdwan-zone only
- C. Configure the cost in each overlay member to 10.
- D. Configure the priority in each overlay member to 10.
Answer:
D
Explanation:
The default load balancing mode for the SD-WAN implicit rule is source IP based. This means that
traffic will be load balanced evenly between the overlay members, regardless of the member's
priority.
To prevent traffic from being load balanced, you can configure the priority of each overlay member
to 10. This will make the member ineligible for load balancing.
The other options are not correct. Changing the load balancing mode to source-IP based will still
result in traffic being load balanced. Creating a new static route with the internet sdwan-zone only
will not affect the load balancing of the overlay interface. Configuring the cost in each overlay
member to 10 will also not affect the load balancing, as the cost is only used when the implicit rule
cannot find a match for the destination IP address.
https://docs.fortinet.com/document/fortigate/6.4.0/sd-wan-deployment-for-
mssps/775385/defining-interface-members
Comments
Question 7
Refer to the exhibits.
An administrator has configured a FortiGate and Forti Authenticator for two-factor authentication
with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the
administrator has discovered that the customers can manually type in their two-factor code and
authenticate but push notifications do not work
Based on the information given in the exhibits, what must be done to fix this?
- A. On FG-1 port1, the ftm access protocol must be enabled.
- B. FAC-1 must have an internet routable IP address for push notifications.
- C. On FG-1 CLI, the ftm-push server setting must point to 100.64.141.
- D. On FAC-1, the FortiToken public IP setting must point to 100.64.1 41
Answer:
D
Explanation:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-
FortiAuthenticator-operation/ta-p/190810
Comments
Question 8
Refer to the exhibit.
A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-
VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1
and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM
links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)
- A. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode
- B. Traffic on AccountVInk and SalesVInk will not be accelerated.
- C. The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.
- D. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.
- E. OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk
Answer:
AB
Comments
Question 9
You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on
an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is
not a factor. Which adapter type for the NICs will you recommend?
- A. Native ESXi Networking with E1000
- B. Virtual Function (VF) PCI Passthrough
- C. Native ESXi Networking with VMXNET3
- D. Physical Function (PF) PCI Passthrough
Answer:
D
Explanation:
The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi,
Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and
compatibility of the network interface cards with the hypervisor and the physical network. There are
different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc. If
performance is the main concern and cost is not a factor, one option is to use native ESXi networking
with VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor.
VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual
machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large
Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking
means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch
(dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can
provide high performance and compatibility for NICs on a FortiGate VM without requiring additional
hardware or software components. Reference:
https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-
esxi/19662/installing-fortigate-vm-on-vmware-esxi
https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-
esxi/19662/networking
Comments
Question 10
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the
FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device
for WAN traffic.
Which action achieves the requirement in this scenario?
- A. Add a switch between the FortiGate and FEX.
- B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
- C. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode
- D. Add a VLAN under the FEX-WAN interface on the FortiGate.
Answer:
C
Explanation:
VLAN Mode is a more efficient way to connect a FortiExtender to a FortiGate than CAPWAP Mode.
This is because VLAN Mode does not require the FortiExtender to send additional control traffic to
the FortiGate.
The other options are not correct.
A . Add a switch between the FortiGate and FEX. This will add overhead to the network, as the switch
will need to process the traffic.
B . Enable CAPWAP connectivity between the FortiGate and the FortiExtender. This will increase the
overhead on the FortiGate, as it will need to process additional control traffic.
D . Add a VLAN under the FEX-WAN interface on the FortiGate. This will not affect the overhead on
the FortiGate.
http://docs.fortinet.com/document/fortiextender/7.0.3/admin-guide-fgt-managed/394272/vlan-
mode
http://docs.fortinet.com/document/fortiextender/7.0.3/admin-guide-fgt-managed/618684/vlan-
mode-and-performance
Comments
Page 1 out of 10
Viewing questions 1-10 out of 105
page 2