Fortinet NSE4_FGT-7.

0
Exam preparation
NSE4_FGT-7.0 New and Exclusive book to test your knowledge and help you passing your real
NSE4_FGT-7.0 exam On the First Try – Save your time and your money | Latest Version.

This New and Exclusive Book covers all topics included in the Fortinet NSE4_FGT-7.0 exam.

This New Book is constructed to enhance your confidence to sit for real exam, as you will be testing
your knowledge and skills in all the required topics.

Practice Test

1) Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW)
FortiGate?

(Choose two.)

A. Firewall policy

B. Policy rule

C. SSL inspection and authentication policy

D. Security policy

2) View the exhibit:

Which the FortiGate handle web proxy traffic rue?

(Choose two.)
A. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

B. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

C. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

D. port-VLAN1 is the native VLAN for the port1 physical interface.

3) Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A. The collector agent uses a Windows API to query DCs for user logins.

B. The NetSession Enum function is used to track user logouts.

C. The collector agent must search security event logs.

D. NetAPI polling can increase bandwidth usage in large networks.

4) What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

A. It limits the scanning of application traffic to use parent signatures only.

B. It limits the scanning of application traffic to the browser-based technology category only.

C. It limits the scanning of application traffic to the application category only.

D. It limits the scanning of application traffic to the DNS protocol only.

5) Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)
A. Virtual IP addresses are used to distinguish between cluster members.

B. The primary device in the cluster is always assigned IP address 169.254.0.1.

C. Heartbeat interfaces have virtual IP addresses that are manually assigned.

D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

6) Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic?

(Choose two.)

A. Spillover

B. Source IP

C. Session

D. Volume

7) Which two statements about antivirus scanning mode are true? (Choose two.)

A. In flow-based inspection mode, files bigger than the buffer size are scanned.

B. In proxy-based inspection mode, files bigger than the buffer size are scanned.

C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the
client.

D. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

8) Refer to the exhibit.

According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?
A. A subordinate

B. A user

C. A bridge CA

D. A root CA

9) Which of the following statements about central NAT are true?

(Choose two.)

A. IP tool references must be removed from existing firewall policies before enabling central NAT.

B. Central NAT can be enabled or disabled from the CLI only.

C. Source NAT, using central NAT, requires at least one central SNAT policy.

D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

10) Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine

whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor,

FortiGate is still not generating any IPS logs for the HTTPS traffic.

What is a possible reason for this?

A. The IPS filter is missing the Protocol: HTTPS option.

B. The firewall policy is not using a full SSL inspection profile.

C. A DoS policy should be used, instead of an IPS sensor.

D. A DoS policy should be used, instead of an IPS sensor.

E. The HTTPS signatures have not been added to the sensor.

11) Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN
Performance SLA? (Choose two.)

A. ping

B. udp-echo

C. DNS

D. TWAMP

12) Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux

server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The
administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server.

This issue does not happen when the application establishes a Telnet connection to the Linux server directly
on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through
FortiGate? (Choose two.)

A. Create a new service object for TELNET and set the maximum session TTL.

B. Set the maximum session TTL value for the TELNET service object.

C. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90
minutes.

D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the
new TELNET service object in the policy.

13) Which two statements are correct about SLA targets?

(Choose two.)

A. You can configure only two SLA targets per one Performance SLA.

B. SLA targets are optional. Most Voted

C. SLA targets are required for SD-WAN rules with a Best Quality strategy.

D. SLA targets are used only when referenced by an SD-WAN rule.

14) Refer to the exhibit.

The exhibits show a network diagram and the explicit web proxy configuration.

In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and
the explicit web proxy?

A. "˜host 192.168.0.2 and port 8080'

B. "˜host 10.0.0.50 and port 80'

C. "˜host 192.168.0.1 and port 80'

D. "˜host 10.0.0.50 and port 8080'

15) Refer to the exhibits.
The SSL VPN connection fails when a user attempts to connect to it.

What should the user do to successfully connect to SSL VPN?

A. Change the SSL VPN port on the client.

B. Change the Server IP address.

C. Change the idle-timeout.

D. Change the SSL VPN portal to the tunnel.

16) Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection?
(Choose two.)

A. The issuer must be a public CA

B. The common name on the subject field must use a wildcard name

C. The keyUsage extension must be set to keyCertSign

D. The CA extension must be set to TRUE

17) An administrator has configured a route-based IPsec VPN between two FortiGate devices.

Which statement about this IPsec VPN configuration is true?

A. A phase 2 configuration is not required.

B. This VPN cannot be used as part of a hub-and-spoke topology.

C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

D. The IPsec firewall policies must be placed at the top of the list.

18) In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy.
Instead of separate policies.

Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

A. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and
destinations.

B. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

C. The IP version of the sources and destinations in a firewall policy must be different.

D. The IP version of the sources and destinations in a policy must match.

E. The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

19) Which two statements are correct about NGFW Policy-based mode? (Choose two.)

A. NGFW policy-based mode does not require the use of central source NAT policy

B. NGFW policy-based mode can only be applied globally and not on individual VDOMs

C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

D. NGFW policy-based mode policies support only flow inspection

20) Examine this output from a debug flow:

Why did the FortiGate drop the packet?

A. The next-hop IP address is unreachable.

B. It failed the RPF check.

C. It matched an explicitly configured firewall policy with the action DENY.

D. It matched the default implicit firewall policy.

21) Refer to the exhibit.

Which contains a network diagram and routing table output.

The student is unable to access Webserver.

What is the cause of the problem and what is the solution for the problem?

A. The first reply packet for Student failed the RPF check.

This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

B. The first reply packet for Student failed the RPF check.

This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

C. The first packet sent from Student failed the RPF check.

This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

D. The first packet sent from Student failed the RPF check.

This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

22) An administrator must disable RPF check to investigate an issue.

Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention
system?

A. Enable asymmetric routing, so the RPF check will be bypassed.

B. Disable the RPF check at the FortiGate interface level for the source check.

C. Disable the RPF check at the FortiGate interface level for the reply check.

D. Enable asymmetric routing at the interface level.

23) An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both
sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and
the remote quick mode selector is 192.16.2.0/24.

How must the administrator configure the local quick mode selector for site B?

A. 192.16.3.0/24

B. 192.16.2.0/24

C. 192.16.1.0/24

D. 192.16.0.0/8
24) Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation
to the Web server?

A. 172.16.32.0/24 is directly connected, port1

B. 0.0.0.0/0 [20/0] via 10.4.200.2, port2

C. 10.4.200.0/30 is directly connected, port2

D. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]

25) Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode?
(Choose two.)

A. FG-traffic

B. Mgmt

C. FG-Mgmt

D. Root

26) Which three statements are true regarding session-based authentication? (Choose three.)

A. HTTP sessions are treated as a single user.

B. IP sessions from the same source IP address are treated as a single user.

C. It can differentiate among multiple clients behind the same source IP address.

D. It requires more resources.

E. It is not recommended if multiple users are behind the source NAT.

27) Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

A. By default, FortiGate uses WINS servers to resolve names.

B. By default, the SSL VPN portal requires the installation of a client's certificate.

C. By default, split tunneling is enabled.

D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

28) Which certificate value can FortiGate use to determine the relationship between the issuer and the
certificate?

A. Subject Key Identifier value

B. SMMIE Capabilities value

C. Subject value

D. Subject Alternative Name value

29) Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

A. The session is a UDP unidirectional state.

B. The session is in TCP ESTABLISHED state.

C. The session is a bidirectional UDP connection.

D. The session is a bidirectional TCP connection.

30) Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is
enabled on all FortiGate devices?

A. FG-traffic VDOM

B. Root VDOM

C. Customer VDOM

D. Global VDOM

31) A team manager has decided that, while some members of the team need access to a particular website,
the majority of the team does not Which configuration option is the most effective way to support this
request?

A. Implement web filter authentication for the specified website.

B. Implement a web filter category override for the specified website.

C. Implement DNS filter for the specified website.

D. Implement web filter quotas for the specified website.

32) Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose
three.)

A. Source defined as Internet Services in the firewall policy.

B. Destination defined as Internet Services in the firewall policy.

C. Highest to lowest priority defined in the firewall policy.

D. Services defined in the firewall policy.

E. Lowest to highest policy ID number.

33) Which feature in the Security Fabric takes one or more actions based on event triggers?

A. Fabric Connectors

B. Security Rating

C. Automation Stitches
D. Logical Topology

34) Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

A. Phase 2 SA expiration can be time-based, volume-based, or both.

B. An SA never expires.

C. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

D. A phase 1 SA is bidirectional, while a phase 2 SA is directional.

E. Both the phase 1 SA and phase 2 SA are bidirectional.

35) Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

A. FortiGuard update servers

B. System time

C. Operating mode

D. NGFW mode

36) Refer to the exhibit, which contains a Performance SLA configuration.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not generating any traffic for the performance SLA?

A. There may not be a static route to route the performance SLA traffic.

B. You need to turn on the Enable probe packets switch.

C. The Ping protocol is not supported for the public servers that are configured.

D. Participants configured are not SD-WAN members.

37) An administrator has configured a strict RPF check on FortiGate.

Which statement is true about the strict RPF check?

A. Strict RPF checks only for the existence of at least one active route back to the source using the incoming
interface.

B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF allows packets back to sources with all active routes.

D. The strict RPF check is run on the first sent and reply packet of any new session.

38) Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux

server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The
administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This
issue does not happen when the application establishes a Telnet connection to the Linux server directly on the
LAN.

What two changes can the administrator make to resolve the issue without affecting services running through
FortiGate? (Choose two.)

A. Set the maximum session TTL value for the TELNET service object.

B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90
minutes.

C. Create a new service object for TELNET and set the maximum session TTL.

D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the
new TELNET service object in the policy.

39) When a firewall policy is created, which attribute is added to the policy to support recording logs to a
FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these
devices?

A. Log ID

B. Universally Unique Identifier

C. Policy ID

D. Sequence ID

40) Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for
Facebook.
Exhibit A.
Exhibit B.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but
they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

A. Add Facebook in the URL category in the security policy

B. Force access to Facebook using the HTTP service

C. Additional application signatures are required to add to the security policy

D. The SSL inspection needs to be a deep content inspection

41) Which of the following conditions must be met in order for a web browser to trust a web server certificate
signed by a third-party CA?
A. The public key of the web server certificate must be installed on the browser.

B. The web-server certificate must be installed on the browser.

C. The CA certificate that signed the web-server certificate must be installed on the browser.

D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

42) Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose
two.)

A. The firmware image must be manually uploaded to each FortiGate.

B. Only secondary FortiGate devices are rebooted.

C. Uninterruptable upgrade is enabled by default.

D. Traffic load balancing is temporally disabled while upgrading the firmware.

43) Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

A. FortiGate uses the AD server as the collector agent.

B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C. FortiGate points the collector agent to use a remote LDAP server.

D. ForiGate queries AD by using the LDAP to retrieve user group information.

44) Refer to the exhibit.

A user located behind the FortiGate device is trying to go to

http://www.addictinggames.com (Addicting.Games). The exhibit shows the application detains and

application control profile.
Based on this configuration, which statement is true?

A. Addicting.Games will be blocked, based on the Filter Overrides configuration.

B. Addicting.Games will be allowed only if the Filter Overrides action is set to Learn.

C. Addicting.Games will be allowed, based on the Categories configuration.

D. Addicting.Games will be allowed, based on the Application Overrides configuration.

45) Which of the following are valid actions for FortiGuard category-based filter in a web filter profile ui
proxy-based inspection mode?

(Choose two.)

A. Warning

B. Exempt

C. Allow

D. Learn

46) Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN
Performance SLA? (Choose two.)

A. udp-echo

B. DNS

C. TWAMP

D. ping

47) Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A. NetAPI polling can increase bandwidth usage in large networks.

B. The NetSessionEnum function is used to track user logouts.

C. The collector agent uses a Windows API to query DCs for user logins.

D. The collector agent must search security event logs.

48) Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

What CLI command must the administrator use to view the route?

A. get router info routing-table all

B. get internet service route list

C. get router info routing-table database

D. diagnose firewall proute list

49) Refer to the exhibit.

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP
address of Remote-FortiGate (10.200.3.1)?

A. 10.200.1.149

B. 10.200.1.1

C. 10.200.1.49

D. 10.200.1.99

50) Refer to the exhibit, which contains a radius server configuration.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator
selected the Include in every user group option.

What will be the impact of using Include in every user group option in a RADIUS configuration?

A. This option places the RADIUS server, and all users who can authenticate against that server, into every
FortiGate user group.

B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this
case, is FortiAuthenticator.

C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server
on FortiGate.

D. This option places the RADIUS server, and all users who can authenticate against that server, into every
RADIUS group.

51) Which three pieces of information does FortiGate use to identify the hostname of the SSL server when
SSL certificate inspection is enabled? (Choose three.)
A. The subject field in the server certificate

B. The serial number in the server certificate

C. The server’s name indication (SNI) extension in the client hello message

D. The subject alternative name (SAN) field in the server certificate

E. The host field in the HTTP header

52) An administrator does not want to report the logon events of service accounts to FortiGate.

What setting on the collector agent is required to achieve this?

A. Add the support of NTLM authentication

B. Add user accounts to the FortiGate group filter

C. Add user accounts to Active Directory (AD)

D. Add user accounts to the Ignore User List

53) What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A. FortiGate automatically negotiates different local and remote addresses with the remote peer.

B. FortiGate automatically negotiates a new security association after the existing security association expires.

C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

54) FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering
and application control directly on the security policy.

Which two other security profiles can you apply to the security policy?

(Choose two.)

A. Antivirus scanning

B. File filter

C. DNS filter

D. Intrusion prevention

55) Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings.

Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

A. Traffic matching the signature will be silently dropped and logged.

B. The signature setting uses a custom rating threshold.

C. The signature setting includes a group of other signatures.

D. Traffic matching the signature will be allowed and logged.

56) Which of the following statements about backing up logs from the CLI and downloading logs from the
GUI are true? (Choose two.)

A. Log downloads from the GUI are limited to the current filter view

B. Log backups from the CLI cannot be restored to another FortiGate.

C. Log backups from the CLI can be configured to upload to FTP as a scheduled time

D. Log downloads from the GUI are stored as LZ4 compressed files.

57) Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A. Antivirus engine
B. Intrusion prevention system engine

C. Flow engine

D. Detection engine

58) Which two statements are true when FortiGate is in transparent mode?

(Choose two.)

A. By default, all interfaces are part of the same broadcast domain.

B. The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.

C. Static routes are required to allow traffic to the next hop.

D. FortiGate forwards frames without changing the MAC address.

59) Which two configuration settings are synchronized when FortiGate devices are in an active-active HA
cluster?

(Choose two.)

A. FortiGuard web filter cache

B. FortiGate hostname

C. NTP

D. DNS

60) Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server.

The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.

What should the administrator do next to troubleshoot the problem?

A. Run a sniffer on the web server.

B. Capture the traffic using an external sniffer connected to port1.

C. Execute another sniffer in the FortiGate, this time with the filter "host 10.0.1.10"

D. Execute a debug flow.

61) What is the primary FortiGate election process when the HA override setting is disabled?

A. Connected monitored ports > System uptime > Priority > FortiGate Serial number

B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number

C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number

D. Connected monitored ports > Priority > System uptime > FortiGate Serial number

62) Which CLI command will display sessions both from client to the proxy and from the proxy to the
servers?

A. diagnose wad session list

B. diagnose wad session list | grep hook-pre&&hook-out

C. diagnose wad session list | grep hook=pre&&hook=out

D. diagnose wad session list | grep "hook=pre"&"hook=out"

63) Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output?

(Choose three.)

A. Interface name

B. Ethernet header

C. IP header

D. Application header

E. Packet payload
64) Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies.

What does the Administrator account need to access the FortiGate global settings?

A. Enable restrict access to trusted hosts

B. Change password

C. Enable two-factor authentication

D. Change Administrator profile

65) When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP request?

A. remote user's public IP address

B. The public IP address of the FortiGate device.

C. The remote user's virtual IP address.

D. The internal IP address of the FortiGate device.

66) Which type of logs on FortiGate record information about traffic directly to and from the FortiGate
management IP addresses?

A. Local traffic logs

B. Forward traffic logs

C. System event logs

D. Security logs

67) Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the
physical layer nor the link layer?

(Choose three.)

A. diagnose sys top

B. execute ping

C. execute traceroute

D. diagnose sniffer packet any

E. get system arp

68) Refer to the exhibit, which contains a Performance SLA configuration.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not generating any traffic for the performance SLA?

A. There may not be a static route to route the performance SLA traffic.

B. You need to turn on the Enable probe packets switch.

C. The Ping protocol is not supported for the public servers that are configured.

D. Participants configured are not SD-WAN members.

69) Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.

B. The sensor will block all attacks aimed at Windows servers.

C. The sensor will reset all connections that match these signatures.

D. The sensor will gather a packet log for all matched traffic.

70) Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose
two.)

A. The firmware image must be manually uploaded to each FortiGate.

B. Only secondary FortiGate devices are rebooted.

C. Uninterruptable upgrade is enabled by default.

D. Traffic load balancing is temporally disabled while upgrading the firmware.

71) An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken.
Each site has a FortiGate VPN gateway.

What must an administrator do to achieve this objective?

A. The administrator can register the same FortiToken on more than one FortiGate.

B. The administrator must use a FortiAuthenticator device.

C. The administrator can use a third-party radius OTP server.

D. The administrator must use the user self-registration server.

72) Which of the following are valid actions for FortiGuard category-based filter in a web filter profile ui
proxy-based inspection mode? (Choose two.)

A. Warning

B. Exempt

C. Allow

D. Learn

73) Which two statements are true about collector agent advanced mode?

(Choose two.)

A. Advanced mode supports nested or inherited groups.

B. Advanced mode uses Windows convention-NetBios: Domain\Username.

C. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

D. Security profiles can be applied only to user groups, nor individual users.

74) A team manager has decided that while some members of the team need access to particular website, the
majority of the team does not. Which configuration option is the most effective option to support this
request?

A. Implement a web filter category override for the specified website.

B. Implement web filter authentication for the specified website

C. Implement web filter quotas for the specified website.

D. Implement DNS filter for the specified website.

75) Which statement regarding the firewall policy authentication timeout is true?

A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the
user's source IP.

B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has
expired.

C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the
user's source MAC.

D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer
has expired.

76) Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-
shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes
will bring phase 1 up? (Choose two.)
A. On HQ-FortiGate, set IKE mode to Main (ID protection).

B. On both FortiGate devices, set Dead Peer Detection to On Demand.

C. On HQ-FortiGate, disable Diffie-Helman group 2.

D. On Remote-FortiGate, set port2 as Interface.

77) FortiGuard categories can be overridden and defined in different categories. To create a web rating
override for example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating for the home page?

(Choose two.)

A. www.example.com:443

B. www.example.com

C. example.com

D. www.example.com/index.html

78) An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer
should start as soon as the user authenticates and expire after the configured value.

Which timeout option should be configured on FortiGate?

A. auth-on-demand

B. soft-timeout

C. idle-timeout

D. new-session

E. hard-timeout

79) Which statements are true regarding firewall policy NAT using the outgoing interface IP address with
fixed port disabled? (Choose two.)

A. This is known as many-to-one NAT.

B. Source IP is translated to the outgoing interface IP.

C. Connections are tracked using source port and source MAC address.

D. Port address translation is not used.

80) In an explicit proxy setup, where is the authentication method and database configured?

A. Proxy Policy

B. Authentication Rule

C. Firewall Policy

D. Authentication scheme

81) Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

A. A local FortiManager is one of the servers FortiGate communicates with.

B. One server was contacted to retrieve the contract information.

C. There is at least one server that lost packets consecutively.

D. FortiGate is using default FortiGuard communication settings.

82) Refer to the exhibit to view the authentication rule configuration.

In this scenario, which statement is true?

A. Session-based authentication is enabled

B. Policy-based authentication is enabled

C. IP-based authentication is enabled

D. Route-based authentication is enabled

83) Which three methods are used by the collector agent for AD polling?

(Choose three.)

A. FortiGate polling

B. NetAPI

C. Novell API

D. WMI

E. WinSecLog

84) Examine the output from a debug flow:

Why did the FortiGate drop the packet?

A. The next-hop IP address is unreachable.

B. It failed the RPF check.

C. It matched an explicitly configured firewall policy with the action DENY.

D. It matched the default implicit firewall policy.

85) Which security feature does FortiGate provide to protect servers located in the internal networks from
attacks such as SQL injections?

A. Denial of Service

B. Web application firewall

C. Antivirus

D. Application control

86) Which statement about the policy ID number of a firewall policy is true?

A. It is required to modify a firewall policy using the CLI.

B. It represents the number of objects used in the firewall policy.

C. It changes when firewall policies are reordered.

D. It defines the order in which rules are processed.

87) What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A. FortiGate automatically negotiates different local and remote addresses with the remote peer.

B. FortiGate automatically negotiates a new security association after the existing security association expires.
C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

88) Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme,
users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.

The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a
form-based authentication scheme for the FortiGate local user database. Users will be prompted for
authentication.

How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP
10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)
A. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

B. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

C. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

D. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

89) An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

A. VLAN interface

B. Software Switch interface

C. Aggregate interface

D. Redundant interface

90) Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are
configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the
Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP
modem.
Which two statements are true?

(Choose two.)

A. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

B. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

C. A static route is required on the To-Internet VDOM to allow LAN users to access the Internet.

D. Inter-VDOM links are not required between the Root and To-Internet VDOMs because the Root VDOM is used
only as a management VDOM.

91) If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when
central NAT is used?

A. The Services field removes the requirement of creating multiple VIPs for different services.

B. The Services field is used when several VIPs need to be bundled into VIP groups.

C. The Services field does not allow source NAT and destination NAT to be combined in the same policy.

D. The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single
computer.

92) An administrator has configured outgoing interface any in a firewall policy.

Which statement is true about the policy list view?

A. Interface Pair view will be disabled

B. By Sequence view will be disabled

C. Policy lookup will be disabled

D. Search option will be disabled

93) An administrator observes that the port1 interface cannot be configured with an IP address. What can be
the reasons for that? (Choose three.)

A. The interface has been configured for one-arm sniffer.

B. The interface is a member of a virtual wire pair.

C. The operation mode is transparent.

D. The interface is a member of a zone.

E. Captive portal is enabled in the interface.

94) What devices form the core of the security fabric?

A. Two FortiGate devices and one FortiManager device

B. One FortiGate device and one FortiManager device

C. Two FortiGate devices and one FortiAnalyzer device

D. One FortiGate device and one FortiAnalyzer device

95) How does FortiGate act when using SSL VPN in web mode?

A. FortiGate acts as an FDS server.

B. FortiGate acts as an HTTP reverse proxy.

C. FortiGate acts as DNS server.

D. FortiGate acts as router.

96) An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead
tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

A. Disabled

B. On Demand

C. Enabled

D. On Idle

97) Examine the two static routes shown in the exhibit, then answer the following question.
Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

A. FortiGate will load balance all traffic across both routes.

B. FortiGate will use the port1 route as the primary candidate.

C. FortiGate will route twice as much traffic to the port2 route

D. FortiGate will only actuate the port1 route in the routing table

98) When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP req

uest?

A. remote user's public IP address

B. The public IP address of the FortiGate device.

C. The remote user's virtual IP address.

D. The internal IP address of the FortiGate device.

99) How can you format the FortiGate flash disk?

A. Load the hardware test (HQIP) image.

B. Execute the CLI command execute formatlogdisk.

C. Load a debug FortiOS image.

D. Select the format boot device option from the BIOS menu.

100) Refer to the exhibit.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2.
Remote-user2 is still able to access Webserver.

Which two changes can the administrator make to deny Webserver access for Remote-User2?

(Choose two.)

A. Disable match-vip in the Deny policy.

B. Set the Destination address as Deny_IP in the Allow-access policy.

C. Enable match-vip in the Deny policy.

D. Set the Destination address as Web_server in the Deny policy.

101) Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

A. There are five devices that are part of the security fabric.

B. Device detection is disabled on all FortiGate devices.

C. This security fabric topology is a logical topology view.

D. There are 19 security recommendations for the security fabric.

102) Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)
A. Traffic is blocked because Action is set to DENY in the firewall policy.

B. Traffic belongs to the root VDOM.

C. This is a security log.

D. Log severity is set to error on FortiGate.

103) What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose
three.)

A. Traffic to botnet servers

B. Traffic to inappropriate web sites

C. Server information disclosure attacks

D. Credit card data leaks

E. SQL injection attacks

104) Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A. FortiSIEM

B. FortiCloud

C. FortiCache

D. FortiSandbox

E. FortiAnalyzer

105) Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 status is up, but phase
2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

A. On HQ-FortiGate, enable Diffie-Hellman Group 2.

B. On HQ-FortiGate, enable Auto-negotiate.

C. On Remote-FortiGate, set Seconds to 43200.

D. On HQ-FortiGate, set Encryption to AES256.

106) Which two inspection modes can you use to configure a firewall policy on a profile-based next-
generation firewall (NGFW)? (Choose two.)

A. Proxy-based inspection

B. Certificate inspection

C. Flow-based inspection

D. Full Content inspection

107) Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

A. The debug flow is of ICMP traffic

B. The default route is required to receive a reply

C. A firewall policy allowed the connection

D. A new traffic session is created

108) Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

A. The firewall policy does not apply deep content inspection.

B. The firewall policy must be configured in proxy-based inspection mode.

C. The action on the firewall policy must be set to deny.

D. Web filter should be enabled on the firewall policy to complement the antivirus profile.

109) A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When
downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When
downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be
downloaded.

What is the reason for the failed virus detection by FortiGate?

A. Application control is not enabled.

B. SSL/SSH Inspection profile is incorrect.

C. Antivirus profile configuration is incorrect.

D. Antivirus definitions are not up to date.

110) An administrator is running the following sniffer command:

diagnose sniffer packet any "host 10.0.2.10" 3

What information will be included in the sniffer output? (Choose three.)

A. IP header

B. Ethernet header

C. Packet payload

D. Application header

E. Interface name

111) To complete the final step of a Security Fabric configuration, an administrator must authorize all the
devices on which device?

A. FortiManager

B. Root FortiGate

C. FortiAnalyzer

D. Downstream FortiGate
112) A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces
added to the physical interface.

Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses
in different subnets.

A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

B. The two VLAN sub interfaces must have different VLAN IDs.

C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

113) NGFW mode allows policy-based configuration for most inspection rules. Which security profile's
configuration does not change when you enable policy-based inspection?

A. Web filtering

B. Antivirus

C. Web proxy

D. Application control

114) Refer to the exhibit to view the application control profile.

Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?

A. Apple FaceTime belongs to the custom monitored filter.

B. The category of Apple FaceTime is being monitored.

C. Apple FaceTime belongs to the custom blocked filter.

D. The category of Apple FaceTime is being blocked.

115) Which two statements are true about collector agent standard access mode? (Choose two.)

A. Standard mode uses Windows convention-NetBios: Domain\Username.

B. Standard mode security profiles apply to organizational units (OU).

C. Standard mode security profiles apply to user groups.

D. Standard access mode supports nested groups.

116) Which two types of traffic are managed only by the management VDOM? (Choose two.)

A. FortiGuard web filter queries

B. PKI

C. Traffic shaping

D. DNS

117) Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN
Performance SLA?

(Choose two.)

A . DNS

B . ping

C . udp-echo

D . TWAMP

118) Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address
10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is
configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP
address 10.0.1.10/24?

A. 10.200.1.10

B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24

C. 10.200.1.1

D. 10.0.1.254

119) Which two statements are true about the Security Fabric rating? (Choose two.)

A. It provides executive summaries of the four largest areas of security focus

B. Many of the security issues can be fixed immediately by clicking Apply where available

C. The Security Fabric rating is a free service that comes bundled with all FortiGate devices

D. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

120) What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

A. It limits the scanning of application traffic to the DNS protocol only.

B. It limits the scanning of application traffic to use parent signatures only.

C. It limits the scanning of application traffic to the browser-based technology category only.

D. It limits the scanning of application traffic to the application category only.

Notes:
…………………………………………………………………………………………………………………………………………………

Answers & Explanation

1) Answer: C,D

C & D are the correct answers by Fortigate_Security_7.0(New Version) page 369. If you are using Policy Based
Mode, SSL Inspection & Authentication (consolidated) and Security Policy are required to allow traffic.
Reference: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-basedmode

2) Answer: C,D

These are L3 VLAN interfaces which means different broadcast domains (there is no L2 VLAN what you describe).

3) Answer: B

B per FortiGate_Infrastructure_7.0 page 270: "NetAPI: polls temporary sessions created on the DC when a user logs
in or logs out and calls the NetSessionEnum function in Windows."

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD34906

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34906&sliceId=1

4) Answer: B

the keyword is "browser-based" which we can find only in the Answer A.

5) Answer: C,D

FortiGate_Infrastructure_7.0 page 326

6) Answer: C,D

Reference:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-loadbalancing

7) Answer: C,D

FortiGate Security 7.0 pp 485 & 488

Explanation

An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB.

That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to
increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances
risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or
model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and
scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a
firewall would need infinitely large RAM-something that no device has in the real world. Most viruses are very
small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses
pass through.
8) Answer: B

Issued to, not issued from. The Subject tells you who it's issued to. In this case, a user. Answer is A: A user.

9) Answer: A,B

Central NAT is disabled by default. To toggle the feature on or off, use the following commands:

config system settings

set central-nat [enable | disable]

end

Reference:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-
52/Firewall%20Policies/Central%20SNAT.htm

10) Answer: B
A IPS sensor need a firewall policy to work... and need a policy with full inspection to inspect encrypted traffic.

11) Answer: B,D

In the GUI appears HTTP, DNS and Ping.

12) Answer: A,D

The key here is performing the task without affecting any of the other services.

- Not B - Changing the maximum TTL value for TELNET will affect every other policy that references the
TELNET service

- Not C - Changing the session TTL on the SSLVPN policy will impact other services referenced in the policy.

13) Correct Answer: B,D

A incorrect - You can configure more than 2 SLA targets.

C incorrect - SLA targets only required for Lower Cost (SLA) and Maximize Bandwidth (SLA).

Reference:

Fortigate Infrastructure 7.0 Study Guide P.81

14) Correct Answer: A

15) Correct Answer: A

A is Correct because in exhibit, port is 10443.

16) Correct Answer: C,D

B is incorrect as Its not mandatory to have a wildcard certificate.

A is incorrect because certificate can be signed by any CA private or public.

FortiGate Security 7.0 pp 328 "In order for FortiGate to act in these roles, its CA

certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to
keyCertSign."

FortiGate_Security_7.0_Study_Guide p.323

17) Correct Answer: C

In a route-based configuration, FortiGate automatically adds a virtual interface either the VPN name (Infrastructure
Study Guide, 206)

18) Correct Answer: B,D,E

19) Correct Answer: C,D

C is correct Fortigate Security 7.0 page 458

D is correct also Fortigate Security 7.0 page 458

20) Correct Answer: D

Implicit firewall rule == (policy id 0)

Traffic is denied by implicit firewall rule.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=13900

21) Correct Answer: C

22) Correct Answer: B

"B" is the answer be careful question are very tricky. RPF methods in NSE guide says: Two ways to disable RFP. 1
Enable asymmetric routing, which disables RPF checking system wide (but not at interface level is through the CLI
command config system settings) 2 Disable RPF checking at the interface level (the only way at the interface level
in the CLI command).

A incorrect. If you enable asymmetric routing, RPF not will be bypass because is disable. B Correct. You have to
disable the RPF check the interface level, for the source. C Is incorrect is for the source D is incorrect: Asymmetric
routing is not enabled at interface level.

RPF checking can be disabled in the ways. If you enable asymmetric routing, it will disable RPF checking system
wide. However, this reduces the security of you network greatly. Features such us ANTIVIRUS, and IPS become
non-effective. So, if you need to disable RPF checking, you can do so at the interface level using the command:

config system interface

edit <interface>

set src-check [enable | disable]

end

Recent 7.0 Fortigate Infrastructure Pg 39

FG Infrast 7.0 SG page 38

You can disable RPF checking in two ways. If you enable asymmetric routing, it disables RPF checking system
wide. However, this reduces the security of your network. Features, such as antivirus and IPS become noneffective.
So, if you need to disable RPF checking, you can do so at the interface level using the commands: set src-check [
enable | disable] at system interface level.

23) Correct answer: B

192.16.2.0/24

24) Correct Answer: A

25) Correct Answer: A,D

FortiGate Infrastructure 7.0 Study Guide page 123.

26) Correct Answer: A,C,D

For A: Each session-based authenticated user is counted as a single user using their authentication membership
(RADIUS, LDAP, FSSO, local database etc.) to match users in other sessions. So, one authenticated user in multiple
sessions is still one user.

27) Correct Answer: C

Under SSL VPN settings you can see that port is 443 (same of https admin port).

BUT the question is about an SSL VPN Setting FOR A VPN PORTAL... so, if you go to SSL VPN Portals and hit
"Create new" you will see Tunnel Mode and Split Tunnel enabled by default... so, the correct answer is C.

28) Correct answer: A

FortiGate can use the Subject Key Identifier and Authority Key Identifier values to determine the relationship
between the issuer of the certificate (identified in the Issuer field) and the certificate.

29) Correct Answer: C

proto=17 - UDP, proto_state=1 – Bidirectional

30) Correct Answer: B

If you enable split-task VDOM mode on the upstream FGT device, it can allow downstream FGT devices to join the
Security Fabric in the root and FG-Traffic VDOMs.

If split-task VDOM mode is enabled on the downstream FortiGate, it can only connect to the upstream FortiGate
through the downstream FortiGate interface on the root VDOM.

31) Correct Answer: A

Since both A and B are working options, answer B needs one more Web filter profile - the one that will allow access
to the category in which resides website's domain name.

In both cases a custom category is needed and a rating override, which will assign the website to that category.

The question is "Which configuration option is the most effective way to support this request" in that case this is
answer A.

32) Correct Answer: A,B,D

Fortigate 7.0 Security pg 110

33) Correct Answer: C

Each automation stitches pairs an event trigger and 1 or more action to monitor your network.

34) Correct Answer: A,C,D

35) Correct Answer: C,D

C: "Operating mode is per-VDOM setting. You can combine transparent mode VDOM's with NAT mode VDOMs
on the same physical Fortigate.

D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow,
so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the
VDOM".

36) Correct Answer is: B.

FortiGate will stop sending out probe packets when the "enabled probe packets" option is disabled. This is also
called; Active Detection Mode is SLA performance. Page 81, FortiGate Infrastructure 7.0 (New Version!!)

37) B is correct. Loose RPF checks for any route and Strict RPF check for best route.

38) Correct answer: C,D

The key here is performing the task without affecting any of the other services.

- Not A - Changing the maximum TTL value for TELNET will affect every other policy that references the
TELNET service.

- Not B - Changing the session TTL on the SSLVPN policy will impact other services referenced in the policy.

39) B it is Correct: "Universally Unique Identifier (UUID) attributes have been added to policies to improve
functionality when working with FortiManager or FortiAnalyzer units".

FortiGate Security 7.0 Study Guide page 125.

40) Correct Answer: D

The lock logo behind Facebook_like.Button indicates that SSL Deep Inspection is Required.

Alle other Application Signatures Facebook and Facebook_Video.Play does not require SSL inspection. Hence that
the users can play video content. If you look up the Application Signature for Facebook_like.Button it will say
"Requires SSL Deep Inspection".

41) C is the correct answer. Otherwise, a browser will display a warning.

C Third party CA in this case FortiGate as a CA, its certificate should be installed in the web browser.

42) Correct answer: C,D

Reference:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_operatingFirmUpgd.htm

43) Correct answer: B,D

Fortigate Infrastructure 7.0 Study Guide P.257-258

Fortigate Infrastructure 7.0 Study Guide P.272-273

44) Correct answer: D

45) Correct answer: A,C

Exempt is not FortiGuard category action.

46) Correct answer: A,C

In the GUI appears HTTP, DNS and Ping.

Fortigate Infrastructure 7.0 pg 81

47) Correct answer: B

FortiGate_Infrastructure_7.0 page 270: "NetAPI: polls temporary sessions created on the DC when a user logs in or
logs out and calls the NetSessionEnum function in Windows."

Fortigate Infrastructure 7.0 pg 255

48) Answer: D

Fortigate Infrastructure 7.0 Study Guide P.56

49) D is correct.

Ping is ICMP protocol - protocol number = 1

=> SNAT policy ID 1 is policy that used.

=> Translated address is "SNAT-Remote1" that 10.200.1.99

50) Correct answer: A

FortiGate_Security_7.0 page 223

"The INCLUDE IN EVERY USER GROUP option adds the Radius server and all user that can authenticate against
it, to every user group created on the FortiGate".

51) Correct answer: A,C,D

Fortigate firstly uses SNI, if there is no SNI it uses Subject or Subject Alternatives.

FortiGate_Security_7.0 Study Guide .pdf page 326

FortiGate uses the server’s name indication (SNI) to discern the hostname of the SSL server at the beginning of the
SSL handshake. If there is no SNI, FortiGate looks at the subject and subject alternative name fields.

52) Correct answer: D

FG Infraest SG 7.0 page 290

FortiGate_Infrastructure_7.0 page 278

53) Correct answer: D

"Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there
is no interesting traffic”.

FG Infraest SG 7.0 page 290

FortiGate_Infrastructure_7.0 page 278

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=12069

54) A and D

FortiGate security 7.0 Pg 451

Security policy: If the traffic is allowed as per the consolidated policy, FortiGate will then process it based on the
security policy to analyze additional criteria, such as URL categories for web filtering and application control. Also,
if enabled, the security policy further inspects traffic using security profiles such as IPS and AV.

55) Correct answer: A

"pass" is only default action

To explain this: the Pass action on the specific signature would only be chosen, if the Action (on the top) was set to
Default. But instead, its set to Block, se the action is will be to block and drop.
56) Correct answer: A,B

The question is about Backing up logs from CLI and Downloading logs from the GUI, therefore, C is incorrect
because the question doesn't say anything about uploading logs from CLI, but says backing up from CLI...

57) Correct answer: B

Intrusion prevention system engine.

58) Correct answer: A,D

Fortigate_Security_7.0 page 379

59) Correct answer: C,D

FortiGate Hostname is not synchronized between cluster member.

60) Correct answer: D

Because sniffer shows the ingressing and egressing packets. but we cannot see dropped packets by FortiGate in a
sniffer.

Debugging can show the packets are not entering for any reasons caused by FortiGate. So, if a packed is reached to
FortiGate and dropped, debug will show us.

"Debug the packet flow when network traffic is not entering and leaving the FortiGate as expected. Debugging the
packet flow can only be done in the CLI."

61) Correct answer: B

PUPS - Ports/Uptime/Priority/Serial

FortiGate_Infrastructure_7.0 page 304

62) Correct answer: D

63) Correct answer: A,C,E

Fortigate Infrastructure 7.0 pg 58

For me to remember the order I think of the famous Architect I.M. Pei.

IPEI

IP Header

Packet Payload

Ethernet Header
Interface Name

1. IP Header

2. IP Header and Packet Payload

3. IP Head, Packet Payload, and Ethernet Header

4-6 is the same - just add "Interface Name" to the end of each.

64) Correct answer: D

Fortigate security 7.0 pg 24

Prof_admin is only vdom admin not global.

65) Correct answer: D

D is correct: The SSL VPN portal enables remote users to access internal network resources through a secure
channel using a web browser. The portal, bookmarks are used as links to internal network resources.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36530

66) Correct answer: A

FortiGate_Security_7.0 page 263

Fortigate Security 7.0 pg 268

67) Correct answer: B,C,D

FortiGate_Infrastructure page 57 for "D"

diagnose sys top - list of processes with most CPU

get system arp - show interface, IP, MAC (physical layer)

Fortigate Infrastructure 7.0 pg 145

"Besides traceroute and ping there are other tools for troubleshooting"

Diag sniffer and diag debug flow are specifically mentioned.

”dia sys top” is not for troubleshooting layer 3 issues rather for troubleshooting CPU and Memory issues.

68) Correct answer: B

FortiGate will stop sending out probe packets when the "enabled probe packets" option is disabled. This is also
called; Active Detection Mode is SLA performance. Page 81, FortiGate Infrastructure 7.0 (New Version)

A is not the answer because the pings work without static route.

C is wrong

D is wrong because you can't add non-SD-WAN members to SLA policy.

69) Correct answer: A,B

70) Correct answer: C,D

Reference:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_operatingFirmUpgd.htm

71) Correct answer: B

If you want to have one FortiToken assigned to multiple sites, FortiAuthenticator is required. 3rd party RADIUS is
possible with things like DUO, but the key items here is FORTITOKEN.

FortiGate_Security_7.0 page 212

FortiGate_Security_7.0 page 216

72) Correct answer: A,C

Proxy: Allow, Block, Monitor, Warning, and Authenticate.

73) Correct answer: A,C

FG Infra 7.0 page 280-295

74) Correct answer: B

Only some members can be authenticated by providing their credentials.

A could be a solution if you set custom categories and specify a web filter to the group with access. but B is the most
effective and simple solution.
75) A is correct.

*** If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default),
user authentication entry will be removed.

* If the user tries to access resources now, FortiGate will prompt the user to authenticate again.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

76) Correct answer: A,D

D - In the top image it says "Port2" so the configuration in the remote side should match port2 in the interface.

A - Both IKE Mode should match - Main (ID Protection)

77) Correct answer: B,C

When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating
override and define the website in a different category. Web ratings are only for host names— "no URLs or wildcard
characters are allowed"

Fortigate Security 7.0 pg 384

78) Correct answer: E

Fortigate Security 7.0 pg 254

79) Correct answer: A,B

A&B are correct because the fixed port is disabled (default). If it is enabled, then the answer would be C&D.

80) Correct answer: D

Fortigate Security 7.0 pg 624

81) Correct answer: B,D

Those IPs starting with 173.243 are for FortiGuard services, adding that uses port 443 to update.

82) Correct answer: A

Fortigate Infrastructure 7.0 pg 264

NTLM authentication = session-based

83) Correct answer: B,D,E

Fortigate Infra SG 7.0 pg 255

84) D is correct - traffic is denied by implicit firewall rule.

Implicit firewall rule == (policy id 0)

85) Correct answer: B

Some FortiGate features are meant to protect clients, not servers. For example, FortiGuard web filtering blocks
requests based on the category of the server’s web pages. Antivirus prevents clients from accidentally downloading
spyware and worms. Neither protects a server (which doesn’t send requests—it receives them) from malicious
scripts or SQL injections. Protecting web servers requires a different approach because they are subject to other
kinds of attacks. This is where WAF applies. The WAF feature is available only in proxy inspection mode.

86) Correct answer: A

It is required to modify a firewall policy using the CLI.

87) Correct answer: D

"Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there
is no interesting traffic”

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=12069

88) Correct answer: B,C

3 exhibits are missing. They are:

1. proxy custom address named "Browser CAT1" for local subnet and defined user agent "Chrome and IE"

2. proxy custom address named "Browser CAT2" for local subnet and defined user agent "Firefox"

3. proxy policy with 2 lines:

- Browser CAT2 & Local subnet & User B --> deny

- Browser CAT1 & Local subnet & User all --> accept

Beed on above exhibits only users from Chrome ana IE are allowed.
89) Answer is C

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an
aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails,
traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced
bandwidth.

90) Correct answer: BC

A is incorrect Layer 2 transparent mode.

D is incorrect Internet access is recommended because specific services, such as web filtering using the public
FortiGuard servers.

91) Correct answer: A

The Services option has been added to VIP objects. When services and port forward are configured, only a single
mapped port can be configured. However, multiple external ports can be mapped to that single internal port. This
configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple
services to connect to a single computer, while requiring a combination of source and destination NAT, and not
requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-
overlapping.

the Services Field allows a complex scenario where multiple sources using multiple services can connect to a single
source, so D isn't the answer.

92) Correct answer: A

FortiGate Security 7.0 page 133.

93) Correct Answer: A,B,C

Reference:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

94) Correct answer: C

As of 7.0, the preferred answer is C, according to FortiGate_Security_7.0 page 67.

95) Correct answer: B

FortiGate security Pg 583

In web-only mode, the FortiGate unit acts as a secure HTML5 HTTPS gateway and authenticates remote users as
members of a user group.
96) Correct answer: D

FortiGate Infrastructure 7.0 Study Guide P.214

97) Correct answer: B

FortiGate will use the port1 route as the primary candidate.

98) D is correct: The SSL VPN portal enables remote users to access internal network resources through a secure
channel using a web browser. The portal, bookmarks are used as links to internal network resources.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36530

99) Correct answer: D

Reference:

https://kb.fortinet.com/kb/viewContent.do?externalId=10338

100) Correct answer: C,D

By default, does not match VIP in deny policy for destination all. So, we have 2 options:

1. Enable match VIP in the Deny policy.

2. Add destination as webserver in deny policy.

101) C and D are correct.

Device detection is obviously on. And that red 19 indicates security rating recommendations.

102) Correct answer: B,C

as you can see the parameter on the log view:

1. "vd=root" which means vdom is root.

2. "type=utm" which means security log event.

FortiGate_Security_7.0_Study page 268 and 270

103) Answer is C,D,E

WAF can allow bot traffic to good servers and only block to malicious ones.... so A is not correct.
Reference:

https://help.fortinet.com/fweb/570/Content/FortiWeb/fortiweb-admin/web_protection.htm

104) Correct answer: A,B,E

Fortisandbox is not a logging solution.

FortiGate Security 7.0 pf 279

105) D is correct, the Encryption and authentication algorithm needs to match in order for IPSEC be successfully
established.

Encryption algorithm must be the same.

106) Correct answer: A,C

Fortigate Security 7.0 pg 368

Profile based - Flow or proxy based.

Policy based - flow only.

107) Correct answer: A,D

Proto 1 is icmp.

Obviously, a new session was created. The ping is being sent to the gateway from a local device so no policy is
needed. "Gw-10.0.1.250 via root"

FortiGate Infrastructure 7.0 pg 358-360

108) A is the correct answer.

Need SSL deep inspection enabled for AV, Application Control and some features of Web filter to work properly.

Can't do AV inspection on encrypted traffic. So, they must be unencrypted using SSL deep inspection.

Use deep-inspection instead of certificate-based inspection, to ensure that full content inspection is performed.

109) B is correct as https traffic requires SSL decryption. Check the SSH inspection profile.

Infrastructure 7.0 Study Guide pg. 325

110) Correct answer: A,B,C

Verbose levels in detail:

1: print header of packets

2: print header and data from IP of packets.

3: print header and data from Ethernet of packets.

4: print header of packets with interface name.

5: print header and data from IP of packets with interface name.

6: print header and data from Ethernet of packets with interface name.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=11186

111) The answer is C. All devices must be authorized on the root Fortigate, and then after this step all must be
authorized on the FortiAnalyzer.

"Final Step" is authorized Fortigate on Fortianalyzer. Authorize downstream Fortigates on Root Fortigate is required
too but is the third step not the final one.

112) Correct answer: B

Reference:

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31639

113) Correct answer: B

Antivirus and IPS is enhanced by the IPS Engine.

114) Correct answer: C

FaceTime categorized (filtered) under "Excessive-Bandwidth" and custom filter override set to block this.

Also, we know that users can't use FaceTime.

Facetime belongs to VoIP category which is monitored here and therefore should be allowed, however, because of
the behavior of the facetime "Excessive-Bandwidth", the custom filter Excessive-Bandwidth will block Facetime
and the lookup won't continue to the second filter

Here is what FortiGate shows about face time:

Category VoIP
Risk **

Popularity *****

Protocol UDP, TCP, SSL

Technology Client-Server

Behavior Excessive-Bandwidth

Vendor Apple

115) Correct answer: A,C

Fortigate Infra 7.0 Pg 280

B is incorrect. Standard Mode does not do OU, advanced mode does.

D is incorrect. Standard Mode cannot do nested groups.

116) Correct answer: A,D

"NTP, FortiGuard updated/queries, SNMP, DNS Filtering, Log settings and other management related services".

Fortigate Infrastructure 7.0 Book Pg. 122 says global settings for vdom's are:

Hostname

HA Settings

Fortiguard Settings

System time

Administrative Accounts

Fortigate Infrastructure 7.0 Study Guide P.113

B is wrong because PKI stands for Public Key Infrastructure and is associated with VPNS.

C is wrong because traffic shaping is configured on a 'Traffic Shaping Policy'.

A is correct because Fortigate will use Fortiguard for these queries.

D is correct as the management VDOM (very similar to Palo Alto) can use DNS for DNS queries.

117) Answer: A,C

118) Correct answer: C

We set up the scenario when we enable port forwarding in the VIP leaves with the IP associated with the wan
interface (10.200.1.1), if we disable port forwarding the outgoing IP is the one associated with the VIP
(10.200.1.10).
The "set nat-source-vip enable" should be applied in the VIP Otherwise, the IP address of the physical interface will
be used for NAT.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529

119) Correct answer: B,D

Fortigate Security 7.0 pg 96-97

Scorecards: Security Posture, Fabric Coverage, Optimization.

"These scorecards provide executive summaries of the THREE LARGEST AREAS of security focus".

120) Correct answer: C

Fortigate Security 7.0 pg 451

Notes:
…………………………………………………………………………………………………………………………………………………

Good Luck