Fortinet NSE4_FGT-7.0 Exam

Viewing Questions 81-90 out of 106 Questions

Question 81
IPS Engine is used by which three security features? (Choose three.)
A. Web filter in flow-based inspection
B. Web application firewall
C. DNS filter
D. Application control
E. Antivirus in flow-based inspection

Question 82
Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)
A. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
B. Virtual IP addresses are used to distinguish between cluster members.
C. Heartbeat interfaces have virtual IP addresses that are manually assigned.
D. The primary device in the cluster is always assigned IP address 169.254.0.1.

Question 83
Refer to the exhibits.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)
Image NSE4_FGT-7.0_83Q.png related to the Fortinet NSE4_FGT-7.0 Exam
A. Set the Destination address as Deny_IP in the Allow_access policy.
B. Enable match-vip in the Deny policy.
C. Set the Destination address as Webserver in the Deny policy.
D. Disable match-vip in the Deny policy.

Question 84
When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?
A. Policy ID
B. Log ID
C. Universally Unique Identifier
D. Sequence ID

Question 85
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
A. The browser requires a software update.
B. FortiGate does not support full SSL inspection when web filtering is enabled.
C. There are network connectivity issues.
D. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.


Question 86
Refer to the exhibit.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
Image NSE4_FGT-7.0_86Q.png related to the Fortinet NSE4_FGT-7.0 Exam
A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
B. Apple FaceTime will be allowed, based on the Apple filter configuration.
C. Apple FaceTime will be allowed, based on the Categories configuration.
D. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

Question 87
Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)
A. A certificate is not required on the remote peer when you set the signature as the authentication method.
B. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
C. FortiGate supports pre-shared key and signature as authentication methods.
D. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

Question 88
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)
Image NSE4_FGT-7.0_88Q.jpg related to the Fortinet NSE4_FGT-7.0 Exam
A. On both FortiGate devices, set Dead Peer Detection to On Demand.
B. On HQ-FortiGate, set IKE mode to Main (ID protection).
C. On HQ-FortiGate, disable Diffie-Hellman group 2.
D. On Remote-FortiGate, set port2 as Interface.

Question 89
Which three methods are used by the collector agent for AD polling? (Choose three.)
A. WMI
B. Novell API
C. WinSecLog
D. NetAPI
E. FortiGate polling

Question 90
Refer to the exhibit.
Why did FortiGate drop the packet?
Image NSE4_FGT-7.0_90Q.png related to the Fortinet NSE4_FGT-7.0 Exam
A. It matched the implicit Firewall policy
B. The next-hop IP address is unreachable
C. It failed the RPF check
D. It matched an explicitly configured firewall policy with the action DENY