An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?
A. A VIP group
B. The mapped IP address object of the VIP object
C. A VIP object
D. An IP pool
When using SD-WAN, how do you configure the next-hop gateway address for a member interface so that FortiGate can forward Internet traffic?
A. It must be configured in a static route using the sdwan virtual interface.
B. It must be provided in the SD-WAN member interface configuration.
C. It must be configured in a policy-route using the sdwan virtual interface.
D. It must be learned automatically through a dynamic routing protocol.
How does FortiGate select the central SNAT policy that is applied to a TCP session?
A. It selects the SNAT policy specified in the configuration of the outgoing interface.
B. It selects the first matching central SNAT policy, reviewing from top to bottom.
C. It selects the central SNAT policy with the lowest priority.
D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.
Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)
A. Firewall service
B. User or user group
C. IP Pool
D. FQDN address
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
A. The next-hop IP address is unreachable.
B. It failed the RPF check.
C. It matched an explicitly configured firewall policy with the action DENY.
D. It matched the default implicit firewall policy.
Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)
A. Include the group of guest users in a policy.
B. Extend timeout timers.
C. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.
D. Ensure all firewalls allow the FSSO required ports.
How can you block or allow access to Twitter using a firewall policy?
A. Configure the Destination field as Internet Service objects for Twitter.
B. Configure the Action field as Learn and select Twitter.
C. Configure the Service field as Internet Service objects for Twitter.
D. Configure the Source field as Internet Service objects for Twitter.
Examine the exhibit, which shows the partial output of an IKE real-time debug.
Which of the following statements about the output is true?
A. The VPN is configured to use pre-shared key authentication.
B. Extended authentication (XAuth) was successful.
C. Remote is the host name of the remote IPsec peer.
D. Phase 1 went down.
View the exhibit:
Which statements about the exhibit are true? (Choose two.)
A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
B. port-VLAN1 is the native VLAN for the port1 physical interface.
C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
Which of the following statements about NTLM authentication are correct? (Choose two.)
A. It is useful when users log in to DCs that are not monitored by a collector agent.
B. It takes over as the primary authentication method when configured alongside FSSO.
C. Multi-domain environments require DC agents on every domain controller.
D. NTLM-enabled web browsers are required.
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
A. The interface has been configured for one-arm sniffer.
B. The interface is a member of a virtual wire pair.
C. The operation mode is transparent.
D. The interface is a member of a zone.
E. Captive portal is enabled in the interface.
On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager? (Choose two.)
A. hourly
B. real time
C. on-demand
D. store-and-upload
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
A. Traffic to botnet servers
B. Traffic to inappropriate web sites
C. Server information disclosure attacks
D. Credit card data leaks
E. SQL injection attacks
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
A. The firmware image must be manually uploaded to each FortiGate.
B. Only secondary FortiGate devices are rebooted.
C. Uninterruptible upgrade is enabled by default.
D. Traffic load balancing is temporarily disabled while upgrading the firmware.
Which is a requirement for creating an inter-VDOM link between two VDOMs?
A. The inspection mode of at least one VDOM must be proxy-based.
B. At least one of the VDOMs must operate in NAT mode.
C. The inspection mode of both VDOMs must match.
D. Both VDOMs must operate in NAT mode.