Scribd
Upload
38 views7 pages

25

Fortigate Administrator Sample Questions

Uploaded by

Jorge Palacios
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
38 views7 pages

25

Fortigate Administrator Sample Questions

Uploaded by

Jorge Palacios
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

Question 1

Which two statements about incoming and outgoing interfaces in firewall


policies are true? (Choose two)
 A zone can be chosen as the outgoing interface.
 An incoming interface is mandatory in a firewall policy, but an
outgoing interface is optional.
 Only the
any interface can be chosen as an incoming interface.
 Multiple interfaces can be selected as incoming and outgoing
interfaces.

Question 2
An administrator needs to create a tunnel mode SSL-VPN to access an
internal web server from the internet. The web server is connected to
port1. The internet is connected to port2. Both interfaces belong to the
VDOM named Corporation. What interface must the administrator use
as the source for the firewall policy that will allow this traffic?
 internal.root
 ssl.Corporation
 port2
 port1

Question 3
Which statement is correct regarding the Security Fabric?
 FortiManager is one of the required member devices.
 FortiClient Cloud can be used for logging purposes.
 FortiGate devices must be operating in NAT mode.
 You must have three FortiGate devices to establish the Security
Fabric.

Question 4
What is extended Authentication (XAuth)?
 It is an IPsec extension that forces remote VPN users to
authenticate using their local ID.
 It is an IPsec extension that forces remote VPN users to
authenticate using their credentials (username and password).
 It is an IPsec extension that authenticates remote VPN peers using
a pre-shared key.
 It is an IPsec extension that authenticates remote VPN peers using
digital certificates.
Question 5
Which two behaviors result from this full (deep) SSL configuration?
(Choose two)
 The browser bypasses all certificate warnings and allows the
connection.
 A temporary trusted FortiGate certificate replaces the server
certificate when the server certificate is trusted.
 A temporary untrusted FortiGate certificate replaces the server
certificate when the server certificate is untrusted.
 A temporary trusted FortiGate certificate replaces the server
certificate, even when the server certificate is untrusted.

Question 6
Which route will be selected when trying to reach 10.20.30.254?
 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]

Question 7
Which NAT method translates the source IP address in a packet to
another IP address?
 SNAT
 IPPOOL
 VIP
 DNAT

Question 8
You have hired contractors for your company, created user accounts for
them, and added them to the contractors group. The contractors receive
a certificate warning error when they attempt to access the FortiGate
GUI. Employees can access the portal without any errors. Which changes
must you make to allow the contractors to access the FortiGate GUI?
(Choose two)
 Import the Fortinet CA SSL certificate on the contractor's browser.
 Create a local-in firewall policy and add contractors as a source
group.
 Disable full SSL inspection on FortiGate to prevent warning errors.
 Install the company CA certificate on FortiGate.
Question 9
Which type of traffic inspection requires FortiGate to act as a CA?
 SSL certificate inspection when protecting multiple clients
connecting to multiple servers.
 SSL certificate inspection when protecting a local SSL server.
 SSL traffic inspection when protecting a local SSL server.
 SSL traffic inspection when protecting multiple clients connecting
to multiple servers.

Question 10
Which three settings and protocols can be used to provide secure and
restrictive administrative access to FortiGate? (Choose three.)
 SSH
 HTTPS
 Trusted authentication
 Trusted host
 FortiTelemetry

Question 11
Which three methods can you use to deliver the token code to a user
who is configured to use two-factor authentication? (Choose three)
 SMS text message
 Instant message app
 Email
 Voicemail message
 FortiToken Mobile

Question 12
Which two statements correctly describe the differences between IPsec
main mode and IPsec aggressive mode? (Choose two.)
 The first packet of aggressive mode contains the peer ID, while the
first packet of main mode does not.
 Main mode cannot be used for dialup VPNs, while aggressive mode
can.
 Aggressive mode supports XAuth, while main mode does not.
 Six packets are usually exchanged during main mode, while only
three packets are exchanged during aggressive mode.

Question 13
Which two statements are true about the routing entries in this database
table? (Choose two.)
 Both default routes have different administrative distances.
 The port3 default route is an inactive route.
 All of the entries in the routing database table are installed in the
FortiGate routing table.
 The default route on port2 is the preferred route.

Question 14
Which statement best describes the role of a DC agent in an FSSO DC
agent mode solution?
 It captures the user IP address and workstation name and forwards
them to FortiGate.
 It captures the login and logoff events and forwards them to the
collector agent.
 It captures the login events and forwards them to the collector
agent.
 It captures the login events and forwards them to FortiGate.

Question 15
Which statement about firewall policy NAT is true?
 DNAT can automatically apply to multiple firewall policies, based
on DNAT rules.
 SNAT can automatically apply to multiple firewall policies, based
on SNAT policies.
 You must configure SNAT for each firewall policy.
 DNAT is not supported.

Question 16
FortiGate is configured for firewall authentication. When attempting to
access an external website, the user is not presented with a login
prompt. What is the most likely reason for this situation?
 The user is using a guest account profile.
 The user was authenticated using passive authentication.
 No matching user account exists for this user.
 The user is using a super admin account.

Question 17
You have implemented the application sensor and the corresponding
firewall policy as shown in the exhibits. You cannot access any of the
Google applications, but you are able to access www.fortinet.com. What
would you do to resolve this issue?
 Set SSL inspection to
certificate-inspection.
 Change Inspection mode to
Flow-based.
 Add https://www.google.com/search?q=Google.com to the URL
category in the security profile.
 Move up Google in the Application and Filter Overrides section to
set its priority to 1.

Question 18
A user at 192.168.32.15 is trying to access the web server at
172.16.32.254. Which two statements are true? (Choose two.)
 Strict RPF check will deny the traffic.
 Loose RPF check will allow the traffic.
 Strict RPF check will allow the traffic.
 Loose RPF check will deny the traffic.

Question 19
Which two statements about advanced AD access mode for the FSSO
collector agent are true? (Choose two.)
 It is only supported if DC agents are deployed.
 It supports monitoring of nested groups.
 It uses the Windows convention for naming: that is,
Domain\Username.
 FortiGate can act as an LDAP client to configure the group filters.

Question 20
Which two settings must you configure when FortiGate is being deployed
as a root FortiGate in a Security Fabric topology? (Choose two)
 FortiAnalyzer IP address
 FortiManager IP address
 Pre-authorize downstream FortiGate devices.
 Fabric name

Question 21
What must you configure to enable proxy-based TCP session failover?
 You do not need to configure anything because all TCP sessions are
automatically failed over.
 You must configure
session-pickup-connectionless enable under config system ha.
 You must configure
ha-configuration-sync under config system ha.
 You must configure
session-pickup-enable under config system ha.

Question 22
Which two IP pool types are useful for carrier-grade NAT deployments?
(Choose two.)
 Port block allocation
 One-to-one
 Fixed port range
 Overload

Question 23
Which two statements correctly describe the differences between IPsec
main mode and IPsec aggressive mode? (Choose two.)
 Main mode cannot be used for dialup VPNs, while aggressive mode
can.
 Aggressive mode supports XAuth, while main mode does not.
 The first packet of aggressive mode contains the peer ID, while the
first packet of main mode does not.
 Six packets are usually exchanged during main mode, while only
three packets are exchanged during aggressive mode.

Question 24
Which statement about the configuration settings is true?
 When a remote user accesses
https://10.200.1.1:443, the SSL-VPN login page opens.
 When a remote user accesses
http://10.200.1.1:443, the SSL-VPN login page opens.
 The settings are invalid. The administrator settings and the SSL-
VPN settings cannot use the same port.
 When a remote user accesses
https://10.200.1.1:443, the FortiGate login page opens.

Question 25
An administrator needs to inspect all web traffic (including Internet web
traffic) coming from users connecting to the SSL-VPN. How can this be
achieved?
 Using web-only mode.
 Disabling split tunneling.
 Configuring web bookmarks.
 Assigning public IP addresses to SSL-VPN users

You might also like