Fortinet NSE4 FGT Jan 2024
Question #1 Topic 1
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. It limits the scanning of application traffic to the browser-based technology category only.
Correct Answer: A
Selected Answer: A
NSE4 7.2 Security page 317: You can configure the URL Category within the same security policy; however, adding a URL filter causes application
control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website.
upvoted 14 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
Correct is A
upvoted 1 times
Selected Answer: A
A. It limits the scanning of application traffic to the browser-based technology category only.
You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in
only the browser-based technology category, for example, Facebook Messenger on the Facebook website.
upvoted 1 times
When using a URL list and application control in the same firewall policy in NGFW policy-based mode, the firewall may be limited in its ability to
fully inspect and control application traffic. This is because the URL list only controls access to specific websites or domains, while the application
control inspects and controls the specific applications or services being used.
By combining both features, the firewall may only be able to inspect and control traffic based on the application category, rather than the specific
application being used. This could potentially allow certain applications or services to bypass security measures if they are not categorized
correctly, or if they are categorized under a broader category that is not being blocked.
Therefore, it is important to carefully consider the limitations and potential gaps in security when using both URL lists and application control in
the same firewall policy.
upvoted 2 times
Having web filtering and application control in the same policies exhausts resources, which means there is no good analysis in the browser-based categories.
upvoted 1 times
"You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications
in only the browser based technology category, for example, Facebook Messenger on the Facebook website"
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.
A. Policy with ID 4.
B. Policy with ID 5.
D. Policy with ID 4.
Correct Answer: A
Selected Answer: B
We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to
facebook.com TCP port 443 (HTTPS). There are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies are
evaluated from top to bottom. This means that the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based
on the Policy Lookup criteria, Policy ID 5 will be highlighted.
upvoted 7 times
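As an added illustration of the top-to-bottom evaluation described in the comment above (example code, not FortiGate code and not the exhibit's policy table): a minimal first-match policy lookup. The policy IDs, interface names, address objects and their order below are constructed for the demonstration; the point is that sequence, not ID, decides which policy a flow hits, and that a broad policy placed above a specific one silently shadows it.

```python
"""First-match firewall policy lookup (added example, not FortiGate code).

Policies are evaluated top to bottom and the first one matching every
criterion is applied, so a flow that could match several policies is
handled by whichever sits highest in the sequence. The policy table,
interface names and address objects below are constructed for the
demonstration and are not taken from the exhibit.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ALL = "all"  # stand-in for the built-in "all" address / ALL service object


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: tuple  # IPv4Network objects, or (ALL,)
    dstaddr: tuple  # FQDN strings, or (ALL,)
    service: tuple  # (proto, port) pairs, or (ALL,)
    action: str     # "accept" or "deny"


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: IPv4Address
    dst_fqdn: str
    proto: str
    dport: int


def matches(policy: Policy, flow: Flow) -> bool:
    """True when the flow satisfies every criterion of one policy."""
    if policy.srcintf != flow.srcintf or policy.dstintf != flow.dstintf:
        return False
    src_ok = policy.srcaddr == (ALL,) or any(flow.src in net for net in policy.srcaddr)
    dst_ok = policy.dstaddr == (ALL,) or flow.dst_fqdn in policy.dstaddr
    svc_ok = policy.service == (ALL,) or (flow.proto, flow.dport) in policy.service
    return src_ok and dst_ok and svc_ok


def policy_lookup(policies, flow: Flow) -> Optional[int]:
    """Return the ID of the first matching policy in sequence order, or None.

    This is what the Policy Lookup tool reports: evaluation stops at the
    first hit, so policies further down are never consulted for this flow.
    """
    for policy in policies:
        if matches(policy, flow):
            return policy.policy_id
    return None


def all_matching_ids(policies, flow: Flow):
    """Every policy that would match if it were on top; the difference
    between this list and policy_lookup() is the shadowing created by order."""
    return [p.policy_id for p in policies if matches(p, flow)]


HTTPS = ("tcp", 443)

# Constructed table. Sequence (top to bottom) is what matters, not the ID:
# ID 5 sits above the catch-all ID 2, so it wins for the LOCAL_CLIENT flow.
POLICIES = (
    Policy(1, "port3", "port1", (IPv4Network("10.1.1.0/24"),), ("example.org",), (HTTPS,), "accept"),
    Policy(5, "port3", "port1", (IPv4Network("10.1.1.10/32"),), ("facebook.com",), (HTTPS,), "deny"),
    Policy(2, "port3", "port1", (ALL,), (ALL,), (ALL,), "accept"),
)

LOCAL_CLIENT_TO_FACEBOOK = Flow("port3", "port1", IPv4Address("10.1.1.10"), "facebook.com", "tcp", 443)

if __name__ == "__main__":
    print("first match:", policy_lookup(POLICIES, LOCAL_CLIENT_TO_FACEBOOK))     # 5
    print("all matches:", all_matching_ids(POLICIES, LOCAL_CLIENT_TO_FACEBOOK))  # [5, 2]
    # Moving the catch-all above ID 5 silently shadows the specific rule.
    reordered = (POLICIES[2], POLICIES[1], POLICIES[0])
    print("after reorder:", policy_lookup(reordered, LOCAL_CLIENT_TO_FACEBOOK))  # 2
```

The `all_matching_ids` helper is the review check worth running on a real table: any flow where it returns more than one ID is a flow whose handling depends purely on sequence, so a later reorder can flip an intended deny into an accept without any object changing.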
Selected Answer: B
B. Policy with ID 5.
Selected Answer: B
Answer: B
upvoted 1 times
Correct is B
upvoted 1 times
Policy ID 5
upvoted 1 times
Selected Answer: B
Source Port3, object LOCAL_CLIENT, destination facebook.com, web services, so 443 is implicit; it has to be ID 5, answer B.
upvoted 1 times
Question #3 Topic 1
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
Correct Answer: CD
This Question has been asked on 7.0 and 6.4 NSE 4. It’s always been a one answer question. So it’s only C.
upvoted 1 times
Selected Answer: BC
Selected Answer: BC
b and c
upvoted 1 times
Selected Answer: BC
b and c
upvoted 1 times
Selected Answer: C
I think there's some confusion; it could just be a mistype under "choose two answers" because the other answers do not really make sense. Found an old reference which only uses different VLAN IDs as the answer.
https://vceguide.com/which-statements-about-the-vlan-sub-interfaces-can-have-the-same-vlan-id-only-if-they-have-ip-addresses-in-different-subnets/
upvoted 1 times
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883
Selected Answer: BC
VLAN
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640
Selected Answer: BC
Meaning that sub-interfaces (VLANs) from the same physical interface can have the same VLAN ID as long as they are not assigned to the same VDOM.
upvoted 2 times
Selected Answer: BC
Correct is B and C
upvoted 3 times
Selected Answer: BC
A. Strict RPF allows packets back to sources with all active routes.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session.
Correct Answer: C
Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the routing table contains a matching route for the source address and the incoming interface, but there is a better route for the source address through another interface, the RPF check fails.
upvoted 1 times
B definitely
upvoted 1 times
Selected Answer: B
B. Strict RPF checks the best route back to the source using the incoming interface.
So in short, if there is a best route out of its incoming interface then strict will pass. If there is a route from the incoming interface but a better route out of another, strict will deny.
upvoted 1 times
Selected Answer: B
Correct answer: B
upvoted 1 times
Selected Answer: B
Correct is B
upvoted 1 times
Selected Answer: B
B is correct
upvoted 1 times
Packet is dropped if its ingressing interface does not match the interface selected by the routing lookup.
upvoted 1 times
Selected Answer: B
Answer is B. "The default feasible RPF mode checks only for the existence of at least one active route back to the source using the incoming
interface. The strict RPF check ensures the best route back to the source is used as the incoming interface."
upvoted 3 times
Infra guide Page 39: "In strict mode, FortiGate checks that the best route to the source IP is through the incoming interface. The route not only has to be active (as in the case of loose mode), but it also has to be the best."
upvoted 2 times
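To make the loose/strict distinction quoted in the comments above concrete, here is an added example (not FortiGate code) that runs both checks over a constructed routing table. A summary route on port1 covers a range for which a more specific route exists on port2; a packet from that range arriving on port1 passes the feasible check but fails the strict one, which is exactly the spoofed-source case strict mode is meant to catch.

```python
"""Loose (feasible) versus strict reverse path forwarding, as an added
example of the distinction quoted above; not FortiGate code. The routing
table is constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    active: bool = True  # False models a route held in the database but not installed


def best_route(routes, ip: IPv4Address) -> Optional[Route]:
    """Routing-table lookup: among active routes covering ip, the longest prefix wins."""
    candidates = [r for r in routes if r.active and ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def rpf_loose(routes, src_ip: IPv4Address, in_intf: str) -> bool:
    """Feasible mode: pass if at least one active route back to the source
    uses the incoming interface, even when a better route exists elsewhere."""
    return any(r.active and src_ip in r.prefix and r.interface == in_intf for r in routes)


def rpf_strict(routes, src_ip: IPv4Address, in_intf: str) -> bool:
    """Strict mode: the best route back to the source must point out the
    incoming interface; a merely matching route on that interface is not enough."""
    best = best_route(routes, src_ip)
    return best is not None and best.interface == in_intf


def rpf_verdict(routes, src_ip: str, in_intf: str) -> dict:
    """Both verdicts for one packet, to compare the modes side by side."""
    ip = IPv4Address(src_ip)
    return {"loose": rpf_loose(routes, ip, in_intf), "strict": rpf_strict(routes, ip, in_intf)}


# Constructed routing table: a summary route on port1 and a more specific
# route for part of that range on port2; the port3 route is not active.
ROUTES = (
    Route(IPv4Network("10.0.0.0/8"), "port1"),
    Route(IPv4Network("10.1.0.0/16"), "port2"),
    Route(IPv4Network("10.9.0.0/16"), "port3", active=False),
)

if __name__ == "__main__":
    # Source 10.1.5.5 arriving on port1: loose passes (the /8 points to port1),
    # strict drops (the best route, the /16, points to port2).
    print(rpf_verdict(ROUTES, "10.1.5.5", "port1"))
    print(rpf_verdict(ROUTES, "10.1.5.5", "port2"))
    print(rpf_verdict(ROUTES, "192.168.9.9", "port1"))  # no route at all: both drop
```

Note the inactive port3 route: it satisfies neither mode, matching the guide's wording that a loose-mode route must at least be active. A source with no route at all is dropped in both modes.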
Question #5 Topic 1
end
set block-session-timer 30
end
Correct Answer: AB
Selected Answer: CD
Selected Answer: CD
Correct Answer: CD
upvoted 1 times
Selected Answer: CD
C & D correct
upvoted 1 times
Selected Answer: CD
Correct is C and D
upvoted 1 times
We enable denied session to be added into the session table to reduce the CPU processing due to denied session from same source/destination ip
address, port and protocol.
Solution
Below are the commands to enable denied session to be added into the session table:
#config system settings
#set ses-denied-traffic enable
#end
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478
upvoted 2 times
set block-session-timer <integer 1 – 300> (this determines, in seconds, how long the session is kept in the table)
upvoted 1 times
Selected Answer: CD
Correct C and D
upvoted 1 times
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook, but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?
D. Get the additional application signatures required to add to the security policy.
Correct Answer: B
Selected Answer: B
Selected Answer: B
FortiGate needs to perform full SSL inspection. Without full SSL inspection, FortiGate cannot inspect encrypted traffic.
upvoted 1 times
Selected Answer: B
Correct is B
upvoted 2 times
Selected Answer: B
Correct: B
upvoted 1 times
Selected Answer: B
B is correct
upvoted 1 times
It needs to perform deep inspection of the actions being taken on the Facebook page in order to deny the reactions.
upvoted 3 times
Selected Answer: B
B is correct
This indicates that the rules are partially working, as they can watch videos but can't react, i.e. like the content. So it must be an issue with the SSL inspection rather than adding an app rule.
upvoted 4 times
Selected Answer: B
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is
Correct Answer: D
Selected Answer: D
The correct answer is D. When both devices are configured with set downstream-access-disable (answer in C) then the newly created address
objects are still replicated. However, when I configure the root with set fabric-object-unification local the address object is no longer replicated to
the downstream FortiGates. I believe that the Exhibit B is wrong!
upvoted 9 times
JakubCh Highly Voted 5 months ago
Selected Answer: C
D - not correct
Fortigate Security guide 7.2 - page 434
The CLI command "set fabric-object-unification" is only available on the root FortiGate.
upvoted 7 times
Selected Answer: C
Answer C is correct.
upvoted 1 times
Selected Answer: C
A is wrong, "if set configuration-sync is set to local, the downstream device does not participate in synchronization"
B wrong, as the connection has been established and no need to authenticate
D is wrong, the command is already there on the root
C is the only one left
upvoted 1 times
Selected Answer: C
Selected Answer: D
On the config output, set fabric-object-unification is set to local, which means the device does not synchronize objects from the root but will send the synchronized objects downstream. So it must be changed back to default (which is the default setting) and Global CMDB objects will be synchronized in the Security Fabric.
https://www.coursehero.com/file/p6s6q0dr/An-administrator-creates-a-new-address-object-on-the-root-FortiGate-Local/
upvoted 1 times
Selected Answer: D
Selected Answer: D
Exhibit B is wrong, check the same question from previous exam version:
https://www.examtopics.com/exams/fortinet/nse4_fgt-70/view/5/
The correct answer is D. Exhibit B is wrong. It should say "set fabric-object-unification local", which will cause the problem described. None of the
other choices fix the problem.
upvoted 2 times
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage
thresholds.
Based on the system performance output, which two results are correct? (Choose two.)
Correct Answer: BD
Based on the system performance output, it appears that FortiGate has entered conserve mode and administrators cannot change the
configuration.
FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational capacity in order to conserve resources
and improve performance. This may be necessary if the system is experiencing high levels of traffic or if there are issues with resource utilization.
Administrators cannot change the configuration: When the system is in conserve mode, administrators may not be able to change the
configuration. This is because the system is prioritizing resource conservation over other activities, and making changes to the configuration may
require additional resources that are not available.
It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and administrators may still be able to access
FortiGate through other means besides the console port.
upvoted 11 times
Selected Answer: BC
If the memory usage goes above the percentage defined as the red threshold, the FortiGate enters conserve mode. While in conserve mode, the system configuration cannot be changed and quarantine actions (including FortiSandbox analysis) are skipped.
upvoted 2 times
Admins cannot change the configuration when the FortiGate is in conserve mode.
upvoted 1 times
Correct is B and C
upvoted 2 times
Selected Answer: BC
When the FortiGate reaches the configured memory threshold it enters conserve mode; its configuration can then only be changed by the administrator from the console.
upvoted 1 times
Selected Answer: BC
What actions does FortiGate take to preserve memory while in conserve mode?
• FortiGate does not accept configuration changes, because they might increase memory usage.
• FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.
• You can configure the fail-open setting under config ips global to control how the IPS engine
behaves when the IPS socket buffer is full.
upvoted 2 times
Selected Answer: BC
Selected Answer: BC
Selected Answer: BC
What two conclusions can you make from the debug flow output? (Choose two.)
Correct Answer: AC
Selected Answer: AC
AC
100%
upvoted 1 times
Selected Answer: AC
Selected Answer: AC
Correct answers
upvoted 1 times
Selected Answer: AC
ICMP proto 1
New session
upvoted 1 times
ICMP proto: 1
new session
upvoted 1 times
Selected Answer: AC
proto = 1 = ICMP
"allocate a new session...."
upvoted 1 times
Correct answers
upvoted 1 times
Answer correct!
upvoted 1 times
When a new session is created, it has to be checked whether there are problems in the data transmission.
upvoted 1 times
Selected Answer: AC
A & C correct
upvoted 1 times
Selected Answer: AC
AC is correct.
upvoted 1 times
Question #10 Topic 1
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static
IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?
A. 192.168.2.0/24
B. 192.168.0.0/8
C. 192.168.1.0/24
D. 192.168.3.0/24
Correct Answer: C
For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the
remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach
the 192.168.2.0/24 subnet at site B.
To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the
same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at
site B to reach the 192.168.1.0/24 subnet at site A.
Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.
upvoted 14 times
Selected Answer: A
A. 192.168.2.0/24
Selected Answer: A
Correct answer is A
upvoted 1 times
Selected Answer: A
192.168.2.0/24
upvoted 1 times
Selected Answer: A
If I configure A first, setting a local and a remote, I must copy the same into B, but inverted.
upvoted 2 times
erawemk 5 months, 2 weeks ago
Selected Answer: A
SiteA: local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24
SiteB: local quick mode selector is 192.168.2.0/24 and the remote quick mode selector is 192.168.1.0/24
This is set to make a working Phase 2 VPN configuration, the tricky words are local and SiteB
upvoted 3 times
Selected Answer: A
Has to be mirrored
upvoted 1 times
This logic must flip when considering site B, which now becomes the local site, 192.168.2.0. This means the remote site must now become Site A,
192.168.1.0
upvoted 1 times
Selected Answer: A
Correct Answer.
upvoted 1 times
Selected Answer: A
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)
B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
Correct Answer: BC
Selected Answer: CD
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
Selected Answer: CD
This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user uses PSK and a PKI client certificate to authenticate. The FG devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
link: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/508779/fortigate-as-ssl-vpn-client
The SSL VPN server has a custom server certificate defined, and the SSL VPN client user uses PSK and a PKI client certificate to authenticate. The
FortiGates must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
upvoted 2 times
santi1509 9 months, 4 weeks ago
Selected Answer: BC
The client must install the authentication software on its local machine, which is responsible for establishing the HA signature; this is sent to the FortiGate, which stores the HA certificate. Each time a connection or request is made, the FortiGate compares the two certificates and, if they match, lets the request through.
upvoted 2 times
C: This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user uses PSK and a PKI client certificate to
authenticate. The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the
certificate.
D: The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.
upvoted 1 times
Selected Answer: CD
https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/508779/fortigate-as-ssl-vpn-client
The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.
The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
upvoted 3 times
Selected Answer: CD
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
To establish an SSL VPN connection between two FortiGate devices, the following two settings are required:
The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate will use a CA (Certificate Authority)
certificate to verify the client FortiGate certificate, ensuring that the client device is trusted and allowed to establish an SSL VPN connection.
The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: The client FortiGate must have an SSL VPN tunnel interface
type configured in order to establish an SSL VPN connection. This interface type will be used to connect to the server FortiGate over the SSL VPN.
upvoted 2 times
Question #12 Topic 1
D. Reliable logging prevents the loss of logs when the local disk is full.
Correct Answer: D
Selected Answer: B
Selected Answer: B
Reliable logging changes the log transport delivery from UDP to TCP. Then, only if you are using Reliable logging, you can do encryption.
NSE 4 training 7.2 training material: Fortigate Security: 05.Logging and Monitoring: Page 22, Reliable logging and OFTPs
upvoted 10 times
D. Reliable logging prevents the loss of logs when the local disk is full.
Reliable logging helps ensure that logs are not lost even when the local disk reaches its capacity by offloading and storing them in another location
or system.
This statement is not accurate regarding reliable logging on FortiGate. Reliable logging primarily focuses on ensuring logs are not lost due to disk
space constraints, rather than specifically encrypting log transmissions. Encryption of log transmissions would typically be handled through other
means such as secure protocols or encryption settings, not directly tied to reliable logging functionality.
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: D
As encryption is an optional feature and this course is about FGT 7.2, I would argue that D is the answer they are aiming at.
Fortigate Security 7.2 Study Guide, p. 192:
When both FortiGate and FortiAnalyzer are running version 7.2 or later, and reliable logging is configured, FortiGate keeps logs in a confirm queue
until it verifies those logs were received by FortiAnalyzer. This is achieved by using sequence numbers (seq_no) to track the logs received. FortiOS
periodically queries FortiAnalyzer for the latest seq_no of the last log received, and clears logs from the confirm queue up to the seq_no.
upvoted 1 times
Igor_Mioralli 1 month, 2 weeks ago
Selected Answer: D
Encryption is OPTIONAL, so the answer is D. The main reason you would allow Reliable logs is to prevent log loss, so it is RELIABLE in the case of a failure. Encryption is to SECURE the logs, not to make it RELIABLE:
reliable
/rɪˈlʌɪəbl/
adjective
consistently good in quality or performance; able to be trusted.
"a reliable source of information"
Source :
https://docs.fortinet.com/document/fortigate/7.2.0/new-features/942202/improve-fortianalyzer-log-caching#:~:text=Improve%20FortiAnalyzer%20log%20caching,seq_no%20to%20track%20received%20logs
upvoted 1 times
Selected Answer: D
NSE4 - Security Training 7.2 - Study Guide, page 192.
"Selected Answer: B
NSE4 - Security Training 7.2 - Study Guide, page 191.
Answer: D.
NSE4 - Security Training 7.2 - Study Guide, page 192.
"When both Fortigate and FortiAnalyzer are running version 7.2 or later, and reliable logging is configured, Fortigate keeps logs in a confirm queue
until it verifies those logs were received by FortiAnalyzer.
OPTIONALLY, if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecure network."
upvoted 4 times
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Encrypt-logs-sent-to-FortiAnalyzer-FortiManager/ta-p/192021
Sample config CLI shows "set reliable enable" along with "set enc-algorithm" command ... so B seems to be correct
upvoted 1 times
Selected Answer: B
If using reliable logging ("set reliable enable"), then you have the option to encrypt communications using OFTPS ("set enc-algorithm").
upvoted 3 times
Selected Answer: B
Selected Answer: B
Correct answer
upvoted 1 times
Reliable logging is a feature that stores log messages in a buffer on the FortiGate until they can be written to the local disk. This helps to prevent
the loss of log messages if the local disk becomes full. Reliable logging is not enabled by default, and it can be configured using the CLI or the
FortiGate web interface.
Reliable logging is not enabled by default in all configuration scenarios. It must be enabled explicitly.
Reliable logging is not required to encrypt the transmission of logs. Encryption can be configured separately.
Reliable logging can be configured using the CLI or the FortiGate web interface.
upvoted 3 times
Question #13 Topic 1
The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?
A. 10.200.1.1
B. 10.0.1.254
C. 10.200.1.10
D. 10.200.1.100
Correct Answer: D
Selected Answer: D
Selected Answer: D
D. 10.200.1.100
upvoted 2 times
D. 10.200.1.100
If outbound traffic matches a rule with NAT enabled and an IP pool configured, traffic will use the IP pool external IP.
Basically SNAT priority from high to low will be :
1) IP pool
2) VIP IP
3) SNAT egress interface
upvoted 3 times
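The priority list in the comment above, worked through as an added example (not FortiGate code). The objects are constructed to line up with the question's answer choices: an IP pool of 10.200.1.100, a VIP whose external address is 10.200.1.10 mapped to the workstation 10.0.1.10, and an egress interface at 10.200.1.1. Two assumptions are mine: the pool is modelled as a single address, and the VIP's external IP is used only for traffic sourced by its mapped host, which is how I read the "default VIP behaviour in SNAT" the thread refers to.

```python
"""Source-address selection for outbound traffic, following the priority
given in the comment above (IP pool, then VIP external IP, then egress
interface IP). Added example, not FortiGate code: the objects below are
constructed to match the answer choices of the question, and the rule
that a VIP's external IP is used only for traffic sourced by its mapped
host is my reading of the default VIP behaviour the thread refers to."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    ip: IPv4Address


@dataclass(frozen=True)
class VIP:
    name: str
    extintf: str
    extip: IPv4Address     # public address of the VIP
    mappedip: IPv4Address  # internal server behind it


@dataclass(frozen=True)
class Policy:
    policy_id: int
    nat: bool
    ippool: Optional[IPv4Address] = None  # single-address pool, as a simplification


# Constructed objects; values are assumptions aligned with the answer choices.
WAN = Interface("port1", IPv4Address("10.200.1.1"))
VIPS = (VIP("webserver-vip", "port1", IPv4Address("10.200.1.10"), IPv4Address("10.0.1.10")),)


def choose_snat(policy: Policy, src_ip: IPv4Address, egress: Interface, vips) -> Optional[IPv4Address]:
    """Return the translated source address, or None when the policy does not NAT."""
    if not policy.nat:
        return None                       # packet keeps its original source
    if policy.ippool is not None:
        return policy.ippool              # 1) IP pool on the policy wins
    for vip in vips:
        if vip.mappedip == src_ip and vip.extintf == egress.name:
            return vip.extip              # 2) VIP external IP for the mapped host
    return egress.ip                      # 3) egress interface address


def snat_for_workstation(src: str, with_pool: bool) -> str:
    """Chosen source address, as text, for one workstation with or without a pool."""
    policy = Policy(1, nat=True, ippool=IPv4Address("10.200.1.100") if with_pool else None)
    return str(choose_snat(policy, IPv4Address(src), WAN, VIPS))


if __name__ == "__main__":
    print(snat_for_workstation("10.0.1.10", with_pool=True))   # 10.200.1.100 (IP pool)
    print(snat_for_workstation("10.0.1.10", with_pool=False))  # 10.200.1.10  (VIP)
    print(snat_for_workstation("10.0.1.20", with_pool=False))  # 10.200.1.1   (interface)
```

The second and third calls show why the VIP matters for a SNAT question at all: without the pool, the mapped host would leave with the VIP's public address, while any other internal host falls through to the interface address.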
Selected Answer: D
Selected Answer: C
- The second Firewall policy will activate the VIP so that its external IP address can be used to perform SNAT when the HOST generates traffic
towards the Internet.
- Internet Traffic from internal network will be allowed by first firewall policy for SNAT with VIP's external IP address.
upvoted 3 times
Selected Answer: D
Selected Answer: D
The question says SNAT, so the only correct answer here (looking at the IP Pool) is D
upvoted 1 times
Selected Answer: D
Selected Answer: D
D is correct. If the IP Pool had not been set on the egress policy, C would have been the correct answer due to the default VIP behaviour in SNAT.
upvoted 1 times
From LAN to WAN, the Source NAT will use the IPPOOL with address configured 10.200.1.100
Destination NAT, from WAN to LAN, will use the VIP
upvoted 3 times
Question #14 Topic 1
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time,
the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.
Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?
C. Enable port forwarding on the server to map the external service port to the internal service port.
Correct Answer: D
Selected Answer: B
correct answer is B:
In the routing table of the ISP we can see that the route is C (connected), which means that if there is no ARP entry, traffic will be dropped by the ISP, and this is why there are no packets in the forti sniffer.
upvoted 24 times
Selected Answer: B
C. Enable port forwarding on the server to map the external service port to the internal service port.
upvoted 2 times
match-vip is not allowed in firewall policies when the action is set to accept.
https://docs.fortinet.com/document/fortigate/6.4.11/fortios-release-notes/350283/enabling-match-vip-in-firewall-policies
upvoted 4 times
With match-vip disabled, there was not going to be any traffic coming from the internet because they had not connected.
upvoted 1 times
The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VPN (enabled by default, here disabled) to facilitate routing on the upstream network.
upvoted 4 times
Which two statements are true about the FGCP protocol? (Choose two.)
Correct Answer: AD
Selected Answer: AC
The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA) clusters of FortiGate devices. It performs
several functions, including the following:
FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate device will be the primary device,
responsible for handling traffic and making decisions about what to allow or block. FGCP uses a variety of factors, such as the device's priority, to
determine which device should be the primary.
FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA cluster using the heartbeat links. These are
dedicated links that are used to exchange status and control information between the devices. FGCP does not run over other types of links, such
as data links.
upvoted 13 times
Selected Answer: AC
A and C are correct. Transparency doesn't matter here, and HA devices must be configured, not discovered.
upvoted 3 times
Selected Answer: AC
Selected Answer: AC
A and C is correct
upvoted 1 times
Selected Answer: AC
it's ok.
upvoted 1 times
Selected Answer: AC
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes
down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Correct Answer: AD
Selected Answer: BD
B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Enable Dead Peer Detection.
Selected Answer: BD
Answer: BD
upvoted 1 times
Selected Answer: BD
BD, as explained in the IPsec videos in the official nse4 training guide from fortinet
upvoted 1 times
Selected Answer: BD
Selected Answer: BD
Selected Answer: BD
Correct B and D
upvoted 1 times
Selected Answer: BD
BD correct
upvoted 1 times
Selected Answer: BD
Selected Answer: BD
Selected Answer: BD
BD are correct
upvoted 2 times
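An added example (not FortiGate code) of the two requirements the thread settles on: the primary tunnel's static route needs the lower distance, and Dead Peer Detection is what withdraws that route when the peer dies. Tunnel names, distances and the remote subnet are constructed; the simulation also runs the inverted-distance configuration from option A and the no-DPD case so the failure modes are visible next to the working setup.

```python
"""Static-route failover between two IPsec tunnels, as an added example of
why the primary route needs the lower distance and why Dead Peer Detection
matters; not FortiGate code. Tunnel names, distances and the destination
subnet are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    dst: IPv4Network
    device: str    # tunnel interface the route points to
    distance: int  # lower is preferred when the same prefix is reachable both ways


@dataclass
class Tunnel:
    name: str
    peer_reachable: bool = True  # what DPD probes would observe
    dpd_enabled: bool = False
    up: bool = True


def run_dpd(tunnels) -> None:
    """With DPD enabled, a tunnel whose peer stops answering is brought down,
    which withdraws the static routes pointing to it. Without DPD the tunnel
    stays up (until rekey) and its route keeps attracting traffic into a dead path."""
    for t in tunnels:
        if t.dpd_enabled and not t.peer_reachable:
            t.up = False


def select_egress(routes, tunnels, dst: IPv4Address) -> Optional[str]:
    """Longest matching prefix among routes whose tunnel is up, then lowest distance."""
    up = {t.name for t in tunnels if t.up}
    usable = [r for r in routes if r.device in up and dst in r.dst]
    if not usable:
        return None
    best = min(usable, key=lambda r: (-r.dst.prefixlen, r.distance))
    return best.device


def simulate(routes, primary_dpd: bool, primary_peer_reachable: bool) -> Optional[str]:
    """Tunnel chosen for 192.168.2.10 under one combination of DPD setting and peer state."""
    tunnels = [Tunnel("vpn-primary", primary_peer_reachable, primary_dpd),
               Tunnel("vpn-backup", True, True)]
    run_dpd(tunnels)
    return select_egress(routes, tunnels, IPv4Address("192.168.2.10"))


REMOTE = IPv4Network("192.168.2.0/24")
# Correct design (answer B): primary route has the lower distance.
ROUTES_OK = (StaticRoute(REMOTE, "vpn-primary", 10), StaticRoute(REMOTE, "vpn-backup", 20))
# Inverted distances (answer A): the backup tunnel carries traffic even when both are up.
ROUTES_INVERTED = (StaticRoute(REMOTE, "vpn-primary", 20), StaticRoute(REMOTE, "vpn-backup", 10))

if __name__ == "__main__":
    print(simulate(ROUTES_OK, True, True))        # vpn-primary: both up, lower distance wins
    print(simulate(ROUTES_OK, True, False))       # vpn-backup: DPD brought the primary down
    print(simulate(ROUTES_OK, False, False))      # vpn-primary: no DPD, dead tunnel still routes
    print(simulate(ROUTES_INVERTED, True, True))  # vpn-backup: wrong distance ordering
```

The third case is the one to remember operationally: with the right distances but no DPD, a dead primary keeps its route installed and the traffic is blackholed rather than failed over.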
What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)
Correct Answer: AC
Selected Answer: AC
Selected Answer: AC
Selected Answer: AC
Correct A and C
upvoted 1 times
Selected Answer: AC
FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based inspection, which can help to improve the
performance of the firewall device and reduce the impact on overall system performance.
FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based inspection, which can be important for
real-time applications or other types of traffic that require low latency.
upvoted 4 times
FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the
Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)
A. www.example.com
B. www.example.com/index.html
C. www.example.com:443
D. example.com
Correct Answer: AB
Selected Answer: AD
A. www.example.com
D. example.com
To create a web rating override for the home page of the example.com domain, the administrator must use one of the following syntaxes:
www.example.com: This syntax specifies the fully qualified domain name (FQDN) of the website, including the www subdomain. This syntax will
apply the web rating override to all pages on the website, including the home page.
example.com: This syntax specifies the root domain of the website, without the www subdomain. This syntax will also apply the web rating
override to all pages on the website, including the home page.
upvoted 17 times
Selected Answer: AD
A. www.example.com
D. example.com
Selected Answer: AD
A. www.example.com
D. example.com
upvoted 1 times
Selected Answer: AD
Correct answer
upvoted 1 times
Selected Answer: AD
Correct A and D
upvoted 1 times
Selected Answer: AD
AD correct
upvoted 1 times
Selected Answer: AD
AD correct
upvoted 1 times
A and D
upvoted 1 times
Selected Answer: AD
Selected Answer: AD
Selected Answer: AD
Refer to exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However,
when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.
Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?
A. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.
Correct Answer: C
Selected Answer: C
Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has
also configured a Static URL Filter to block access to twitter.com. As a result, users are being redirected to a block page when they try to access
twitter.com.
To allow users to access twitter.com while blocking all other social networking sites, the administrator can make the following configuration
change:
On the Static URL Filter configuration, set Action to Exempt: By setting the Action to Exempt, the administrator can override the block on
twitter.com that was specified in the FortiGuard Category Based Filter. This will allow users to access twitter.com, while all other social networking
sites will still be blocked.
upvoted 8 times
Selected Answer: C
Even though in the GUI the static URL filter is configured as part of the Web Filter profile, in the background they are separate. FortiGate will apply the
following order of inspection: 1) Static URL -> 2) FortiGuard Category Filter -> 3) Advanced Filter.
When the static URL filter is configured to allow, FGT will move to the next step and check if the URL is allowed or blocked by FortiGuard categories.
The Exempt action on the static URL filter will tell FGT to exempt this URL from other inspections, bypassing FortiGuard categories.
upvoted 3 times
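The inspection order described above, as an added example (not FortiGate code and not from the study guide): a small model of a web filter profile where the static URL filter runs first and only Exempt stops the FortiGuard category lookup. The category table is constructed sample data, not the live FortiGuard service.

```python
"""Model of FortiGate-style web filter evaluation order (added example, not FortiGate code)."""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatch
from urllib.parse import urlsplit


class Action(Enum):
    ALLOW = "allow"      # passes the static filter; category lookup still runs
    MONITOR = "monitor"  # same as allow, but logged
    BLOCK = "block"      # blocked immediately, block page shown
    EXEMPT = "exempt"    # allowed and exempt from all further web-filter inspection


@dataclass
class StaticUrlEntry:
    pattern: str     # wildcard pattern matched against the hostname
    action: Action


@dataclass
class WebFilterProfile:
    static_urls: list = field(default_factory=list)
    blocked_categories: set = field(default_factory=set)


# Constructed stand-in for FortiGuard ratings (hypothetical data, not the live service).
CATEGORY_DB = {
    "twitter.com": "Social Networking",
    "facebook.com": "Social Networking",
    "example.com": "Information Technology",
}


def rate(host):
    """Return the constructed category for a host, ignoring a leading 'www.'."""
    if host.startswith("www."):
        host = host[4:]
    return CATEGORY_DB.get(host, "Unrated")


def evaluate(profile, url):
    """Return (verdict, reason) for url under profile.

    Step 1: static URL filter, first matching entry wins.
    Step 2: FortiGuard category filter, unless step 1 returned EXEMPT or BLOCK.
    """
    host = urlsplit(url).hostname or ""
    for entry in profile.static_urls:
        if fnmatch(host, entry.pattern):
            if entry.action is Action.BLOCK:
                return "blocked", f"static-url:{entry.pattern}"
            if entry.action is Action.EXEMPT:
                return "allowed", f"static-url-exempt:{entry.pattern}"
            break  # ALLOW / MONITOR: fall through to the category filter
    category = rate(host)
    if category in profile.blocked_categories:
        return "blocked", f"category:{category}"
    return "allowed", f"category:{category}"


# The situation in the question: Twitter "allowed" in the static filter while
# Social Networking is blocked by category, so twitter.com still hits the block page.
BROKEN = WebFilterProfile(
    static_urls=[StaticUrlEntry("*twitter.com", Action.ALLOW)],
    blocked_categories={"Social Networking"},
)

# The fix (answer C): Exempt stops the category lookup for twitter.com only.
FIXED = WebFilterProfile(
    static_urls=[StaticUrlEntry("*twitter.com", Action.EXEMPT)],
    blocked_categories={"Social Networking"},
)

if __name__ == "__main__":
    for name, profile in (("broken", BROKEN), ("fixed", FIXED)):
        for url in ("https://twitter.com/home", "https://www.facebook.com/", "https://example.com/"):
            print(name, url, evaluate(profile, url))
```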
Selected Answer: C
Selected Answer: C
Correct answer is C:
Exempt: when set to exempt, the FortiGate allows the traffic and exempts the URL from all further inspection (including FortiGuard categories, which
would then block the traffic)
upvoted 2 times
Selected Answer: C
Selected Answer: C
C is correct
upvoted 1 times
Correct C
upvoted 1 times
C is correct! Tested this in a lab environment and to make this work as stated in the question the Exempt action is the only way to go, and also
*.twimg.com will have to be added to the URL Filter with an Exempt action for this situation to really work!
upvoted 1 times
A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
D. FortiGate buffers the whole file but transmits to the client at the same time.
D as formulated is definitely not a correct answer. FortiOS 7.2 Admin Guide Page 1086. You can read "When a firewall policy's inspection mode is
set to flow, traffic flowing through the policy will not be buffered by the FortiGate". Below the link
https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/659145
So, as C is not correct too, I think there is a mistake in the formulation of answer D, which should be the correct answer.
upvoted 1 times
A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
D. FortiGate buffers the whole file but transmits to the client at the same time.
E. Flow-based inspection optimizes performance compared to proxy-based inspection.
A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection. (correct)
B. If a virus is detected, the last packet is delivered to the client. (Wrong, if a virus is detected the packet is dropped and a RST packet is sent to
client)
C. The IPS engine handles the process as a standalone.(since B and D are wrong, C must be correct)
D. FortiGate buffers the whole file but transmits to the client at the same time. (wrong, in flow-based inspection mode the FortiGate does not buffer
the packets, it delivers them to the client immediately. When the last packet arrives, FortiGate caches it and puts it on hold while performing AV
scanning by the AV engine)
E. Flow-based inspection optimizes performance compared to proxy-based inspection. (correct)
upvoted 1 times
Correct answer is A, D, E
upvoted 1 times
A: Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection
D: the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Some
operations can be offloaded to SPUs to improve performance (not C)
E: If performance is your top priority, then flow inspection mode is more appropriate.
upvoted 2 times
ADE is correct.
upvoted 2 times
Question #21 Topic 1
Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)
Correct:
A. Services defined in the firewall policy
C. Destination defined as Internet Services in the firewall policy
E. Source defined as Internet Services in the firewall policy
The policies are consulted from top to bottom, regardless of the Policy ID #. The first rule that matches is applied and subsequent rules are not
evaluated. FortiGate matches the traffic using the following criteria:
- Incoming Interface
- Outgoing Interface
- Source (IP Address, User, Internet Services)
- Destination (IP Address or Internet Services)
- Service (IP Protocol and Port number)
- Schedule (Time that the packet connected to the FortiGate)
upvoted 4 times
ACE is correct
upvoted 1 times
7.2 SEC 52
upvoted 2 times
there is no priority to be defined in security policies, and the policy id is just for reference
upvoted 2 times
Correct A, C, E
upvoted 1 times
ACE is correct!
upvoted 1 times
ACE - Policy ID does not define a matching criterion, it's just for editing purposes, and there is no priority in the policies, only their order will affect
the matching process.
upvoted 2 times
Correct Answer: CD
Selected Answer: CD
ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to network resources for users, devices,
and applications. It is based on the principle of "never trust, always verify," which means that all access to network resources is subject to strict
verification and authentication.
ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are attempting to access network resources.
This can include checks on the device's software and hardware configurations, security settings, and the presence of malware.
ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are
granted access to only those resources that are necessary for their role, and all other access is denied. This helps to prevent unauthorized access
and minimize the risk of data breaches.
upvoted 15 times
Selected Answer: CD
Correct:
A. ZTNA manages access through the client only. (client or browser)
B. ZTNA manages access for remote users only. (not just remote)
C. ZTNA provides a security posture check.
D. ZTNA provides role-based access.
Selected Answer: CD
Selected Answer: CD
Selected Answer: CD
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer
Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?
A. Pre-shared key
B. Dialup user
C. Dynamic DNS
D. Static IP address
Correct Answer: D
Selected Answer: B
B
How can it be that some of the answers here are the most obviously false ones? :)
upvoted 5 times
Selected Answer: B
B. Dialup user
Selected Answer: B
Selected Answer: B
If it's not an IPsec VPN tunnel with a static peer, it's going to be a dialup tunnel, so option B
upvoted 3 times
It's B!!
Page 25
3 FortiGate_Infrastructure_7.2
upvoted 3 times
Selected Answer: B
B is correct
upvoted 1 times
Selected Answer: B
B is correct!
upvoted 1 times
Question #24 Topic 1
Which timeout setting can be responsible for deleting SSL VPN associated sessions?
Correct Answer: A
Selected Answer: A
The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session
becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the
timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated
resources (such as VPN tunnels and virtual interfaces) will be deleted.
upvoted 10 times
Selected Answer: A
Selected Answer: A
Correct Answer: A
upvoted 1 times
Which statement is correct regarding the use of application control for inspecting web applications?
A. Application control can identify child and parent applications, and perform different actions on them.
C. Application control does not require SSL inspection to identify web applications.
D. Application control does not display a replacement message for a blocked web application.
Correct Answer: A
Selected Answer: A
The FortiGuard application control signature database is organized in a hierarchical structure. This gives you the ability to inspect the traffic with
more granularity. You can block Facebook applications while allowing users to collaborate using Facebook chat.
upvoted 8 times
Selected Answer: A
A. Application control can identify child and parent applications, and perform different actions on them.
Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application
control is enabled, FortiGate can identify child and parent applications, and can perform different actions on them based on the configuration.
upvoted 7 times
Selected Answer: A
Selected Answer: A
Correct:
A. Application control can identify child and parent applications, and perform different actions on them.
Incorrect:
B. Application control signatures are organized in a nonhierarchical structure. (p.302)
C. Application control does not require SSL inspection to identify web applications. (p.296)
D. Application control does not display a replacement message for a blocked web application. (p.308 and p.315)
Selected Answer: C
Selected Answer: A
Correct Answer: A
upvoted 1 times
Question #26 Topic 1
A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through
HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and
The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two.)
B. The EICAR test file exceeds the protocol options oversize limit.
Correct Answer: AD
Selected Answer: AD
SSL is exempted
upvoted 1 times
Selected Answer: AC
Answers are A and C. Can't be B because the file was already downloaded through HTTP without problems and D doesn't apply.
upvoted 1 times
B - Since files bigger than the oversize limit are bypassed from scanning although there is option to enable it
C - Deep inspection is required for scanning files for virus
upvoted 1 times
AC is correct because the file downloading over HTTPS without detection means that there must be no SSL inspection (or at least not the correct one), so A
is true, and C is true because you would need SSL deep inspection in order to inspect a file over HTTPS.
upvoted 1 times
Selected Answer: AC
Correct Answer: AC
upvoted 1 times
Since the file was downloaded using HTTP, it's not the size.
upvoted 3 times
Correct Answer: AC
upvoted 2 times
Selected Answer: AC
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and
Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
B. The traffic sourced from the client and destined to the server is sent to FGT-1.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Correct Answer: AB
Selected Answer: AD
A: Non load balanced: traffic enters port1 and goes out port2 on FGT1. FGT2 is in standby mode
D: In proxy inspection mode, SYN packet goes to FGT1 port1. It is then forwarded to FGT2. the source MAC address of the packet is changed to
the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This
is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is
done only for the first packet of a load balanced session
upvoted 6 times
Selected Answer: AD
FortiGate Infrastructure 7.2 Study Guide (p.317 & p.320): "To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses." "The
primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary encapsulates
the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated
packet includes the original packet plus session information that the secondary requires to process the traffic."
upvoted 1 times
Selected Answer: AD
Correct:
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Incorrect:
B. The traffic sourced from the client and destined to the server is sent to FGT-1. (not primary)
C. The cluster can load balance ICMP connections to the secondary. (not enabled)
For A-A load balance, traffic from the client is received on the primary's vMAC, after which the packet is sent to the secondary for inspection with
the physical MAC address of the primary as source. Then it comes back to the primary and to the client, with which the handshake has begun.
upvoted 2 times
Selected Answer: D
A. Is not true, always Cluster sends traffic to server using physical MAC
B. Is not true, the traffic sourced from the client and destined to the server is sent to FGT-2.
C. Is not true, the cluster cannot load balance ICMP connections
D. Is true for load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary using 0x8891 frame
Everything is taken from the Infrastructure study guide pages 320-322
upvoted 3 times
Selected Answer: AD
Correct Answer is AD
upvoted 1 times
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)
D. The common name on the subject field must use a wildcard name.
Correct Answer: AB
Selected Answer: AB
Selected Answer: AB
Selected Answer: AB
Correct answers: AB
upvoted 1 times
Selected Answer: AB
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Add-a-new-certificate-to-SSL-SSH-inspection/ta-p/251252
upvoted 2 times
Selected Answer: AB
A&B
Selected Answer: AB
Correct Answer: AB
upvoted 1 times
Selected Answer: AB
Security page 323
its CA certificate must have the basicConstraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign
upvoted 2 times
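The two attributes quoted above, turned into an added check that is not from the study guide or FortiGate. It assumes the Python cryptography library is installed, builds a self-signed CA that carries both extensions and a wildcard-CN leaf certificate that does not (answer D's distractor), and tests each for basicConstraints cA=True and keyUsage keyCertSign.

```python
"""Check whether a certificate can act as an SSL-inspection CA (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def ca_usable_for_ssl_inspection(cert):
    """Return (ok, reasons): ok is True only if basicConstraints cA=True and
    keyUsage keyCertSign are both present. The subject CN is not consulted."""
    reasons = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            reasons.append("basicConstraints present but cA=False")
    except x509.ExtensionNotFound:
        reasons.append("basicConstraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.key_cert_sign:
            reasons.append("keyUsage present but keyCertSign not set")
    except x509.ExtensionNotFound:
        reasons.append("keyUsage extension missing")
    return (not reasons, reasons)


def _build_self_signed(common_name, key, *, ca, cert_sign):
    """Hypothetical helper: self-signed cert with the requested extension values."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True,
                content_commitment=False,
                key_encipherment=not cert_sign,  # a leaf uses the key for TLS, not signing certs
                data_encipherment=False,
                key_agreement=False,
                key_cert_sign=cert_sign,
                crl_sign=cert_sign,
                encipher_only=False,
                decipher_only=False,
            ),
            critical=True,
        )
    )
    return builder.sign(key, hashes.SHA256())


def make_demo_certs():
    """Constructed sample certificates: a proper inspection CA and a wildcard leaf."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    inspection_ca = _build_self_signed("Lab Inspection CA", key, ca=True, cert_sign=True)
    # Wildcard CN alone (the distractor in answer D) does not make a CA certificate.
    wildcard_leaf = _build_self_signed("*.example.com", key, ca=False, cert_sign=False)
    return inspection_ca, wildcard_leaf


if __name__ == "__main__":
    for cert in make_demo_certs():
        ok, reasons = ca_usable_for_ssl_inspection(cert)
        print(cert.subject.rfc4514_string(), "usable as inspection CA:", ok, reasons)
```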
Selected Answer: AB
AB is correct.
upvoted 1 times
Question #29 Topic 1
Which three pieces of information are included in the sniffer output? (Choose three.)
A. Packet payload
B. Application header
C. IP header
D. Ethernet header
E. Interface name
Correct:
A. Packet payload
C. IP header
E. Interface name
FortiGate_Infrastructure page 61
upvoted 3 times
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.
Which CLI command causes FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?
Correct Answer: C
Selected Answer: D
Selected Answer: D
Selected Answer: D
Selected Answer: D
To change the fortiguard port, you have to disable "fortiguard-anycast" option under fortiguard settings
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-UDP-protocol-for-FortiGuard-web-filter/ta-p/191920
upvoted 3 times
D is correct answer
upvoted 3 times
D is correct.
upvoted 1 times
Question #31 Topic 1
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends
A. On Demand
B. On Idle
C. Disabled
D. Enabled
Correct Answer: B
Selected Answer: B
Selected Answer: B
B. On Idle
On Idle, option B
upvoted 1 times
Selected Answer: B
On Idle, so B is correct
upvoted 1 times
On Idle: FortiGate sends DPD probes when no traffic is observed in the tunnel.
upvoted 3 times
Question #32 Topic 1
An administrator does not want to report the login events of service accounts to FortiGate.
Correct Answer: A
Selected Answer: A
Selected Answer: A
Selected Answer: A
Selected Answer: A
A is correct
upvoted 2 times
Based on the ZTNA tag, the security posture of the remote endpoint has changed.
Correct Answer: D
Selected Answer: C
Selected Answer: C
Selected Answer: C
Selected Answer: C
ZTNA POLICY
upvoted 2 times
Selected Answer: C
ztna policy
upvoted 2 times
Question #34 Topic 1
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate
device.
Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)
A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
C. FortiGate generates a system event log for every port block allocation made per user.
Correct Answer: AD
Selected Answer: BC
Not A: FortiGate allocates a block size and number per host for a range of external addresses
B: FortiGate allocates port blocks on a first-come, first-served basis
C: For logging purposes, when FortiGate allocates a port block to a host, it generates a system event log to inform the administrator
Not D: It allows 8 blocks of 128 ports per host
upvoted 18 times
Selected Answer: BC
Selected Answer: BC
Selected Answer: BC
Correct: BC
upvoted 1 times
Selected Answer: BC
BC are the correct answers; the question is describing port block allocation, please see Study Guide - Security_7.2 page 109
upvoted 2 times
FortiGate allocates a port block to a host, it generates a system event log to inform the administrator
FortiGate allocates port blocks on a first-come, first-served basis
upvoted 1 times
Selected Answer: CD
https://docs.fortinet.com/document/fortigate/7.2.3/hyperscale-firewall-guide/303964/port-block-allocation-cgn-ip-pool
based on this doc CD are correct
c - When all of the client sessions have ended, FortiOS releases the port block and writes another log message.
d - The number of ports allocated in a block. The default value is 128.
upvoted 1 times
https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/298620/config-firewall-ippool
upvoted 2 times
https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/298620/config-firewall-ippool
upvoted 1 times
Which two statements about the Security Fabric rating are true? (Choose two.)
B. The Security Fabric rating is a free service that comes bundled with all FortiGate devices.
C. Many of the security issues can be fixed immediately by clicking Apply where available.
D. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
Correct Answer: CD
Selected Answer: CD
Selected Answer: CD
Correct:
C. Many of the security issues can be fixed immediately by clicking Apply where available.
D. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
Selected Answer: CD
Selected Answer: CD
Security rating is a subscription service that requires a security rating license. It provides executive summaries of THREE largest areas of security
focus.
upvoted 4 times
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates
A. new-session
B. idle-timeout
C. hard-timeout
D. soft-timeout
E. auth-on-demand
Correct Answer: C
C. hard-timeout
Selected Answer: C
Answer is C: hard-timeout
Fortigate Security 7.2 Study Guide, Pag. 167
upvoted 2 times
Selected Answer: C
Answer is C: hard-timeout
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Firewall/ta-p/189423
upvoted 2 times
Hard: time is an absolute value. Regardless of the user’s behavior, the timer starts as soon as the user authenticates and expires after the
configured value.
upvoted 3 times
Question #37 Topic 1
A. In flow-based inspection mode, files bigger than the buffer size are scanned.
B. In proxy-based inspection mode, files bigger than the buffer size are scanned.
C. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
Correct Answer: CD
Selected Answer: CD
Selected Answer: CD
Correct:
C. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
Selected Answer: CD
Selected Answer: CD
CD correct
upvoted 1 times
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access
In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)
Correct Answer: CD
Selected Answer: BC
Selected Answer: BC
Selected Answer: BC
Correct
upvoted 1 times
Selected Answer: BC
B and C
upvoted 1 times
Selected Answer: CD
Answer should be BC
upvoted 2 times
Examine the intrusion prevention system (IPS) diagnostic command shown in the exhibit.
If option 5 is used with the IPS diagnostic command and the outcome is a decrease in the CPU usage, what is the correct conclusion?
Correct Answer: B
Selected Answer: B
If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate
where the problem might be. Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the
CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.
upvoted 1 times
Correct answer: B
upvoted 1 times
Option 5 enables IPS bypass mode. In this mode, the IPS is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually
indicates that the volume of traffic being inspected is too high for that particular FortiGate model. If the
CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine that you must report to Fortinet's support.
Enterprise_Firewall_7.0_Study_Guide-Online pg 405
upvoted 1 times
Selected Answer: B
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)
A. FTM
B. SSH
C. HTTPS
D. FortiTelemetry
Correct Answer: BC
Simple
2 protocol
upvoted 1 times
B, C
FortiGate Security 7.2 Study Guide p.29
upvoted 1 times
Selected Answer: BC
B and C
upvoted 1 times
B. SSH
C. HTTPS
Selected Answer: BC
B and C
upvoted 1 times
A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
Correct Answer: B
Selected Answer: D
Selected Answer: D
Selected Answer: B
B is correct
upvoted 1 times
Selected Answer: D
Selected Answer: D
It looks to me like 'Otis' is a mistyped 'It is' -- in any case D is the correct answer.
upvoted 1 times
Selected Answer: D
Not A - Video Filtering FortiGuard categories are based on a combination of popular online video provider categories, not web filter FortiGuard
categories
Not B - It is part of the FortiGuard "service", but requires a SEPARATE license bundled with the other FortiGuard security services
NOT C - video filtering DOES require full SSL inspection
By process of elimination, the answer is D - but I can't find any documentation specifically for "Otis"....but video filtering in general should be
applied to only proxy-based FW policies
upvoted 4 times
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
D. The collector agent uses a Windows API to query DCs for user logins.
Correct Answer: D
Selected Answer: C
NetAPI polling does not track user log out through the NetSessionEnum function. This function is used to retrieve info about sessions established on a
server, but it does not specifically track user log outs
upvoted 1 times
Selected Answer: C
Answer is C.
upvoted 1 times
Selected Answer: B
Answer is B you can check FortiGate Infrastructure 7.2 Study Guide p.128
NetAPI: Polls temporary sessions created on the DC when users log in or log out and calls the NetSessionEnum function on Windows.
upvoted 1 times
Selected Answer: D
I think D stands as the correct answer because the question is asking what correctly describes the polling mode. In this case, the polling method
scans a Microsoft or Windows DC using the Windows API (netapi32.dll) for logged in users.
https://community.fortinet.com/t5/FortiGate/Technical-Note-FSSO-NetAPI-polling-bandwidth-usage-calculator/ta-p/196417
upvoted 2 times
Selected Answer: C
Polling doesn't use user logouts, only logins. The correct answer is C, increase network bandwidth.
upvoted 1 times
Selected Answer: B
NetAPI: Polls temporary sessions created on the DC when a user logs in or out and calls the NetSessionEnum function on Windows. It is faster
than WinSec and WMI but in turn might miss some login events if the DC is under heavy load. This is because sessions can be quickly created and
purged from RAM before the agent has time to poll and notify FG.
upvoted 2 times
Selected Answer: C
NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows. It's faster
than the WinSec and WMI methods; however, it can miss some login events if a DC is under heavy system load. This is because sessions can be
quickly created and purged from RAM, before the agent has a chance to poll and notify FortiGate.
upvoted 3 times
Selected Answer: B
Correct: B
FortiGate Infrastructure page 128.
upvoted 1 times
Question #43 Topic 1
What are two features of FortiGate FSSO agentless polling mode? (Choose two.)
A. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
Correct Answer: AD
- If there are many user logins at the same time, the FSSO daemon may miss some.
- No NTLM.
- FSSO-polling Agentless may not work correctly with nested users group.
Selected Answer: AD
Selected Answer: AD
A. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
D. FortiGate does not support workstation check.
Selected Answer: AD
Correct Answer is AD
upvoted 3 times
Question #44 Topic 1
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
C. Antivirus engine
D. Turbo engine
Correct Answer: B
Selected Answer: A
Selected Answer: A
Selected Answer: A
Selected Answer: A
Correct answer is A
upvoted 2 times
Based on the routing database shown in the exhibit, which two conclusions can you make about the routes? (Choose two.)
B. The port1 and port2 default routes are active in the routing table.
Correct Answer: CD
Selected Answer: BC
Correct:
B. The port1 and port2 default routes are active in the routing table.
C. The "port3" default route has the highest distance.
Selected Answer: BC
Please correct the wording of C; the other options make no sense
upvoted 1 times
Selected Answer: BC
Selected Answer: BC
Selected Answer: AB
Bit confusing… Routes with *> are active. So port1 and port2. Answer B.
For C, I guess there is a typo and meant port3 has the highest distance, which is true
upvoted 4 times
Correct Answer is BC
upvoted 2 times
Question #46 Topic 1
The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
B. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
C. Flow-based inspection is used, which resets the last packet to the user.
D. The volume of traffic being inspected is too high for this model of FortiGate.
Correct Answer: C
Selected Answer: C
Selected Answer: C
C. Flow-based inspection is used, which resets the last packet to the user.
Reference and download study guide:
https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
B. FortiGate hostname
C. DNS
D. NTP
Correct Answer: CD
Selected Answer: CD
C. DNS
D. NTP
In the 7.2 Infrastructure Guide (page 306) the list of configuration settings that are NOT synchronized includes both 'FortiGate host name' and
'Cache'
upvoted 3 times
Selected Answer: CD
FortiGate hostname and cache (such as FortiGuard web filtering cache) are NOT synchronized
upvoted 3 times
Question #48 Topic 1
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?
C. Security logs
Correct Answer: D
Selected Answer: B
Selected Answer: B
B. Correct !
upvoted 1 times
Selected Answer: B
Selected Answer: B
Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to
the GUI and FortiGuard queries.
upvoted 4 times
Selected Answer: B
Answer should be B.
upvoted 2 times
Question #49 Topic 1
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit.
What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
Correct Answer: C
Selected Answer: C
The correct answer is C, take a look at the 7.2 Security study guide page 394:
Select Block to silently drop traffic matching any of the signatures included in the entry.
So, while the default action would be 'Pass' for this signature the administrator is specifically overriding that to set the Block action. To use the
default action the setting would have to be 'Default'.
upvoted 9 times
Selected Answer: C
Correct answer is C because the IPS action is set to block; if the action is set to default it will allow the traffic.
upvoted 2 times
Selected Answer: C
I didn't understand this application Control link if the theme is IPS... The right answer is C
upvoted 1 times
alex4988 7 months, 2 weeks ago
Selected Answer: A
Answer A reference
http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control
upvoted 1 times
Correct Answer: D
Selected Answer: D
"If you use multiple source or destination interfaces, or the any interface in a firewall policy, you cannot separate policies into sections by interface
pairs—some would be triplets or more. So instead, policies are then always displayed in a single list (By Sequence)."
Selected Answer: D
Selected Answer: A
"If you use multiple source or destination interfaces, or the any interface in a firewall policy, you cannot separate policies into sections by interface
pairs—some would be triplets or more. So instead, policies are then always displayed in a single list (By Sequence)."
upvoted 1 times
Correct Answer: C
Selected Answer: C
Correct:
C. They can run multiple actions simultaneously.
Incorrect:
A. They can have one or more triggers.
B. They can be run only on devices in the Security Fabric.
D. They can be created on any device in the fabric.
Selected Answer: C
Selected Answer: C
Selected Answer: C
Actions can be run sequentially or in parallel per the slides from NSE 4 FortiGate Security 7.2 - Security Fabric.
upvoted 2 times
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination
port of the packet be, after FortiGate forwards the packet to the destination?
Correct Answer: C
Selected Answer: A
A is correct.
NAT on the policy means the source gets translated from 10.200.3.1 to 10.0.1.254. The VIP performs DNAT which changes the destination from
10.200.1.10 to 10.0.1.10. Then port forwarding translates the port from 10443 to 443.
upvoted 21 times
Selected Answer: A
The correct answer is A because this rule is set up with BOTH SNAT and DNAT enabled (which is very uncommon in the real world).
The Destination is a VIP with Port Forwarding which means the FortiGate has to translate the incoming requests destination IP and port to the
internal resource's IP and port. Thus destination translation occurs from 10.200.1.1:10443 to 10.0.1.10:443.
The firewall rule itself also has NAT set to Enabled. The default setting for this type of source NAT is 'Use Outgoing Interface Address' (in this case
port3's IP) and, given the options, this must be set in this case. Thus source translation occurs from 10.200.3.1 to 10.0.1.254.
Selected Answer: A
Translations:
10.200.3.1 --> 10.0.1.254 because NAT is enabled in the firewall policy
10.200.1.10 --> 10.0.1.10 because a VIP is the Destination
10443 --> 443 because Port Forwarding is enabled on the VIP
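The three translations listed above, traced step by step as an added Python example (not code from the original page or from Fortinet). The addresses and ports are the ones the comment states; the VIP, policy and packet structures and their names are assumptions. Toggling the policy's NAT flag off shows the untranslated-source result that other comments in this thread argue for.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class VIP:
    """Static NAT VIP (assumed structure): external IP/port mapped to internal IP/port."""
    name: str
    ext_ip: str
    mapped_ip: str
    ext_port: Optional[int] = None      # None means no port forwarding
    mapped_port: Optional[int] = None
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.ext_ip:
            return False
        if self.ext_port is None:
            return True                 # whole-address VIP, any port
        return pkt.proto == self.proto and pkt.dst_port == self.ext_port

    def dnat(self, pkt: Packet) -> Packet:
        """Rewrite destination IP, and destination port when port forwarding is on."""
        new_port = self.mapped_port if self.ext_port is not None else pkt.dst_port
        return replace(pkt, dst_ip=self.mapped_ip, dst_port=new_port)


@dataclass(frozen=True)
class Policy:
    """Firewall policy (assumed structure) with its NAT toggle."""
    name: str
    nat: bool
    outgoing_if_ip: str                 # used when no IP pool is selected
    ip_pool_ip: Optional[str] = None


def forward(pkt: Packet, vip: Optional[VIP], policy: Policy) -> Packet:
    """Return the packet as it leaves FortiGate: VIP DNAT first, then policy SNAT."""
    out = pkt
    if vip is not None and vip.matches(out):
        out = vip.dnat(out)
    if policy.nat:
        # Default source NAT uses the outgoing interface address unless an IP pool is set.
        out = replace(out, src_ip=policy.ip_pool_ip or policy.outgoing_if_ip)
    return out


def exhibit_scenario(policy_nat: bool = True) -> Packet:
    """The packet from the question: 10.200.3.1 -> 10.200.1.10:10443 through the VIP."""
    vip = VIP(name="WebServer-VIP", ext_ip="10.200.1.10", mapped_ip="10.0.1.10",
              ext_port=10443, mapped_port=443)   # names are assumptions
    policy = Policy(name="Inbound-WebServer", nat=policy_nat, outgoing_if_ip="10.0.1.254")
    syn = Packet(src_ip="10.200.3.1", src_port=51000, dst_ip="10.200.1.10", dst_port=10443)
    return forward(syn, vip, policy)


if __name__ == "__main__":
    for nat in (True, False):
        p = exhibit_scenario(nat)
        print(f"policy NAT={nat}: {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
```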
Selected Answer: A
A is the right answer. The policy has NAT enabled, so the original IP is NATted using the outgoing interface IP address
upvoted 1 times
Selected Answer: A
Correct answer: A
upvoted 1 times
Lab tested.
upvoted 2 times
lupnoob 5 months, 1 week ago
Selected Answer: C
C for sure. If IP pool is used, NAT column should show the IP pool name.
NAT column will show
upvoted 1 times
Selected Answer: C
Definitely C, DNAT does not change source IP address, only destination - tried it several times.
upvoted 2 times
Should be C
upvoted 1 times
Selected Answer: A
Selected Answer: A
After Firewall the packet source will be the LAN port (10.0.1.254) and the destination will be 10.0.1.10 with port 443
upvoted 1 times
Selected Answer: C
C for Sure
upvoted 2 times
Question #53 Topic 1
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only
VDOM with internet access and is directly connected to the ISP modem.
A. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
B. A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.
C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
D. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
Correct Answer: C
Selected Answer: D
D. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
Selected Answer: D
Selected Answer: B
B makes more sense than others for me since the default gateway can be learned via DHCP, no static route is really needed.
upvoted 1 times
Selected Answer: D
Selected Answer: A
You would need inter-VDOM links to the Local and DMZ from the Internet VDOM to get out on the internet. You do not need a link between the Root and
the Internet since it is used for management. That's under the section on inter-VDOM links.
upvoted 1 times
Correct Answer is D
upvoted 2 times
C: wrong because one of the VDOMs has to be in NAT mode to create a link.
upvoted 2 times
Correct Answer: C
Selected Answer: D
Selected Answer: D
Answer D
See Fortinet Article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-find-out-the-Policy-Route-Types/ta-p/270555
upvoted 1 times
Selected Answer: D
Selected Answer: D
The answer is D.
ID >= 65535 and vwl_service tag means SD-WAN.
upvoted 2 times
Selected Answer: D
Correct answer: D
upvoted 2 times
Examples:
Static route with “Internet Services”:
id=2113929252 static_route=36 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1)
oif=8(wan2)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Adobe-DNS(917507,0,0,0)
Selected Answer: D
vwl_service is present!
upvoted 2 times
Selected Answer: D
The correct answer is D. This is an SD-WAN rule (ID greater than 65535 and the vwl_service field is present)
upvoted 3 times
page 59
upvoted 3 times
Selected Answer: D
ISDB routes and SD-WAN rules are assigned an ID higher than 65535. However, SD-WAN rule entries include the vwl_service field, and ISDB route
entries don't. The vwl_service field indicates the ID and the name of the rule from the SD-WAN configuration perspective.
upvoted 4 times
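The ID and vwl_service rule described in the comment above, applied to text in the layout quoted earlier in this thread, as an added Python example (not code from the original page or from Fortinet). The first sample entry is the one quoted on this page; the second and third are constructed in the same layout to exercise the other two cases, and their rule names and interfaces are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Policy routes created by hand keep IDs at or below this value; ISDB routes
# and SD-WAN rules are assigned IDs above it (per the comment above).
POLICY_ROUTE_MAX_ID = 65535

# Constructed sample output. Entry 1 is the static route using Internet
# Services quoted on this page. Entries 2 and 3 are assumptions in the same
# layout: an SD-WAN rule (note vwl_service) and an ordinary policy route.
SAMPLE_PROUTE_LIST = """\
list route policy info(vf=root):

id=2113929252 static_route=36 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=8(wan2)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Adobe-DNS(917507,0,0,0)

id=2130706433 vwl_service=1(To-HQ) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=3(port3) dport=1-65535 path(2) oif=5(wan1) oif=8(wan2)
source(1): 10.0.1.0-10.0.1.255
destination(1): 10.0.2.0-10.0.2.255

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=3(port3) dport=1-65535 path(1) oif=5(wan1)
source(1): 10.0.1.50-10.0.1.50
destination wildcard(1): 0.0.0.0/0.0.0.0
"""


@dataclass
class ProuteEntry:
    entry_id: int
    vwl_service: Optional[str]      # "<id>(<name>)" when present, else None
    out_interfaces: List[str]
    internet_services: List[str]

    @property
    def kind(self) -> str:
        """Classify using only the two facts from the comment above."""
        if self.entry_id <= POLICY_ROUTE_MAX_ID:
            return "policy-route"
        return "sdwan-rule" if self.vwl_service is not None else "isdb-route"


def parse_proute_list(text: str) -> List[ProuteEntry]:
    """Parse each id= header line and the detail lines that follow it."""
    entries: List[ProuteEntry] = []
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"id=(\d+)\b", line)
        if header:
            vwl = re.search(r"vwl_service=(\S+)", line)
            entries.append(ProuteEntry(
                entry_id=int(header.group(1)),
                vwl_service=vwl.group(1) if vwl else None,
                out_interfaces=re.findall(r"oif=\d+\(([^)]+)\)", line),
                internet_services=[],
            ))
        elif line.startswith("internet service") and entries:
            # e.g. "internet service(1): Adobe-DNS(917507,0,0,0)"
            names = re.findall(r"([\w.-]+)\(\d+,\d+,\d+,\d+\)", line)
            entries[-1].internet_services.extend(names)
    return entries


def classify(text: str) -> dict:
    """Map each entry ID to its kind, ready to print or compare across devices."""
    return {e.entry_id: e.kind for e in parse_proute_list(text)}


if __name__ == "__main__":
    for entry in parse_proute_list(SAMPLE_PROUTE_LIST):
        print(f"id={entry.entry_id:<11} {entry.kind:<13} "
              f"oif={','.join(entry.out_interfaces)} "
              f"vwl_service={entry.vwl_service} isdb={entry.internet_services}")
```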
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group
option.
What is the impact of using the Include in every user group option in a RADIUS configuration?
A. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
C. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
Correct Answer: B
Selected Answer: B
Selected Answer: B
Selected Answer: B
B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
Selected Answer: B
B is correct
upvoted 2 times
This allows each user group to try and authenticate users against the RADIUS server if local authentication fails.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/759080/configuring-a-radius-server
upvoted 1 times
Selected Answer: B
B is correct. The Include in every User Group option adds the RADIUS server and all users that can authenticate against it, to every user group
created on FortiGate.
upvoted 1 times
Question #56 Topic 1
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status
Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?
Correct Answer: B
Selected Answer: B
Selected Answer: B
B is correct.
When key lifetime is different, FortiGate chooses the lower one.
Diffie-Hellman group needs only one that matches.
The authentication proposals need one matching, which there isn't. That makes it B.
upvoted 2 times
Selected Answer: C
I think the correct answer is C. DH is different between HQ and Spoke. AES is matching on both sides
upvoted 1 times
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
Correct Answer: B
Selected Answer: D
Study Guide Page 15 - By default, uses DNS over TLS DoT to secure DNS traffic - FortiOS uses Fortiguard server for DNS requests
upvoted 6 times
Selected Answer: D
FortiGate_Security_7.2_Study_Guide page 15
upvoted 6 times
Selected Answer: D
When using FortiGuard servers for DNS, FortiOS uses DNS over TLS by default to secure the DNS traffic. Answer D is correct.
FortiGate_Security_7.2_Study_Guide page 15
upvoted 1 times
Selected Answer: D
Correct answer: D
upvoted 1 times
I've tested on lab and the result was the same as the Study Guide.
upvoted 1 times
I’m going with answer D if this exam is focused on FortiOS 7.2.3 and lower. From 7.2.4 the default setting is set to DNS (UDP/53) and TLS
(TCP/853) is optional.
upvoted 2 times
Selected Answer: D
For DNS servers, select Use FortiGuard Servers. The Primary DNS server is 96.45.45.45, and the Secondary DNS server is 96.45.46.46. DNS
Protocols is set to TLS and cannot be modified.
upvoted 2 times
Selected Answer: D
Answer is D:
https://docs.fortinet.com/document/FortiProxy/7.2.0/administration-guide/710207/use-dns-over-tls-for-default-fortiguard-dns-servers
upvoted 2 times
Correct answer is D
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/92199/use-dns-over-tls-for-default-fortiguard-dns-servers-7-0-4
upvoted 2 times
Selected Answer: D
If you configure FortiGuard servers as DNS, you cannot choose UDP 53; DNS over TLS is selected
upvoted 2 times
Question #58 Topic 1
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A. The sensor will gather a packet log for all matched traffic.
B. The sensor will reset all connections that match these signatures.
D. The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.
Correct Answer: AB
When an IPS sensor detects an intrusion attempt or violation of a security policy, it can trigger an alert or log the event, providing information for
further analysis or action.
By using the monitor action instead of the block action, you can allow traffic to continue flowing while still gaining visibility into potential security
risks. This can be useful in situations where blocking the traffic might cause operational disruptions or false positives.
However, it's important to note that the monitor action does not actively block traffic, so it's recommended to use it in conjunction with other
security measures, such as firewalls, antivirus software, and intrusion prevention systems, to ensure comprehensive protection against cyber
threats.
upvoted 7 times
Selected Answer: CD
Selected Answer: AD
The right answer is actually A and D, because there is a catch: the FortiGate is not blocking ALL attacks to the Windows server because it is allowing that
iSCSI signature to pass through, and the matching traffic is indeed set to log
upvoted 1 times
Selected Answer: CD
Selected Answer: CD
Correct Answer is CD
upvoted 4 times
Which two types of traffic are managed only by the management VDOM? (Choose two.)
A. DNS
C. PKi
D. Traffic shaping
Correct Answer: AB
Selected Answer: AB
C is wrong because PKI stands for Public Key Infrastructure and is associated with VPNs
D is wrong because traffic shaping is configured on a 'Traffic Shaping Policy'
A is correct because Fortigate will use Fortiguard for these queries
B is correct as the management VDOM can use DNS for DNS queries
upvoted 6 times
Selected Answer: AB
A. DNS
B. FortiGuard web filter queries
Selected Answer: AB
The SSL VPN connection fails when a user attempts to connect to it.
What should the user do to successfully connect to the SSL VPN?
Correct Answer: A
Selected Answer: A
Selected Answer: A
Selected Answer: A
A is correct
upvoted 2 times
Question #61 Topic 1
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination
port of the packet be, after FortiGate forwards the packet to the destination?
Correct Answer: C
Selected Answer: C
change the source IP address of the outgoing traffic; the other way around, the change goes to the destination.
upvoted 1 times
Translations:
10.200.3.1 --> 10.0.1.254 because NAT enable in firewall policy
10.200.1.10 --> 10.0.1.10 because VIP as Destination
10443 --> 443 because Port Forwarding enabled on VIP
Selected Answer: A
Answer is A.
SNAT and DNAT are both active. We don't see the IP pool of SNAT, but it has to be another IP than the original. The only logical answer is A.
upvoted 1 times
Selected Answer: A
It is A
upvoted 2 times
Selected Answer: A
Lab tested.
upvoted 1 times
Selected Answer: C
NAT only operates in one direction at a time. For inbound traffic only the DNAT will apply, as the original source has to be preserved so that traffic
can be routed back, so C.
upvoted 2 times
Selected Answer: C
The correct option is C because the external source IP is never translated, only the server address that is behind the Fortigate, so A option is
wrong.
The NAT enabled in the firewall policy indicates that egress traffic is translated using the VIP address (10.200.1.10) and not using the 10.200.1.1
(port1 of fortigate)
There's DNAT and then there's NAT enabled in the policy (i.e. SNAT). So destination address will change, as well as the source address. So A is
correct.
upvoted 4 times
Source will stay the same. NAT will take place so it will forward packet to mapped IP in VIP
upvoted 3 times
Question #62 Topic 1
Which three methods are used by the collector agent for AD polling? (Choose three.)
A. FortiGate polling
C. WMI
D. NetAPI
E. WinSecLog
C. WMI
D. NetAPI
E. WinSecLog
FortiGate Infrastructure Study Guide for FortiOS 7.2 page 127 - 128
upvoted 2 times
FortiGate polling is not a method used by the collector agent for AD polling.
FSSO REST API is not a method used by the collector agent for AD polling.
WMI is a method used by the collector agent for AD polling.
NetAPI is a method used by the collector agent for AD polling.
WinSecLog is not a method used by the collector agent for AD polling.
The collector agent uses NetAPI and WMI to poll the domain controllers for user logon information. The collector agent then sends this
information to the FortiGate firewall.
upvoted 1 times
Question #63 Topic 1
Correct Answer: BC
Selected Answer: BD
Selected Answer: BD
My vote is C,D
A ZTNA rule is a proxy policy used to enforce access control.
Infra 7.2 page 177.
upvoted 1 times
Selected Answer: BD
Selected Answer: AD
The two functions of a ZTNA rule are to redirect the client request to the access proxy and to enforce access control. So the answer is A and D.
Redirecting the client request to the access proxy is the primary function of a ZTNA rule. This is how the ZTNA solution ensures that all traffic is
routed through the access proxy, where it can be inspected and protected.
Enforcing access control is another important function of a ZTNA rule. This is how the ZTNA solution ensures that only authorized users and
devices are allowed to access the protected resources.
upvoted 1 times
Selected Answer: BD
Which two statements describe how the RPF check is used? (Choose two.)
A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
B. The RPF check is run on the first sent and reply packet of any new session.
C. The RPF check is run on the first sent packet of any new session.
D. The RPF check is run on the first reply packet of any new session.
Correct Answer: AC
Selected Answer: AC
The two statements that describe how the RPF check is used are A and C.
RPF stands for Reverse Path Forwarding. It is a security mechanism that protects FortiGate and the network from IP spoofing attacks.
The RPF check is run on the first sent packet of any new session. This is because the first packet is the only packet that contains the source IP
address of the sender.
upvoted 5 times
Selected Answer: AC
A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
C. The RPF check is run on the first sent packet of any new session.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed
to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring
Correct Answer: BD
Selected Answer: BD
Selected Answer: BD
B. On HQ-FortiGate, set IKE mode to Main (ID protection).
D. On Remote-FortiGate, set port2 as Interface.
"In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must
agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel."
Selected Answer: BD
Which interface type must the administrator select to bind multiple FortiGate interfaces?
A. Redundant interface
C. VLAN interface
D. Aggregate interface
Correct Answer: D
Selected Answer: D
it's D
upvoted 2 times
Selected Answer: D
D. Aggregate interface
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/567758/aggregation-and-redundancy
upvoted 2 times
Selected Answer: D
The answer is D.
upvoted 1 times
Question #67 Topic 1
When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or
FortiManager?
A. Policy ID
B. Log ID
C. Sequence ID
Correct Answer: D
Selected Answer: D
Selected Answer: D
D is correct
upvoted 1 times
Selected Answer: D
The answer is D
upvoted 1 times
Which CLI command must the administrator use to view the route?
Correct Answer: B
Selected Answer: B
Selected Answer: B
Selected Answer: B
The answer is B
upvoted 2 times
Selected Answer: B
An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS
connection.
Correct Answer: B
Selected Answer: B
SSL VPN tunnel is a FortiGate configuration that allows remote users to connect to the FortiGate firewall through an SSL/TLS connection. This
connection provides a secure tunnel between the remote user's PC and the FortiGate firewall, which allows the remote user to send external
application data running on their PCs and access FTP resources through the firewall.
upvoted 5 times
Selected Answer: B
The IPS engine is used by which three security features? (Choose three.)
C. Application control
D. DNS filter
Correct answer is A.
IPS engine is used by:
- Application control
- Antivirus (flow-based)
- Web filter (flow-based)
- Email filter (flow-based)
upvoted 1 times
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/605868
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/836396/antivirus
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/302748/application-control
upvoted 1 times
You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk.
A. No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%.
B. No new log is recorded until you manually clear logs from the local disk.
C. Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.
D. Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%.
Correct Answer: C
Reference:
https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/421620/config-log-disk-setting
https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/418620/config-log-memory-global-setting
upvoted 3 times
Selected Answer: C
The answer is C
upvoted 1 times
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
C. No certificate is required on the remote peer when you set the certificate signature as the authentication method
Correct Answer: BD
Selected Answer: BD
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
D. Pre-shared key and certificate signature as authentication methods
Selected Answer: BD
If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field
of a firewall policy?
A. IP address
C. FQDN address
Correct Answer: B
Selected Answer: B
Security p. 59
Answer B is correct
upvoted 7 times
Selected Answer: B
D. User or User Group (incorrect because you cannot use Users or Groups as Destination, just as Source, and they actually can be mixed with ISDB
objects)
Selected Answer: A
If you've ever made a policy, you know you can make the destination an IP address.
upvoted 1 times
Selected Answer: B
The answer is B
upvoted 2 times
Question #74 Topic 1
Correct Answer: C
Selected Answer: B
Correct:
B. FortiGate devices must be operating in NAT mode.
Incorrect:
A. FortiManager is one of the required member devices. (Recommended member)
C. A minimum of two Fortinet devices is required. (3 Fortinet devices = 2 FG + 1 logging)
D. FortiGate Cloud cannot be used for logging purposes. (It can be used)
Selected Answer: B
B is the correct answer. This is the explanation. You must have a minimum of two FORTIGATE devices at the core of the Security Fabric, plus one
FortiAnalyzer or cloud logging solution. FortiAnalyzer Cloud or FortiGate Cloud can act as the cloud logging solution. The FortiGate devices must
be running in NAT mode. C is incorrect, because it says you must have two Fortinet devices, not FortiGate. PAGE 428 7.2
upvoted 3 times
Selected Answer: B
Correct answer is B
- FortiGate devices must operate in NAT mode https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/58646/security-fabric-settings-and-usage
C is wrong since the core requirements for Security Fabric are:
2 FortiGate devices AND one of the following:
FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud
upvoted 2 times
You must have a minimum of two FortiGate devices at the core of the Security Fabric, plus one FortiAnalyzer
or cloud logging solution. FortiAnalyzer Cloud or FortiGate Cloud can act as the cloud logging solution. The
FortiGate devices must be running in NAT mode.
upvoted 1 times
Answer is B
As he says, 2 Fortinet devices, not 2 FortiGate devices.
upvoted 4 times
Selected Answer: B
Both C & B answers are correct. In the FortiGate security study guide, page 428:
1st: You must have a minimum of two FortiGate devices at the core of the security fabric, plus one FortiAnalyzer or cloud logging solution.
2nd: The FortiGate device must be running in NAT.
The question is asked specifically regarding the (security fabric), not the FortiGate device, so I would say the answer is more to "C"
upvoted 2 times
The security fabric is an integrated and collaborative approach to security, where multiple Fortinet devices work together as a cohesive system to
provide enhanced security, visibility, and control across the entire network. The security fabric allows different Fortinet devices, such as FortiGate
firewalls, FortiSwitches, FortiAPs, and FortiAnalyzer, to share information and coordinate actions to detect and respond to security threats more
effectively.
upvoted 2 times
Selected Answer: D
The answer is D
upvoted 1 times
Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)
Correct Answer: AD
Selected Answer: AD
Selected Answer: AD
Answer is A & D
upvoted 1 times
Selected Answer: AD
Selected Answer: AD
Selected Answer: BD
Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on
FortiGate?
Correct Answer: A
Selected Answer: A
system-diagnostics:
Enable/disable permission to run system diagnostic commands.
upvoted 3 times
darkstar15 4 months, 1 week ago
restricted from using diagnose commands in the CLI:
set system-diagnostics disable
The correct answer is A.
upvoted 1 times
Only answer is A
upvoted 1 times
The answer is A
upvoted 1 times
Question #77 Topic 1
Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
D. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
Correct Answer: B
Selected Answer: B
In this case we only need to take into account the position of the filter, the application, and the action. FortiGate will analyze the filter from top to
bottom like a regular firewall policy. Therefore we have position, then FaceTime, and then action Block; the final result will be "Block FaceTime"
upvoted 3 times
Selected Answer: B
Selected Answer: C
"if there are only a few calls originating or incoming?" indicates Facetime does not trigger the excessive bandwidth filter.
upvoted 2 times
Selected Answer: B
The answer is B
upvoted 1 times
Since the question states "if there are only a few calls originating or incoming?":
C should be the correct answer
upvoted 1 times
Question #78 Topic 1
Correct Answer: C
Selected Answer: D
Selected Answer: D
Right answer is D
upvoted 1 times
Selected Answer: D
The answer is D
upvoted 1 times
Selected Answer: D
Selected Answer: D
Selected Answer: D
https://www.fortinetguru.com/2016/03/what-is-policy-id-0-and-why-lot-of-denied-traffic-on-this-policy/
upvoted 3 times
A. The IPS socket buffer is full and the IPS engine cannot process additional packets.
Correct Answer: C
Selected Answer: A
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-socket-size-and-fail-open-mode/ta-p/191254
upvoted 1 times
Selected Answer: A
The answer is A
upvoted 1 times
Selected Answer: A
source : Fortinet community: Technical Tip: IPS - 'socket size' and 'fail-open' mode
upvoted 1 times
Selected Answer: A
Answer is A.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-socket-size-and-fail-open-mode/ta-p/191254#:~:text=A%20'fail%2Dopen'%20scenario,or%20bypass%20them%20without%20inspection.
upvoted 1 times
Selected Answer: A
Selected Answer: A
Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?
A. VDOMs without ports with connected devices are not displayed in the topology.
B. Downstream devices can connect to the upstream device from any of their VDOMs.
C. Security rating reports can be run individually for each configured VDOM.
Correct Answer: B
Selected Answer: A
A. VDOMs without ports with connected devices are not displayed in the topology.
Selected Answer: A
Answer is A.
Downstream FortiGate devices must connect to the upstream FortiGate from its management VDOM.
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/721683/deploying-the-security-fabric-in-a-multi-vdom-environment
upvoted 3 times
Answer is A
upvoted 1 times
The answer is A
upvoted 1 times
Selected Answer: A
Selected Answer: A
Answer is A.
Security study guide 7.2 page 436.
upvoted 1 times
C is correct. Security Guide p.450 "in multi-vdom mode, reports can be generated in the global vdom for all the vdoms"
upvoted 1 times
imwatever 5 months, 1 week ago
Selected Answer: A
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
A. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
B. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
C. FortiGate automatically negotiates different local and remote addresses with the remote peer.
D. FortiGate automatically negotiates a new security association after the existing security association expires.
Correct Answer: D
Selected Answer: B
Selected Answer: B
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536
it sounds like "B" is directed at the keep-alive feature, which (AFAIK) doesn't re-establish the P2 if it is down, while D appears to be the correct
answer in this case ... also that document references the fact that enabling auto-neg also implicitly activates the keep-alive feature for the tunnel ...
upvoted 1 times
Selected Answer: B
B is correct
upvoted 2 times
ccnax2 5 months ago
Selected Answer: B
If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Auto-negotiate initiates the phase 2 SA
negotiation automatically, repeating every five seconds until the SA is established.
upvoted 2 times
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536
upvoted 2 times
The answer is B
upvoted 1 times
Selected Answer: B
answer
upvoted 1 times
Selected Answer: B
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports
certificate warning errors. When visiting HTTP websites, the browser does not report errors.
B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
C. The full SSL inspection feature does not have a valid license.
D. The browser does not trust the certificate used by FortiGate for SSL inspection.
Correct Answer: D
Selected Answer: D
D. The browser does not trust the certificate used by FortiGate for SSL inspection.
Selected Answer: D
The answer is D
upvoted 1 times
Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?
A. idle-timeout
B. login-timeout
C. udp-idle-timer
D. session-ttl
Correct Answer: B
Selected Answer: B
B. login-timeout
Selected Answer: B
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
upvoted 2 times
Selected Answer: B
The answer is B
upvoted 1 times
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.
Which order must FortiGate use when the web filter profile has features such as safe search enabled?
D. Static domain filter, SSL inspection filter, and external connectors filters
Correct Answer: B
Selected Answer: B
Selected Answer: B
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filtering-order-of-execution/ta-p/196179
upvoted 1 times
The answer is B
upvoted 1 times
Question #85 Topic 1
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must
What are two solutions for satisfying the requirement? (Choose two.)
A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
Correct Answer: AD
Selected Answer: BD
A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com... (incorrect because you still allow root
domain)
Selected Answer: BD
Selected Answer: BD
change the website to an allowed category. You can also do the reverse. You can block a website that belongs to an allowed category.
Remember that changing categories does not automatically result in a different action for the website. This depends on the settings within the
web filter profile.
In the image, a category is shown as denied within the profile (Malicious Websites).
upvoted 1 times
Selected Answer: AD
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?
A. 10.200.1.10
B. 10.0.1.254
C. 10.200.1.1
D. 10.200.3.1
Correct Answer: C
Community vote distribution
C (71%) A (29%)
Selected Answer: C
If WebServer firewall policy was active it would be A because: SNAT changes it to 10.200.1.10 due to VIP.
But correct is C due to the disabled WebServer firewall policy.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947
upvoted 7 times
Selected Answer: A
Therefore the alternative would be the NAT rule used in Full_access, which, since there is no pool specified, will be PAT using the egress
interface IP of 10.200.1.1.
upvoted 1 times
Selected Answer: C
VIPs are DNAT and this traffic is originating from LAN to WAN which would then use SNAT if enabled on the firewall policy.
upvoted 1 times
ChatGPT answer (XD): "Disabling a security policy on a Fortigate device will not deactivate the NAT VIP configured in it. The VIP will still translate
traffic regardless of the policy being disabled. The security policy and NAT VIP are separate configurations on the Fortigate device, and disabling
the security policy will not affect the operation of the NAT VIP"
upvoted 1 times
Selected Answer: C
The question is about SNAT, so a LAN-to-WAN rule: if traffic is destined from the LAN to the WAN, then it would NAT out over the WAN IP, or if
an IP pool was present it would NAT out over that.
DNAT is inbound WAN to LAN so incoming traffic sent towards the VIP rule would be affected by the NAT.
I think the correct answer is C.
upvoted 1 times
Selected Answer: C
C. 10.200.1.1
Traffic is coming from LAN to WAN and matches policy Full_Access, which has NAT enabled, so traffic uses the source IP address of the outgoing interface.
Simple SNAT.
C is correct
upvoted 3 times
Selected Answer: C
Selected Answer: A
Correct answer: A
upvoted 2 times
Selected Answer: A
Why would the firewall policy not block a well-known virus, for example eicar?
A. Web filter is not enabled on the firewall policy to complement the antivirus profile.
Correct Answer: C
Selected Answer: C
C is correct
upvoted 1 times
Selected Answer: C
The answer is C
upvoted 1 times
What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)
D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
Correct Answer: AD
Selected Answer: AD
Yes A and D.
Infra 7.2 page 301.
upvoted 1 times
Selected Answer: AD
https://networkinterview.com/fortigate-ha-high-availability/
upvoted 1 times
An administrator wants to simplify remote access without asking users to provide user credentials.
C. SSL VPN
D. L2TP
Correct Answer: B
Selected Answer: A
IP/MAC filtering uses ZTNA tags to provide an additional factor for identification and security posture check to implement role-based zero trust
access.
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/855420/zero-trust-network-access-introduction
upvoted 1 times
Selected Answer: B
The answer is B
upvoted 2 times
What are two features of collector agent advanced mode? (Choose two.)
A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
B. In advanced mode, security profiles can be applied only to user groups, not individual users.
Correct Answer: AD
Selected Answer: AD
A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
D. Advanced mode supports nested or inherited groups.
Which three CLI commands can you use to troubleshoot Layer 3 issues, if the issue is in neither the physical layer nor the link layer? (Choose
three.)
B. execute ping
D. execute traceroute
B. Antivirus scan
C. Ransomware scan
D. Trojan scan
Correct Answer: AB
Selected Answer: AB
Selected Answer: AB
Selected Answer: AB
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate
device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third
Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for
E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
ACD it is.
upvoted 1 times
D: If we disable the IP pool via the CLI, the default will be overload. E: We create a new firewall policy but don't say anything about enabling NAT, so this
will fail.
upvoted 2 times
Based on the raw log, what can you conclude from the output? (Choose two.)
Correct Answer: AC
Selected Answer: AC
A: action=blocked; msg="URL belongs to a denied category in policy"; it's the same example as in the FortiGate Security guide, p. 178.
C: Security: type=UTM
upvoted 1 times
FortiGate_Security_7.2_Course p. 176
B. vd="root"
C. Security log, log type = utm
upvoted 1 times
Selected Answer: BC
Selected Answer: BC
Correct answers= BD
upvoted 1 times
Selected Answer: BC
Answer is B, C.
upvoted 1 times
B and C are correct.
A is not correct, because the log does not state that the firewall policy drops the packet. The log states it drops the packet because the web filter
profile blocks it. A profile is not the firewall policy.
upvoted 3 times
"vd=root"
"type=utm"
upvoted 3 times
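The thread above turns on reading three fields out of a raw FortiGate log: type= (traffic, event or utm), vd= (the VDOM), and whether the block was decided by a security profile or by the firewall policy itself. The following parser is an added example, not code from the exam page or from Fortinet; the two log lines it works on are constructed to look like the FortiGate key=value format (the logid values and addresses are illustrative, not the exhibit).

```python
import re

# Two constructed FortiGate key=value log lines (illustrative, NOT the exam exhibit).
# UTM_LOG is a web filter block; TRAFFIC_LOG is a deny by the firewall policy itself.
UTM_LOG = (
    'date=2024-01-15 time=10:22:31 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=1 profile="default" '
    'action="blocked" srcip=10.0.1.10 dstip=93.184.216.34 service="HTTPS" '
    'hostname="example.com" url="/" catdesc="Malicious Websites" '
    'msg="URL belongs to a denied category in policy"'
)
TRAFFIC_LOG = (
    'date=2024-01-15 time=10:23:02 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.0.1.10 dstip=10.200.3.1 dstport=22 proto=6 '
    'action="deny" policyid=0 policytype="policy" service="SSH"'
)

# key=value, where value is either a double-quoted string (may contain spaces)
# or a run of non-space characters
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Split one FortiGate log line into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def classify(fields: dict) -> dict:
    """Pull out what the exam asks about a raw log: the log category (type=),
    the VDOM (vd=), the policy ID, and whether the block was decided by a
    security profile (type=utm, action=blocked) or by the firewall policy
    (type=traffic, action=deny; policyid=0 is the implicit deny)."""
    log_type = fields.get("type")
    action = fields.get("action")
    pid = fields.get("policyid", "")
    return {
        "log_category": log_type,
        "vdom": fields.get("vd"),
        "policy_id": int(pid) if pid.isdigit() else None,
        "blocked_by_profile": log_type == "utm" and action == "blocked",
        "denied_by_policy": log_type == "traffic" and action == "deny",
    }


if __name__ == "__main__":
    for line in (UTM_LOG, TRAFFIC_LOG):
        print(classify(parse_fortigate_log(line)))
```

The distinction the last commenter makes is exactly what `classify` encodes: a UTM log with action=blocked means a profile (here the web filter) dropped the session inside an accept policy, while a traffic log with action=deny means the policy itself denied it. The regex deliberately treats a quoted value as one token, so msg= fields containing spaces and the word "policy" do not get split into bogus keys.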
Question #95 Topic 1
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
A. System time
C. Operating mode
D. NGFW mode
Correct Answer: CD
Selected Answer: CD
C and D.
upvoted 1 times
Selected Answer: CD
C. Operating mode
D. NGFW mode
Selected Answer: CD
Which inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?
A. Flow-based inspection
C. Certificate inspection
D. Proxy-based inspection
Correct Answer: A
Selected Answer: A
A. Flow-based inspection
A is correct.
FortiGate_Infrastructure_7.2 page 90.
upvoted 1 times
Selected Answer: A
The answer is A
upvoted 1 times
Question #97 Topic 1
What are two features of the NGFW policy-based mode? (Choose two.)
A. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.
B. NGFW policy-based mode does not require the use of central source NAT policy.
D. NGFW policy-based mode can only be applied globally and not on individual VDOMs.
Correct Answer: AC
Selected Answer: AC
A. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.
C. NGFW policy-based mode policies support only flow inspection.
What is the primary FortiGate election process when the HA override setting is disabled?
A. Connected monitored ports > Priority > HA uptime > FortiGate serial number
B. Connected monitored ports > System uptime > Priority > FortiGate serial number
C. Connected monitored ports > Priority > System uptime > FortiGate serial number
D. Connected monitored ports > HA uptime > Priority > FortiGate serial number
Correct Answer: D
Selected Answer: D
D. Connected monitored ports > HA uptime > Priority > FortiGate serial number
If Override DISABLED then: ports > HA Uptime > Priority > SN.
If Override ENABLED then: ports > Priority > HA Uptime > SN
The answer is D
upvoted 1 times
Correct
upvoted 1 times
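The two orderings given above (override disabled: ports > HA uptime > priority > serial; override enabled: ports > priority > HA uptime > serial) are easy to get backwards under exam pressure, so here is the election written out as code. This is an added example, not Fortinet's implementation; the cluster members are constructed, and the 300-second uptime margin is an assumption modelled on the FortiOS ha-uptime-diff-margin setting (uptimes closer than that are treated as equal).

```python
from dataclasses import dataclass


@dataclass
class ClusterMember:
    serial: str
    monitored_ports_up: int  # connected interfaces listed under HA monitored interfaces
    ha_uptime: int           # seconds this unit has been up as an HA member
    priority: int            # config system ha -> set priority (higher wins)


def compare(a: ClusterMember, b: ClusterMember, override: bool, uptime_margin: int = 300) -> int:
    """Return 1 if a beats b for primary, -1 if b wins, 0 only if they are identical.
    override disabled: ports > HA uptime > priority > serial
    override enabled:  ports > priority > HA uptime > serial
    uptime_margin (assumption, after ha-uptime-diff-margin, default 300 s): uptimes
    closer than this count as a tie so a reboot does not flap the primary role."""
    if a.monitored_ports_up != b.monitored_ports_up:
        return 1 if a.monitored_ports_up > b.monitored_ports_up else -1

    def by_uptime() -> int:
        if abs(a.ha_uptime - b.ha_uptime) >= uptime_margin:
            return 1 if a.ha_uptime > b.ha_uptime else -1
        return 0

    def by_priority() -> int:
        if a.priority != b.priority:
            return 1 if a.priority > b.priority else -1
        return 0

    steps = (by_priority, by_uptime) if override else (by_uptime, by_priority)
    for step in steps:
        result = step()
        if result:
            return result
    if a.serial != b.serial:
        return 1 if a.serial > b.serial else -1  # final tie-break: higher serial number wins
    return 0


def elect_primary(members, override: bool = False, uptime_margin: int = 300) -> ClusterMember:
    """Pairwise tournament over the members (not a sort: the uptime margin makes
    the uptime step non-transitive, so pairwise comparison is the honest model)."""
    primary = members[0]
    for m in members[1:]:
        if compare(m, primary, override, uptime_margin) > 0:
            primary = m
    return primary


if __name__ == "__main__":
    # Constructed members: A has been up longest, B has the higher priority.
    a = ClusterMember("FGT60F0000000001", monitored_ports_up=2, ha_uptime=100000, priority=100)
    b = ClusterMember("FGT60F0000000002", monitored_ports_up=2, ha_uptime=5000, priority=200)
    print("override disabled ->", elect_primary([a, b]).serial)       # A: uptime wins
    print("override enabled  ->", elect_primary([a, b], True).serial)  # B: priority wins
```

The practical consequence of the default (override disabled) is that a unit which rebooted and rejoined does not take the primary role back even if its priority is higher: the longer-running unit keeps it. Enabling override makes priority decisive, which gives deterministic placement at the cost of an extra failover whenever the preferred unit returns.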
Question #99 Topic 1
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled?
(Choose three.)
D. The server name indication (SNI) extension in the client hello message
During the exchange of hello messages at the beginning of an SSL handshake, FortiGate parses server name indication (SNI) from client Hello,
which is an extension of the TLS protocol.
The SNI tells FortiGate the hostname of the SSL server, which is validated against the DNS name before receipt of the server certificate.
If there is no SNI exchanged, then FortiGate identifies the server by the value in the Subject field or SAN (subject alternative name) field in the
server certificate.
upvoted 2 times
Correct Answer: D
Selected Answer: D
D
upvoted 1 times
The answer is D
upvoted 1 times
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338
upvoted 1 times
Question #101 Topic 1
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
A. The administrator must register the same FortiToken on more than one FortiGate device.
Correct Answer: C
Selected Answer: C
Selected Answer: C
The answer is C
upvoted 1 times
Question #102 Topic 1
Exhibit A shows a network diagram. Exhibit B shows the central SNAT policy and IP pool configuration.
A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching central SNAT policies will be applied.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate
(10.200.3.1)?
A. 10.200.1.99
B. 10.200.1.1
C. 10.200.1.49
D. 10.200.1.149
Correct Answer: A
Selected Answer: A
A is correct; ping is ICMP, so protocol 1. Protocol 1 is enabled on access list id 2, which has destination address SNAT-remote 1.
upvoted 8 times
Selected Answer: A
A. 10.200.1.99
Selected Answer: A
The answer is D
upvoted 1 times
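What decides this question is the top-down, first-match walk of the central SNAT table, where a protocol-specific entry only matches its own protocol and the matching entry's IP pool (or, with no pool, the egress interface address) becomes the translated source. The exhibit itself is not reproduced on this page, so the table below is a constructed lab configuration, labelled as such, whose addresses are chosen to line up with the answer options; this is an added example, not the exam's exhibit and not Fortinet code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IPPool:
    name: str
    start: str            # a one-address overload pool has start == end
    end: str


@dataclass
class CentralSnatPolicy:
    policy_id: int
    srcintf: str
    dstintf: str
    src: str              # CIDR; "0.0.0.0/0" = all
    dst: str
    protocol: int         # IP protocol number; 0 = any, as in the FortiOS CLI
    ippool: Optional[str] # None = translate to the egress interface address
    nat: bool = True      # nat disabled = matched, but the source is left untouched
    enabled: bool = True


# Constructed lab table (NOT the exam exhibit). Policy 1 catches TCP, policy 2
# catches ICMP to one host, policy 3 is the catch-all with no pool.
POOLS = {
    "SNAT-tcp":    IPPool("SNAT-tcp", "10.200.1.49", "10.200.1.49"),
    "SNAT-remote": IPPool("SNAT-remote", "10.200.1.99", "10.200.1.99"),
}
POLICIES = [
    CentralSnatPolicy(1, "port3", "port1", "10.0.1.0/24", "0.0.0.0/0", 6, "SNAT-tcp"),
    CentralSnatPolicy(2, "port3", "port1", "10.0.1.0/24", "10.200.3.1/32", 1, "SNAT-remote"),
    CentralSnatPolicy(3, "port3", "port1", "0.0.0.0/0", "0.0.0.0/0", 0, None),
]
EGRESS_IP = {"port1": "10.200.1.1"}   # assumed WAN interface address


def match_central_snat(policies, pools, egress_ip, srcintf, dstintf, src, dst, proto):
    """Walk the central SNAT table top-down; return (policy_id, translated source).
    First match wins. A protocol-specific entry matches only that protocol. With no
    match at all the packet leaves with its original source: in central NAT mode
    there is no per-firewall-policy NAT checkbox to fall back on."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if not p.enabled or p.srcintf != srcintf or p.dstintf != dstintf:
            continue
        if s not in ipaddress.ip_network(p.src) or d not in ipaddress.ip_network(p.dst):
            continue
        if p.protocol not in (0, proto):
            continue
        if not p.nat:
            return p.policy_id, src
        if p.ippool is not None:
            return p.policy_id, pools[p.ippool].start   # overload pool: first address
        return p.policy_id, egress_ip[dstintf]
    return None, src


if __name__ == "__main__":
    # Local-Client pings Remote-FortiGate: ICMP is protocol 1, so policy 2 matches.
    for proto, name in ((1, "icmp"), (6, "tcp"), (17, "udp")):
        print(name, match_central_snat(POLICIES, POOLS, EGRESS_IP,
                                       "port3", "port1", "10.0.1.10", "10.200.3.1", proto))
```

The exam-relevant lesson is in the ordering: the ICMP ping is translated by policy 2 even though policy 1 sits above it, because policy 1 is TCP-only; a SSH session from the same client would be translated by policy 1 instead. When auditing a central NAT deployment, check each protocol separately for the same reason, and look for a missing catch-all, which silently leaks untranslated RFC 1918 sources onto the WAN.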
Question #103 Topic 1
The exhibits contain a network interface configuration, firewall policies, and a CLI console configuration.
How will the FortiGate device handle user authentication for traffic that arrives on the LAN interface?
A. All users will be prompted for authentication; users from the HR group can authenticate successfully with the correct credentials.
B. If there is a fall-through policy in place, users will not be prompted for authentication.
C. All users will be prompted for authentication; users from the sales group can authenticate successfully with the correct credentials.
D. Authentication is enforced only at a policy level; all users will be prompted for authentication.
Correct Answer: A
Configured on the FortiGate:
- captive portal authentication required
- authentication failed message for Sales users
- authentication success for HR users
- second policy used by HR users
Interface LAN (port3) is configured to authenticate and only allow HR access. "All users will be prompted for authentication; users from the HR
group can authenticate successfully with the correct credentials."
upvoted 8 times
A. All users will be prompted for authentication; users from the HR group can authenticate successfully with the correct credentials.
Selected Answer: A
answer is A
upvoted 2 times
The answer is B
upvoted 1 times
Selected Answer: A
The answer is A
upvoted 2 times
Question #104 Topic 1
In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and
C. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".
Correct Answer: A
Interface is set to any and is checking all traffic on port 80. The webserver is directly connected to the FortiGate. We would see traffic destined to
port 80 with this sniffer. The only thing that makes sense is A.
upvoted 1 times
Selected Answer: D
The answer is D, not A. It is not mentioned that the packet is blocked somewhere. As we can see from the sniffer command, we capture packets on all
interfaces. The packet arrives on the interface and is captured before being blocked if a policy exists.
We can see on the capture that there are SYNs sent by the host, but we cannot see the reply from the web server (reply from port 80 to the host's
destination port). If the server replied (SYN-ACK), it should be on the capture.
We need to check on the server why there is no response. That's why we need to run a sniffer on the web server (answer D).
upvoted 2 times
Selected Answer: A
Debug flow will definitely provide the reason why the packets are dropped.
The answer is A
upvoted 2 times