FORTIGATE ADM 7.4 QUESTIONS - 001
Q1
Which NAT method translates the source IP address in a packet to another IP address? Select one:
A. IPPOOL
B. SNAT
C. DNAT
D. VIP
ANSWER: B
SECTION: Firewall and authentication
Q2
Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive
mode? (Choose two.) Select one or more:
A. Aggressive mode supports XAuth, while main mode does not.
B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does
not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during
aggressive mode.
D. Main mode cannot be used for dialup VPNs, while aggressive mode can.
ANSWER: C,D
SECTION: VPN
Q3
Refer to the exhibit. Which statement about the configuration settings is true? Select one:
A. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
B. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
C. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.
D. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
E. The settings are invalid. The administrator settings and the SSL VPN settings cannot use the same port.
ANSWER: B
SECTION: Deployment and System Configuration
Q4
FortiGate is configured for firewall authentication. When attempting to access an external website, the
user is not presented with a login prompt. What is the most likely reason for this situation? Select one:
A. No matching user account exists for this user.
B. The user is using a super admin account.
C. The user is using a guest account profile.
D. The user was authenticated using passive authentication.
ANSWER: D
SECTION: Deployment and System Configuration
Q5
Refer to the exhibit.
A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.
Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF)
checks on this traffic? (Choose two.)
A. Strict RPF check will allow the traffic.
B. Loose RPF check will allow the traffic.
C. Loose RPF check will deny the traffic.
D. Strict RPF check will deny the traffic.
ANSWER: A,B
SECTION: Firewall and authentication
Q6
Refer to the exhibit.
Which route will be selected when trying to reach 10.20.30.254? Select one:
A. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
B. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
C. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
D. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
ANSWER: D
SECTION: Routing
Q7
Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose
two.)
Select one or more:
A. A zone can be chosen as the outgoing interface.
B. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
C. Only the any interface can be chosen as an incoming interface.
D. Multiple interfaces can be selected as incoming and outgoing interfaces.
ANSWER: A,D
SECTION: Firewall and authentication
Q8
Which statement about firewall policy NAT is true? Select one:
A. SNAT can automatically apply to multiple firewall policies, based on SNAT policies.
B. DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
C. DNAT is not supported.
D. You must configure SNAT for each firewall policy.
ANSWER: D
SECTION: Firewall and authentication
Q9
Which three settings and protocols can be used to provide secure and restrictive administrative access to
FortiGate? (Choose three.)
Select one or more:
A. Trusted authentication
B. FortiTelemetry
C. SSH
D. Trusted host
E. HTTPS
ANSWER: A,C,E
SECTION: Deployment and System Configuration
Q10
Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)
Select one or more:
A. Port block allocation
B. Fixed port range
C. One-to-one
D. Overload
ANSWER: A,B
SECTION: Firewall and authentication
Q11
Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a
Security Fabric topology? (Choose two.)
Select one or more:
A. Pre-authorize downstream FortiGate devices
B. FortiAnalyzer IP address
C. Fabric name
D. FortiManager IP address
ANSWER: A,C
SECTION: Deployment and System Configuration
Q12
Which statement about the HA override setting in FortiGate HA clusters is true?
Select one:
A. It reboots FortiGate.
B. You must configure override settings manually and separately for each cluster member.
C. It synchronizes device priority on all cluster members.
D. It enables monitored ports.
ANSWER: B
SECTION: Deployment and System Configuration
Q13
What is eXtended Authentication (XAuth)?
Select one:
A. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
B. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
D. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username
and password).
ANSWER: D
SECTION: VPN
Q14
An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the
internet. The web server is connected to port1. The internet is connected to port2. Both interfaces
belong to the VDOM named Corporation.
What interface must the administrator use as the source for the firewall policy that will allow this traffic?
Select one:
A. port1
B. port2
C. ssl.Corporation
D. ssl.root
ANSWER: A
SECTION: Firewall and authentication
Q15
Which type of traffic inspection requires FortiGate to act as a CA?
Select one:
A. SSL certificate inspection when protecting multiple clients connecting to multiple servers.
B. SSL traffic inspection when protecting multiple clients connecting to multiple servers.
C. SSL traffic inspection when protecting a local SSL server.
D. SSL certificate inspection when protecting a local SSL server.
ANSWER: B
SECTION: Content inspection
Q16
Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?
Select one:
A. It captures the user IP address and workstation name and forwards them to FortiGate.
B. It captures the login events and forwards them to FortiGate.
C. It captures the login events and forwards them to the collector agent.
D. It captures the login and logoff events and forwards them to the collector agent.
ANSWER: C
SECTION: Firewall and authentication
Q17
Which three methods can you use to deliver the token code to a user who is configured to use two-
factor authentication? (Choose three.)
Select one or more:
A. Voicemail message
B. SMS text message
C. Instant message app
D. Email
E. FortiToken Mobile
ANSWER: B,D,E
SECTION: Firewall and authentication
Q18
What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
Select one:
A. Both control ECMP algorithms.
B. Both support volume algorithms.
C. Both can be enabled at the same time.
D. Both use the same physical interface load balancing settings.
ANSWER: A
SECTION: Routing
Q19
An administrator needs to inspect all web traffic (including Internet web traffic) coming from users
connecting to the SSL-VPN. How can this be achieved? Select one:
A. Using web-only mode
B. Disabling split tunneling
C. Configuring web bookmarks
D. Assigning public IP addresses to SSL-VPN users
ANSWER: B
SECTION: Content inspection
Q20
Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose
two.)
A. It is only supported if DC agents are deployed.
B. It uses the Windows convention for naming; that is, Domain\Username.
C. FortiGate can act as an LDAP client to configure the group filters.
D. It supports monitoring of nested groups.
ANSWER: C,D
SECTION: Firewall and authentication
Q21
What must you configure to enable proxy-based TCP session failover?
A. You must configure ha-configuration-sync under configure system ha.
B. You do not need to configure anything because all TCP sessions are automatically failed over.
C. You must configure session-pickup-enable under configure system ha.
D. You must configure session-pickup-connectionless enable under configure system ha.
ANSWER: C
SECTION: Deployment and System Configuration
Q22
Which two behaviours result from this full SSL configuration? (Choose two.)
A. The browser bypasses all certificate warnings and allows the connection.
B. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate
is untrusted.
C. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is
trusted.
D. A temporary trusted FortiGate certificate replaces the server certificate, even when the server
certificate is untrusted.
ANSWER: B,C
SECTION: VPN
Q23
You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set
up logging to use the FortiGate local disk. What is the default behavior when the local disk is full?
A. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
B. No new log is recorded until you manually clear logs from the local disk.
C. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
D. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.
ANSWER: C
SECTION: Deployment and System Configuration
Q24
The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP
address of Remote-FortiGate (10.200.3.1)?
A. 10.200.1.149
B. 10.200.1.1
C. 10.200.1.49
D. 10.200.1.99
ANSWER: D
SECTION: Firewall and authentication
Q25
According to the image, what is the correct answer?
A. The session is a UDP unidirectional state.
B. The session is in TCP ESTABLISHED state.
C. The session is a bidirectional UDP connection.
D. The session is a bidirectional TCP connection
ANSWER: C
SECTION: Deployment and System Configuration
Q26
Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose
three.)
A. Source defined as Internet Services in the firewall policy.
B. Destination defined as Internet Services in the firewall policy.
C. Highest to lowest priority defined in the firewall policy.
D. Services defined in the firewall policy.
E. Lowest to highest policy ID number.
ANSWER: A,B,D
SECTION: Firewall and authentication
Q27
Refer to the exhibit.
Why did FortiGate drop the packet?
A. It matched an explicitly configured firewall policy with the action DENY.
B. The next-hop IP address is unreachable.
C. It failed the RPF check.
D. It matched the default implicit firewall policy
ANSWER: D
SECTION: Firewall and authentication
Q28
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)
A. SSH
B. HTTPS
C. FTM
D. FortiTelemetry
ANSWER: A,B
SECTION: Deployment and System Configuration
Q29
What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall
(NGFW)?
A. Full Content inspection
B. Proxy-based inspection
C. Certificate inspection
D. Flow-based inspection
ANSWER: D
SECTION: Content inspection
Q30
The frame contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator has created a Deny policy with default settings to deny access to the Web server for
Remote-user2. Remote-user2 is still able to access the Web server.
What two changes can the administrator make to deny access to the web server for Remote-User2?
(Choose two.)
A. Disable match-vip in the Deny policy.
B. Set the Destination Address to Deny_IP in the Allow Access policy.
C. Enable match-vip in the Deny policy.
D. Set destination address to Web_server in Deny policy
ANSWER: C,D
SECTION: Firewall and authentication
Q31
Which two policies must be configured to allow traffic on a policy-based next-generation firewall
(NGFW) FortiGate? (Choose two.)
A. Firewall policy
B. Policy rule
C. Security policy
D. SSL inspection and authentication policy
ANSWER: C,D
SECTION: Firewall and authentication
Q32
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when
SSL certificate inspection is enabled? (Choose three.)
A. The subject field in the server certificate
B. The serial number in the server certificate
C. The server name indication (SNI) extension in the client hello message
D. The subject alternative name (SAN) field in the server certificate
E. The host field in the HTTP header
ANSWER: A,C,D
SECTION: Content inspection
Q33
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
A. FortiSIEM
B. FortiCloud
C. FortiCache
D. FortiSandbox
E. FortiAnalyzer
ANSWER: A,B,E
SECTION: Deployment and System Configuration
Q34
Refer to the exhibit to view the application control profile.
Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which
statement is true?
A. Apple FaceTime belongs to the custom monitored filter
B. The category of Apple FaceTime is being monitored.
C. Apple FaceTime belongs to the custom blocked filter
D. The category of Apple FaceTime is being blocked
ANSWER: C
SECTION: Content inspection
Q35
The HTTP inspection process in web filtering follows a specific order when multiple features are
enabled in the web filter profile. What order must FortiGate use when the web filter profile has features
enabled, such as safe search?
A. DNS-based web filter and proxy-based web filter
B. Static URL filter, FortiGuard category filter, and advanced filters
C. Static domain filter, SSL inspection filter, and external connectors filters
D. FortiGuard category filter and rating filter
ANSWER: B
SECTION: Content inspection
Q36
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
A. Antivirus engine
B. Intrusion prevention system engine
C. Flow engine
D. Detection engine
ANSWER: B
SECTION: Content inspection
Q37
Refer to the exhibit to view the firewall policy.
Which statement is correct if well-known viruses are not being blocked?
A. The firewall policy does not apply deep content inspection.
B. The firewall policy must be configured in proxy-based inspection mode.
C. The action on the firewall policy must be set to deny.
D. Web filter should be enabled on the firewall policy to complement the antivirus profile.
ANSWER: A
SECTION: Firewall and authentication
Q38
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option
5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. The IPS engine was blocking all traffic
B. The IPS engine was unable to prevent an intrusion attack
C. The IPS engine will continue to run in a normal state
D. The IPS engine was inspecting high volume of traffic
ANSWER: D
SECTION: Content inspection
Q39
Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?
A. The session is a UDP unidirectional state.
B. The session is in TCP ESTABLISHED state.
C. The session is a bidirectional UDP connection.
D. The session is a bidirectional TCP connection.
ANSWER: C
SECTION: Firewall and authentication
Q40
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering
and application control directly on the security policy. Which two other security profiles can you apply to
the security policy? (Choose two.)
A. Antivirus scanning
B. File filter
C. DNS filter
D. Intrusion prevention
ANSWER: A,D
SECTION: Content inspection
Q41
Refer to the exhibit.
The exhibit shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the
sensor expected to take? (Choose two.)
A. The sensor will gather a packet log for all matched traffic
B. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature
C. The sensor will block all attacks aimed at Windows servers
D. The sensor will reset all connections that match these signatures
ANSWER: B,C
SECTION: Content inspection
Q42
Refer to the web filter raw logs.
Based on the raw logs shown in the exhibit, which statement is correct?
A. Access to the social networking web filter category was explicitly blocked to all users.
B. The action on firewall policy ID 1 is set to warning.
C. Social networking web filter category is configured with the action set to authenticate.
D. The name of the firewall policy is all_users_web.
ANSWER: C
SECTION: Deployment and System Configuration
Q43
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).
Which statement is correct if a user is unable to receive a block replacement message when
downloading an infected file for the first time?
A. The volume of traffic being inspected is too high for this model of FortiGate.
B. The intrusion prevention security profile needs to be enabled when using flow-based inspection
mode.
C. The firewall policy performs the full content inspection on the file.
D. The flow-based inspection is used, which resets the last packet to the user.
ANSWER: D
SECTION: Firewall and authentication
Q44
Refer to the exhibit.
Based on the raw log, which two statements are correct? (Choose two.)
A. Traffic is blocked because Action is set to DENY in the firewall policy.
B. Traffic belongs to the root VDOM.
C. This is a security log.
D. Log severity is set to error on FortiGate.
ANSWER: B,C
SECTION: Deployment and System Configuration
Q45
If Internet Service is already selected as Source in a firewall policy, which other configuration objects
can be added to the Source field of a firewall policy?
A. IP address
B. Once Internet Service is selected, no other object can be added
C. User or User Group
D. FQDN address
ANSWER: C
SECTION: Firewall and authentication
Q46
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting
any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the
browser does not report errors. What is the reason for the certificate warning errors?
A. The browser requires a software update.
B. FortiGate does not support full SSL inspection when web filtering is enabled.
C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
D. There are network connectivity issues.
ANSWER: C
SECTION: Content inspection
Q47
Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security
policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the
policy configuration must you change to resolve the issue?
A. Add Facebook in the URL category in the security policy
B. Force access to Facebook using the HTTP service
C. Additional application signatures are required to add to the security policy
D. The SSL inspection needs to be a deep content inspection
ANSWER: D
SECTION: Content inspection
Q48
Refer to the exhibit.
The global settings on a FortiGate device must be changed to align with company security policies. What
does the Administrator account need to access the FortiGate global settings?
A. Enable restrict access to trusted hosts
B. Change password
C. Enable two-factor authentication
D. Change Administrator profile
ANSWER: D
SECTION: Deployment and System Configuration
Q49
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
A. NGFW policy-based mode does not require the use of central source NAT policy
B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
C. NGFW policy-based mode supports creating applications and web filtering categories directly in a
firewall policy
D. NGFW policy-based mode policies support only flow inspection
ANSWER: C,D
SECTION: Deployment and System Configuration
Q50
Which statement about the policy ID number of a firewall policy is true?
A. It represents the number of objects used in the firewall policy
B. It is required to modify a firewall policy using the CLI
C. It defines the order in which rules are processed
D. It changes when firewall policies are reordered
ANSWER: B
SECTION: Firewall and authentication
Q51
FortiGuard categories can be overridden and defined in different categories. To create a web rating
override for example.com home page, the override must be configured using a specific syntax. Which
two syntaxes are correct to configure web rating for the home page? (Choose two.)
A. www.example.com:443
B. www.example.com
C. example.com
D. www.example.com/index.html
ANSWER: B,C
SECTION: Firewall and authentication
Q52
Which two statements about antivirus scanning mode are true? (Choose two.)
A. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the
client
B. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending
it to the client
C. In proxy-based inspection mode, files bigger than the buffer size are scanned
D. In flow-based inspection mode, files bigger than the buffer size are scanned
ANSWER: A,B
SECTION: Content inspection
Q53
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection?
(Choose two.)
A. The issuer must be a public CA
B. The common name on the subject field must use a wildcard name
C. The keyUsage extension must be set to keyCertSign
D. The CA extension must be set to TRUE
ANSWER: C,D
SECTION: Content inspection
Q54
Which type of logs on FortiGate record information about traffic directly to and from the FortiGate
management IP addresses?
A. Local traffic logs
B. Forward traffic logs
C. None
D. Security logs
ANSWER: A
SECTION: Deployment and System Configuration
Q55
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When
downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When
downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be
downloaded. What is the reason for the failed virus detection by FortiGate?
A. Application control is not enabled
B. SSL/SSH Inspection profile is incorrect
C. Antivirus profile configuration is incorrect
D. Antivirus definitions are not up to date
ANSWER: B
SECTION: Content inspection
Q56
Which three statements about a flow-based antivirus profile are correct? (Choose three.)
A. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection
B. Optimized performance compared to proxy-based inspection
C. FortiGate buffers the whole file but transmits for the client simultaneously
D. If the virus is detected, the last packet is delivered to the client
E. IPS engine handles the process as a standalone
ANSWER: A,B,C
SECTION: Content inspection
Q57
Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation
firewall (NGFW)? (Choose two.)
A. Proxy-based inspection
B. Certificate inspection
C. Flow-based inspection
D. Full Content inspection
ANSWER: A,C
SECTION: Deployment and System Configuration
Q58
If Internet Service is already selected as Destination in a firewall policy, which other configuration objects
can be selected to the Destination field of a firewall policy?
A. User or User Group
B. IP address
C. No other object can be added
D. FQDN address
ANSWER: C
SECTION: Firewall and authentication
Q59
A team manager has decided that, while some members of the team need access to a particular website,
the majority of the team does not. Which configuration option is the most effective way to support this
request?
A. Implement web filter authentication for the specified website.
B. Implement a web filter category override for the specified website.
C. Implement a DNS filter for the specified website.
D. Implement web filter quotas for the specified website.
ANSWER: A
SECTION: Firewall and authentication
Q60
Which statement about video filtering on FortiGate is true?
A. Full SSL Inspection is not required.
B. It is available only on a proxy-based firewall policy.
C. It inspects video files hosted on file sharing services.
D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
ANSWER: B
SECTION: Content inspection