
Exam A

QUESTION 1
Which two configuration settings change the behavior for content-inspected traffic while FortiGate is in
conserve mode? (Choose two.)

A. IPS failopen
B. mem failopen
C. AV failopen
D. UTM failopen

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

A. Anti-replay is enabled.
B. DPD is disabled.
C. Remote gateway IP is 10.200.4.1.
D. Quick mode selectors are disabled.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Refer to the exhibit, which contains the output of a diagnose command.
Which two statements regarding the output in the exhibit are true? (Choose two.)

A. FortiGate will probe 121.111.236.179 every fifteen minutes for a response.


B. Servers with a negative TZ value are experiencing a service outage.
C. Servers with the D flag are considered to be down.
D. FortiGate used 209.222.147.36 as the initial server to validate its contract.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Which two statements about application layer test commands are true? (Choose two.)

A. They are used to filter real-time debugs.


B. They display real-time application debugs.
C. Some of them can be used to restart an application.
D. Some of them display statistics and configuration information about a feature or process.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Refer to the exhibits, which contain configuration on FortiGate and partial session information.
All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for
Internet traffic from a user on the internal network.

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user’s
session?

A. The session would remain in the session table, but its traffic would now egress from both port1 and
port2.
B. The session would remain in the session table, and its traffic would still egress from port1.
C. The session would remain in the session table, and its traffic would start to egress from port2.
D. The session would be deleted, so the client would need to start a new session.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

A. OSPF costs match


B. OSPF peer IDs match
C. Hello and dead intervals match
D. OSPF IP MTUs match
E. IP addresses are in the same subnet

Correct Answer: CDE


Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which two statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose
two.)

A. When executed on the Device Database, you must use the installation wizard to apply the changes to the
managed FortiGate.
B. When executed on the Policy Package, ADOM database, changes are applied directly to the managed
FortiGate.
C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new
revision history.
D. When executed on the Remote FortiGate directly, administrators do not have the option to review the
changes prior to installation.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Refer to the exhibit, which contains a partial output of an IKE real-time debug.
Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

A. auto-discovery-receiver
B. auto-discovery-forwarder
C. auto-discovery-sender
D. auto-discovery-shortcut

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
What is the diagnose test application ipsmonitor 99 command used for?

A. To enable IPS bypass mode


B. To provide information regarding IPS sessions
C. To disable the IPS engine
D. To restart all IPS engines and monitors

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Refer to the exhibit, which contains a session table entry.
Which statement about FortiGate inspection of this session is true?

A. FortiGate applied proxy-based inspection.


B. FortiGate applied flow-based NGFW policy-based inspection.
C. FortiGate applied flow-based inspection.
D. FortiGate forwarded this session without any inspection.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Refer to the exhibit, which contains the output of a debug command.
Which two statements about the exhibit are true? (Choose two.)

A. The local FortiGate OSPF router ID is 0.0.0.4.


B. The local FortiGate is the backup designated router.
C. In the network connected to port4, two OSPF routers are down.
D. Port4 is connected to the OSPF backbone area.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Refer to the exhibit, which contains the output of diagnose sys session stat.

Which two statements about the output shown are correct? (Choose two.)

A. No sessions have been deleted because of memory pages exhaustion.


B. There are 0 ephemeral sessions.
C. There are 168 TCP sessions waiting to complete the three-way handshake.
D. All the sessions in the session table are TCP sessions.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Refer to the exhibit, which contains central management configuration.

Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?

A. 10.0.1.242
B. 10.0.1.244
C. Public FortiGuard servers
D. 10.0.1.240

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Refer to the exhibit, which contains the output of diagnose sys session list.
If the HA ID for the primary unit is zero (0), which statement about the output is true?

A. This session cannot be synced with the slave unit.


B. The inspection of this session has been offloaded to the slave unit.
C. The master unit is processing this traffic.
D. This session is for HA heartbeat traffic.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Refer to the exhibit, which contains the partial output of an IKE real-time debug.
Why did the tunnel not come up?

A. The pre-shared keys do not match


B. The remote gateway phase 1 configuration does not match the local gateway phase 1 configuration.
C. The remote gateway phase 2 configuration does not match the local gateway phase 2 configuration.
D. The remote gateway is using aggressive mode and the local gateway is configured to use main mode.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the
administrator notices that some of the switches in the network continue to send traffic to the former primary
unit. The administrator decides to enable the setting link-failed-signal to fix the problem.

Which statement about this command is true?

A. It forces the former primary device to shut down all its non-heartbeat interfaces for one second while the
failover occurs.
B. It disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.
C. It sends a link failed signal to all connected devices.
D. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable
through a new master after a failover.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
What does the dirty flag mean in a FortiGate session?

A. The session must be removed from the former primary unit after an HA failover.
B. Traffic has been blocked by the antivirus inspection.
C. Traffic has been identified as from an application that is not allowed.
D. The next packet must be re-evaluated against the firewall policies.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Refer to the exhibit, which contains partial outputs from two routing debug commands.

Which outbound interface will FortiGate use to route web traffic from internal users to the Internet?

A. port3
B. port2
C. port1
D. Both port1 and port2
Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Refer to the exhibit, which contains the output of a debug command.

Which statement about this FortiGate is correct?

A. It is currently in system conserve mode because of high CPU usage.


B. It is currently in extreme conserve mode because of high memory usage.
C. It is currently in proxy conserve mode because of high memory usage.
D. It is currently in memory conserve mode because of high memory usage.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local
FDS?

A. FortiManager will respond to update requests only from a managed device.


B. FortiManager can download and maintain local copies of FortiGuard databases.
C. FortiManager supports only FortiGuard push update to managed devices.
D. FortiManager does not support web filter rating requests.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Refer to the exhibit, which contains the output of a BGP debug command.
Which statement about the exhibit is true?

A. The local router has received a total of three BGP prefixes from all peers.
B. The local router has not established a TCP session with 100.64.3.1.
C. Since the counters were last reset, the 10.200.3.1 peer has never been down.
D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Refer to the exhibit, which contains the output of a web filtering diagnose command.
Which statement explains why the cache statistics are all zeros?

A. The FortiGate web filter cache is disabled in the FortiGate configuration.


B. FortiGate is using flow-based inspection which does not use the cache.
C. The administrator has reallocated the cache memory to a separate process.
D. There are no users making web requests.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
An administrator wants to capture ESP traffic between two FortiGate devices using the built-in sniffer.

If the administrator knows that there is no NAT device located between both FortiGate devices, which
command should the administrator execute?

A. diagnose sniffer packet any 'esp'
B. diagnose sniffer packet any 'udp port 4500'
C. diagnose sniffer packet any 'udp port 500'
D. diagnose sniffer packet any 'tcp port 500 or tcp port 4500'
Correct Answer: C A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Which two conditions must be met for a static route to be active in the routing table? (Choose two.)

A. The link health monitor (if configured) is up.


B. There is no other route, to the same destination, with a higher distance.
C. The outgoing interface is up.
D. The next-hop IP address is up.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
When using the SSL certificate inspection method to inspect HTTPS traffic, how does FortiGate filter web
requests when the client browser does not provide the server name indication (SNI) extension?

A. FortiGate uses the requested URL from the user’s web browser.
B. FortiGate uses the CN information from the Subject field in the server certificate.
C. FortiGate blocks the request without any further inspection.
D. FortiGate switches to the full SSL inspection method to decrypt the data.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Refer to the exhibit, which contains the output of a real-time debug.

Which statement regarding this output is true?

A. FortiGate found the requested URL in its local cache.


B. The requested URL belongs to category ID 52.
C. The client hostname is training.fortinet.com.
D. This web request was inspected using the root web filter profile.

Correct Answer: AB B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

A. Import policy packages from managed devices.


B. Preview pending configuration changes for managed devices.
C. Add devices to FortiManager.
D. Import interface mappings from managed devices.
E. Install configuration changes to managed devices.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Refer to the exhibit, which contains a partial routing table.

Assuming all the appropriate firewall policies are configured, which two pings will FortiGate route? (Choose
two.)

A. Source IP address: 10.72.3.52, Destination IP address: 10.1.0.254


B. Source IP address: 10.73.9.10, Destination IP address: 10.72.3.15
C. Source IP address: 10.10.4.24, Destination IP address: 10.72.3.20
D. Source IP address: 10.1.0.10, Destination IP address: 10.64.1.52
Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Refer to the exhibit, which contains a TCL script configuration on FortiManager.

An administrator has configured the TCL script on FortiManager, but it failed to apply any changes to the
managed device after being executed.

Why did the TCL script fail to make any changes to the managed device?

A. Changes in an interface configuration can only be done by CLI script.


B. The TCL script must start with #include <>.
C. Incomplete commands are ignored in TCL scripts.
D. The TCL command run_cmd has not been created.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Refer to the exhibit, which contains the partial output of an IKE real-time debug.
Which two statements about this debug output are correct? (Choose two.)

A. The initiator has provided remote as its IPsec peer ID.


B. The negotiation is using AES128 encryption with CBC hash.
C. The remote gateway IP address is 10.0.0.1.
D. It shows a phase 1 negotiation.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which two statements about FortiManager are true when it is deployed as a local FDS? (Choose two.)

A. It caches available firmware updates for unmanaged devices.


B. It provides VM license validation services.
C. It can be configured as an update server, or a rating server, but not both.
D. It supports rating requests from both managed and unmanaged devices.

Correct Answer: AB B&


Section: (none) D
Explanation
Explanation/Reference:

QUESTION 32

Refer to the exhibit, which contains a CLI script configuration on FortiManager.

An administrator has configured the CLI script on FortiManager, which failed to apply any changes to the
managed device after being executed.

Why did the script not make any changes to the managed device?

A. There is an existing route with a lower priority value.


B. CLI scripts will add objects only if they are referenced by policies.
C. Commands that start with the # sign are not executed.
D. Static routes can only be added using TCL scripts.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Refer to the exhibit, which contains the output of a BGP debug command.

Which statement explains why the state of the 10.200.3.1 peer is Connect?

A. The local router has received the BGP prefixes from the remote peer.
B. The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.
C. The TCP session to 10.200.3.1 has not completed the 3-way handshake.
D. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the
OpenConfirm yet.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34

Refer to the exhibit, which contains a session entry.

Which statement about this session is true?

A. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.


B. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
C. It is an ICMP session from 10.1.10.10 to 10.200.5.1.
D. It is an ICMP session from 10.1.10.10 to 10.200.1.1.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 35

Refer to the exhibit, which contains the output of get system ha status.

Which two statements about the output are true? (Choose two.)

A. The slave configuration is synchronized with the master.


B. port7 is used as the HA heartbeat on all devices in the cluster.
C. Master is selected based on the priority configured under config system ha.
D. The HA management IP is 169.254.0.2.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Refer to the exhibit, which contains a screenshot of some phase-1 settings.

The VPN is not up. To diagnose, the administrator enters the following CLI commands:

However, the IKE real-time debug does not show any output. Why?

A. The log-filter setting was set incorrectly. The VPN traffic does not match this filter.
B. The administrator must enable the following real-time debug: diagnose debug application ipsec -1.
C. The debug output only shows pre-shared key, encryption, and authentication mismatch(es).
D. The debug shows only error messages. If there is no output, then phase-1 and phase-2 configurations are
matching.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Which statement about memory conserve mode is true?
A. A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.
B. A FortiGate starts dropping all the new and old sessions when the configured memory use threshold
reaches extreme.
C. A FortiGate enters conserve mode when the configured memory use threshold reaches red.
D. A FortiGate starts dropping new sessions when the configured memory use threshold reaches red.

Correct Answer: D C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38

Refer to the exhibit, which contains output of diagnose vpn tunnel list.

Which command will capture ESP traffic for the VPN named DialUp_0?

A. diagnose sniffer packet any 'port 500'
B. diagnose sniffer packet any 'host 10.0.10.10'
C. diagnose sniffer packet any 'ESP'
D. diagnose sniffer packet any 'port 4500'

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Refer to the exhibit, which contains a partial web filter profile configuration.

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File
Sharing and Storage?

A. FortiGate will exempt the connection based on the Web Content Filter configuration.
B. FortiGate will block the connection as an invalid URL.
C. FortiGate will block the connection based on the URL Filter configuration.
D. FortiGate will allow the connection based on the FortiGuard category based filter configuration.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Refer to the exhibit, which contains the output of a diagnose command.
Which statement regarding the Weight value is true?

A. It determines which FortiGuard server is used for license validation.


B. Its initial value is statically set to 10.
C. Its value is incremented with each packet lost.
D. Its initial value is calculated based on the round trip delay (RTT).

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Refer to the exhibit, which contains the partial output of an IKE real-time debug.

The administrator does not have access to the remote gateway.

Based on the debug output, which configuration change can the administrator make to the local gateway to
resolve the phase 1 negotiation error?

A. Change phase 1 encryption to 3DES and authentication to SHA256.


B. Change phase 1 encryption to 3DES and authentication to CBC.
C. Change phase 1 encryption to AESCBC and authentication to SHA128.
D. Change phase 1 encryption to AES128 and authentication to SHA512.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
In which two states is a given session categorized as ephemeral? (Choose two.)

B
A. A TCP session waiting for FIN ACK.
B. A TCP session waiting to complete the three-way handshake.
C. A UDP session with packets sent and received.
D. A UDP session with only one packet received.

Correct Answer: AC B&


Section: (none) D
Explanation

Explanation/Reference:

QUESTION 43
Refer to the exhibit, which contains a partial output of an IKE real-time debug.

Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

A. auto-discovery-receiver
B. auto-discovery-forwarder
C. auto-discovery-sender
D. auto-discovery-shortcut

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
Which statement describes IPS adaptive scanning?

A. Downloads signatures on demand from FDS based on scanning requirements.


B. Determines when it is secure enough to stop scanning session traffic.
C. Determines the optimal number of IPS engines required based on system load.
D. Chooses a matching algorithm based on the type of inspection being performed.
A
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 45

Refer to the exhibit, which contains the output of a debug command.

Which two statements about the exhibit are true? (Choose two.)

A. The OSPF routers with the IDs 0.0.0.69 and 0.0.0.117 are both designated routers for the wan1
network.
B. The interface ToRemote is a point-to-point OSPF network.
C. The local FortiGate is the backup designated router for the wan1 network.
D. The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

A. Next-hop-self
B. Route reflector
C. Neighbor group
D. Neighbor range

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Refer to the exhibit, which contains partial outputs from two routing debug commands.

Why is the port2 default route not in the second command’s output?

A. It has a lower priority value than the default route using port1.
B. It has a higher priority value than the default route using port1.
C. It is disabled in the FortiGate configuration.
D. It has a higher distance than the default route using port1.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48

Refer to the exhibit, which contains the output of a diagnose command.

Which two statements about the output are true? (Choose two.)

A. This is an expected session created by a session helper.


B. This is an expected session created by an application control profile.
C. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop
IP address 10.0.1.10.
D. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop
IP address 10.200.1.1.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
Refer to the exhibits, which contain configuration on FortiGate and partial session information.

All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for
Internet traffic from a user on the internal network.

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user’s
session?

A. The session would remain in the session table, but its traffic would now egress from both port1 and
port2.
B. The session would remain in the session table, and its traffic would still egress from port1.
C. The session would remain in the session table, and its traffic would start to egress from port2.
D. The session would be deleted, so the client would need to start a new session.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
1. What conditions are required for two FortiGate devices to form an OSPF
adjacency? (Choose three.)

IP addresses are in the same subnet.


Hello and dead intervals match.
OSPF IP MTUs match.
OSPF peer IDs match.
OSPF costs match.
2. An administrator has decreased all the TCP session timers to optimize the
FortiGate memory usage. However, after the changes, one network application
started to have problems. During the troubleshooting, the administrator noticed that
the FortiGate deletes the sessions after the clients send the SYN packets, and before
the arrival of the SYN/ACKs. When the SYN/ACK packets arrive at the FortiGate, the
unit has already deleted the respective sessions.

Which TCP session timer must be increased to fix this problem?

TCP half open.


TCP half close.
TCP time wait.
TCP session time to live.
3. Examine the output of the 'diagnose debug rating' command shown in the exhibit;
then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

There are three FortiGuard servers that are not responding to the queries sent by the
FortiGate.
The TZ value represents the delta between each FortiGuard server's time zone and the
FortiGate's time zone.
FortiGate will send the FortiGuard queries to the server with highest weight.
A server's round trip delay (RTT) is not used to calculate its weight.
4. View the exhibit, which contains the output of a debug command, and then answer
the question below.
Which one of the following statements about this FortiGate is correct?

It is currently in system conserve mode because of high CPU usage.


It is currently in extreme conserve mode because of high memory usage.
It is currently in proxy conserve mode because of high memory usage.
It is currently in memory conserve mode because of high memory usage.
5. View the exhibit, which contains the output of a BGP debug command, and then
answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

The local router's BGP state is Established with the 10.125.0.60 peer.
Since the counters were last reset, the 10.200.3.1 peer has never been down.
The local router has received a total of three BGP prefixes from all peers.
The local router has not established a TCP session with 100.64.3.1.
6. View the exhibit, which contains the output of a diagnose command, and then
answer the question below.

What statements are correct regarding the output? (Choose two.)

This is an expected session created by a session helper.


Traffic in the original direction (coming from the IP address 10.171.122.38) will be
routed to the next-hop IP address 10.0.1.10.
Traffic in the original direction (coming from the IP address 10.171.122.38) will be
routed to the next-hop IP address 10.200.1.1.
This is an expected session created by an application control profile.
7. Which two statements about FortiManager are true when it is deployed as a local
FDS? (Choose two.)

It caches available firmware updates for unmanaged devices.


It can be configured as an update server, or a rating server, but not both.
It supports rating requests from both managed and unmanaged devices.
It provides VM license validation services.
8. View the exhibit, which contains the output of a diagnose command, and then
answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

FortiGate will probe 121.111.236.179 every fifteen minutes for a response.


Servers with the D flag are considered to be down.
Servers with a negative TZ value are experiencing a service outage.
FortiGate used 209.222.147.3 as the initial server to validate its contract.
9. Examine the output of the 'diagnose sys session list expectation' command
shown in the exhibit; then answer the question below.
Which statement is true regarding the session in the exhibit?

It was created by the FortiGate kernel to allow push updates from FortiGuard.
It is for management traffic terminating at the FortiGate.
It is for traffic originated from the FortiGate.
It was created by a session helper or ALG.
10. 0.1.254. The administrator runs the debug flow while attempting the connection
using HTTP. The output of the debug flow is shown in the exhibit:

Based on the error displayed by the debug flow, which are valid reasons for this
problem? (Choose two.)

HTTP administrative access is disabled in the FortiGate interface with the IP address
10.0.1.254.
Redirection of HTTP to HTTPS administrative access is disabled.
HTTP administrative access is configured with a port number different than 80.
The packet is denied because of reverse path forwarding check.
11. A FortiGate is configured as an explicit web proxy. Clients using this web proxy
are reporting DNS errors when accessing any website. The administrator executes
the following debug commands and observes that the n-dns-timeout counter is
increasing:
What should the administrator check to fix the problem?

The connectivity between the FortiGate unit and the DNS server.
The connectivity between the client workstations and the DNS server.
That DNS traffic from client workstations is allowed by the explicit web proxy policies.
That DNS service is enabled in the explicit web proxy interface.
12. View the exhibit, which contains the partial output of an IKE real time debug, and
then answer the question below.
The administrator does not have access to the remote gateway.

Based on the debug output, what configuration changes can the administrator make
to the local gateway to resolve the phase 1 negotiation error?

Change phase 1 encryption to AESCBC and authentication to SHA128.


Change phase 1 encryption to 3DES and authentication to CB
Change phase 1 encryption to AES128 and authentication to SHA512.
Change phase 1 encryption to 3DES and authentication to SHA256.
13. An administrator has enabled HA session synchronization in a HA cluster with
two members.

Which flag is added to a primary unit’s session to indicate that it has been
synchronized to the secondary unit?

redir.

C
dirty.
synced
nds.
14. Which configuration can be used to reduce the number of BGP sessions in an
IBGP network?

Neighbor range
Route reflector
Next-hop-self
Neighbor group
15. View the exhibit, which contains the output of get sys ha status, and then answer
the question below.

Which statements are correct regarding the output? (Choose two.)

The slave configuration is not synchronized with the master.


The HA management IP is 169.254.0.2.
Master is selected because it is the only device in the cluster.
port7 is used as the HA heartbeat on all devices in the cluster.
16. How does FortiManager handle FortiGuard requests from FortiGate devices,
when it is configured as a local FDS?

FortiManager can download and maintain local copies of FortiGuard databases.


FortiManager supports only FortiGuard push to managed devices.
FortiManager will respond to update requests only if they originate from a managed
device.
FortiManager does not support rating requests.
17. View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

IPS will scan every byte in every session.


FortiGate will spawn IPS engine instances based on the system load.
New packets will be passed through without inspection if the IPS socket buffer runs out
of memory.
IPS will use the faster matching algorithm which is only available for units with more
than 4 GB memory.
18. Examine the following traffic log; then answer the question below.

date=20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri=critical vd=root service=kernel status=failure msg="NAT port is exhausted."

What does the log mean?

There is not enough available memory in the system to create a new entry in the NAT
port table.
The limit for the maximum number of simultaneous sessions sharing the same NAT
port has been reached.
FortiGate does not have any available NAT port for a new connection.
The limit for the maximum number of entries in the NAT port table has been reached.
19. Which of the following statements are true regarding the SIP session helper and
the SIP application layer gateway (ALG)? (Choose three.)

SIP session helper runs in the kernel; SIP ALG runs as a user space process.
SIP ALG supports SIP HA failover; SIP helper does not.
SIP ALG supports SIP over IPv6; SIP helper does not.
SIP ALG can create expected sessions for media traffic; SIP helper does not.
SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.
20. Two independent FortiGate HA clusters are connected to the same broadcast
domain. The administrator has reported that both clusters are using the same HA
virtual MAC address. This creates a duplicated MAC address problem in the network.

What HA setting must be changed in one of the HA clusters to fix the problem?

Group ID
Group name.
Session pickup.
Gratuitous ARPs.
21. A FortiGate's port1 is connected to a private network. Its port2 is connected to the
Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can
access the Internet. Web cache is NOT enabled. An internal web proxy user is
downloading a file from the Internet via HTTP.

Which statements are true regarding the two entries in the FortiGate session table
related with this traffic? (Choose two.)

Both sessions have the local flag on.


The destination IP addresses of both sessions are IP addresses assigned to
FortiGate's interfaces.
One session has the proxy flag on, the other one does not.
One of the sessions has the IP address of port2 as the source IP address.
22. Which two configuration settings change the behavior for content-inspected
traffic while FortiGate is in conserve mode? (Choose two.)

IPS failopen
mem failopen
AV failopen
UTM failopen
23. What does the dirty flag mean in a FortiGate session?

Traffic has been blocked by the antivirus inspection.


The next packet must be re-evaluated against the firewall policies.
The session must be removed from the former primary unit after an HA failover.
Traffic has been identified as from an application that is not allowed.
24. Which two conditions must be met for a static route to be active in the routing
table? (Choose two.)

The link health monitor (if configured) is up.


There is no other route, to the same destination, with a higher distance.
The outgoing interface is up.
The next-hop IP address is up.
25. View the following FortiGate configuration.
All traffic to the Internet currently egresses from port1.

The exhibit shows partial session information for Internet traffic from a user on the
internal network:

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic
matching that user’s session?

The session would remain in the session table, and its traffic would still egress from
port1.
The session would remain in the session table, but its traffic would now egress from
both port1 and port2.
The session would remain in the session table, and its traffic would start to egress from
port2.
The session would be deleted, so the client would need to start a new session.
26. Which of the following statements are correct regarding application layer test
commands? (Choose two.)

They are used to filter real-time debugs.


They display real-time application debugs.
Some of them display statistics and configuration information about a feature or
process.
Some of them can be used to restart an application.
27. Examine the output from the 'diagnose debug authd fsso list' command; then
answer the question below.

# diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: INTERNAL2.TRAINING.LAB

The IP address 192.168.3.1 is NOT the one used by the workstation
INTERNAL2.TRAINING.LAB.

What should the administrator check?

The IP address recorded in the logon event for the user STUDENT.
The DNS name resolution for the workstation name INTERNAL2.TRAINING.LAB.
The source IP address of the traffic arriving to the FortiGate from the workstation
INTERNAL2.TRAINING.LAB.
The reverse DNS lookup for the IP address 192.168.3.1.
28. Examine the output of the ‘get router info ospf interface’ command shown in the
exhibit; then answer the question below.

Which statements are true regarding the above output? (Choose two.)
The port4 interface is connected to the OSPF backbone area.
The local FortiGate has been elected as the OSPF backup designated router.
There are at least 5 OSPF routers connected to the port4 network.
Two OSPF routers are down in the port4 network.
29. Which of the following conditions must be met for a static route to be active in the
routing table? (Choose three.) Choose Two

The next-hop IP address is up.


There is no other route, to the same destination, with a higher distance.
The link health monitor (if configured) is up.
The next-hop IP address belongs to one of the outgoing interface subnets.
The outgoing interface is up.
30. The logs in a FSSO collector agent (CA) are showing the following error:

failed to connect to registry: PIKA1026 (192.168.12.232)

What can be the reason for this error?

The CA cannot resolve the name of the workstation.


The FortiGate cannot resolve the name of the workstation.
The remote registry service is not running in the workstation 192.168.12.232.
The CA cannot reach the FortiGate with the IP address 192.168.12.232.
31. In which two states is a given session categorized as ephemeral? (Choose two.)

A TCP session waiting to complete the three-way handshake.


A TCP session waiting for FIN ACK.
A UDP session with packets sent and received.
A UDP session with only one packet received.
32. What events are recorded in the crashlogs of a FortiGate device? (Choose two.)

A process crash.
Configuration changes.
Changes in the status of any of the FortiGuard licenses.
System entering to and leaving from the proxy conserve mode.
33. View the exhibit, which contains a session entry, and then answer the question
below.
Which statement is correct regarding this session?

It is an ICMP session from 10.1.10.10 to 10.200.1.1.


It is an ICMP session from 10.1.10.10 to 10.200.5.1.
It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.
34. Refer to the exhibit, which contains the output of a BGP debug command.

Which statement explains why the state of the 10.200.3.1 peer is Connect?

The local router is receiving BGP keepalives from the remote peer, but the local peer
has not received the OpenConfirm yet.
The TCP session to 10.200.3.1 has not completed the 3-way handshake.
The local router is receiving the BGP keepalives from the peer, but it has not received
a BGP prefix yet.
The local router has received the BGP prefixes from the remote peer.
35. A FortiGate device has the following LDAP configuration:
The administrator executed the ‘dsquery’ command in the Windows LDAP server
10.0.1.10, and got the following output:

>dsquery user -samid administrator

“CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab”

Based on the output, what FortiGate LDAP setting is configured incorrectly?

cnid.
username.
password.
dn.