Question 21
Refer to the exhibit, which shows a FortiGate configuration.
An administrator is troubleshooting a web filter issue on FortiGate. The administrator has configured a web filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that is passing through the policy.
What must the administrator do to fix the issue?
A. Increase webfilter-timeout.
B. Change protocol to TCP.
C. Enable fortiguard-anycast.
D. Disable webfilter-force-off.
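The setting the answer options refer to lives under config system fortiguard. The following is an added, constructed configuration pair and is not part of the question or its exhibit: the first block forces FortiGuard web filtering off (category rating requests are never sent, so a web filter profile attached to a policy inspects nothing), the second is the corrected form. The check at the end is a real FortiOS diagnostic; interface and policy names are omitted because the exhibit is not reproduced here.

```text
# Constructed example: FortiGuard web filtering forced off.
# A web filter profile applied to a policy sends no rating requests
# while this is enabled, so the profile has no effect on traffic.
config system fortiguard
    set webfilter-force-off enable
end

# Corrected configuration: re-enable FortiGuard web filter lookups.
config system fortiguard
    set webfilter-force-off disable
end

# Confirm the rating service is reachable after the change.
diagnose debug rating
```

Compare this with options A to C: webfilter-timeout, the transport protocol and anycast only affect how rating requests reach FortiGuard; none of them stops the profile from inspecting traffic in the first place.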
Question 22
Which two configuration commands change the default behavior for content-inspected traffic while FortiGate is in conserve mode? (Choose two.)
A. set av-failopen off
B. set av-failopen pass
C. set fail-open enable
D. set ips fail-open disable
Question 23
Refer to the exhibit, which shows the output of a diagnose command.
What can you conclude from the output shown in the exhibit? (Choose two.)
A. This is a pinhole session created to allow traffic for a protocol that requires additional sessions to operate through FortiGate.
B. This is an expected session created by the IPS engine.
C. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.200.1.1.
D. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.0.1.10.
Question 24
You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but FortiGate devices are not receiving updates to their AV signature databases, IPS engines, or IPS signature databases.
Which two settings need to be verified for these features to function? (Choose two.)
A. FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management.
B. FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages.
C. Service access needs to be enabled on FortiManager under System Settings > Network.
D. FortiGate needs to have include-default-servers disabled under config system central-management.
Question 25
Refer to the exhibit, which shows the output of a debug command.
Which two statements about the output are true? (Choose two.)
A. In the network connected to port 4, two OSPF routers are down.
B. Based on the network type of port 4, OSPF hello packets will be sent to 224.0.0.5.
C. Based on the network type of port 4, OSPF hello packets will be sent to 224.0.0.6.
D. There are a total of 5 OSPF routers attached to the Port4 network segment.
Question 26
Refer to the exhibit, which shows partial outputs from two routing debug commands.
Why is the port2 default route not in the second command output?
A. The port2 interface is disabled in the FortiGate configuration.
B. The port1 default route has a lower distance than the default route using port2.
C. The port1 default route has a higher priority value than the default route using port2.
D. The port1 default route has a lower priority value than the default route using port2.
Question 27
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
A. It provides VM license validation services.
B. It supports rating requests from non-FortiGate devices.
C. It caches available firmware updates for unmanaged devices.
D. It can be configured as an update server, a rating server, or both.
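For Questions 24 and 27, the FortiGate side of a local-FDS deployment is a short central-management stanza. The block below is an added, constructed example, not a configuration taken from either question; the FortiManager address 10.0.1.5 is an assumption.

```text
# Constructed FortiGate configuration; 10.0.1.5 is an assumed FortiManager address.
config system central-management
    set type fortimanager
    set fmg "10.0.1.5"
    # Do not fall back to the public FortiGuard servers if FortiManager is unreachable.
    set include-default-servers disable
    config server-list
        edit 1
            # FortiManager serves both package updates (AV/IPS) and web filter ratings.
            set server-type update rating
            set server-address 10.0.1.5
        next
    end
end

# Show which server FortiGate is currently using for updates and ratings.
diagnose debug rating
# Force an immediate AV/IPS package check against the configured server.
execute update-now
```

The matching step on the FortiManager side is enabling service access (FortiGate updates and web filtering) on the interface facing the FortiGates, which Question 24 option C locates under System Settings > Network. Leaving include-default-servers enabled does not break updates by itself; it only lets FortiGate reach the public servers when the local FDS fails.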
Question 28
Refer to the exhibit, which contains the output of a debug command.
If the default settings are in place, what can be concluded about the conserve mode shown in the exhibit?
A. FortiGate is currently blocking all new sessions regardless of the content inspection requirements or configuration settings due to high memory use.
B. FortiGate is currently allowing new sessions that require flow-based or proxy-based content inspection but is not performing inspection on those sessions.
C. FortiGate is currently blocking new sessions that require flow-based or proxy-based content inspection.
D. FortiGate is currently allowing new sessions that require flow-based content inspection and blocking sessions that require proxy-based content inspection.
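Questions 22 and 28 both turn on the same two settings. The block below is an added, constructed example and not output from either exhibit: it shows the factory values first, then the two commands that change the conserve-mode behaviour, with a real diagnostic to confirm the unit's memory state. Note that the IPS fail-open setting is configured under config ips global, not with a bare "set ips fail-open" as option D in Question 22 writes it.

```text
# Factory defaults (constructed illustration of the default values).
config system global
    set av-failopen pass      # default: in conserve mode, pass new sessions needing
                              # content inspection without inspecting them
end
config ips global
    set fail-open disable     # default: IPS engine does not fail open
end

# The two commands that change the default behaviour.
config system global
    set av-failopen off       # block new sessions that need content inspection
                              # while in conserve mode (one-shot is the third value)
end
config ips global
    set fail-open enable      # IPS engine passes traffic uninspected when it
                              # cannot keep up instead of dropping it
end

# Check whether the unit is in conserve mode and what the thresholds are.
diagnose hardware sysinfo conserve
```

When reading the Question 28 exhibit, relate the reported memory state to these defaults: with av-failopen left at pass, sessions that need inspection are allowed through uninspected rather than blocked.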
Question 29
Refer to the exhibit, which contains a screenshot of some phase 1 settings.
The VPN is not up. To diagnose the issue, the administrator enters the following CLI commands in an SSH session on FortiGate:
diagnose vpn ike log-filter dst-addr4 10.0.10.1
diagnose debug application ike -1
However, the IKE real-time debug does not show any output. Why?
A. The administrator must also run the command diagnose debug enable.
B. The administrator must enable the following real-time debug: diagnose debug application ipsec -1.
C. The log-filter setting is incorrect. The VPN traffic does not match this filter.
D. The debug shows only error messages. If there is no output, then the phase 1 and phase 2 configurations match.
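The complete IKE real-time debug sequence, as an added example rather than text from the question: setting a filter and a debug level only selects what will be printed; nothing appears on the console until debug output is switched on. The peer address 10.0.10.1 is the one the question uses; the gateway name tunnel-to-branch is an assumption.

```text
# Start clean so an old filter does not hide the peer of interest.
diagnose vpn ike log-filter clear
# Limit the output to exchanges with the remote gateway.
diagnose vpn ike log-filter dst-addr4 10.0.10.1
# Select the IKE daemon at full verbosity (-1 = all message categories).
diagnose debug application ike -1
# Without this line the two commands above produce no output at all.
diagnose debug enable

# Re-initiate phase 1 so the negotiation is captured from the start
# (tunnel-to-branch is an assumed gateway name).
diagnose vpn ike gateway clear name tunnel-to-branch

# Stop and reset when finished so the console is not flooded later.
diagnose debug disable
diagnose debug reset
```

The log-filter syntax above follows the question; newer FortiOS releases spell the filter as "diagnose vpn ike log filter rem-addr4", so check the release notes for the version under test. Option B is unnecessary: the ipsec application debug covers phase 2 SA installation, not the IKE negotiation the administrator is trying to see.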
Question 30
Refer to the exhibit, which contains partial output from an IKE real-time debug.
Which two statements about this debug output are correct? (Choose two.)
A. The initiator provided remote as its IPsec peer ID.
B. It shows a phase 2 negotiation.
C. Perfect Forward Secrecy (PFS) is enabled in the configuration.
D. The local gateway IP address is 10.0.0.1.