Refer to the exhibits.

An administrator has configured a FortiGate and FortiAuthenticator for two-factor
authentication with FortiToken push notifications for their SSL VPN login. Upon initial
review of the setup, the administrator has discovered that the customers can manually type
in their two-factor code and authenticate, but push notifications do not work.
Based on the information given in the exhibits, what must be done to fix this?
A. On FG-1 port1, the ftm access protocol must be enabled.
B. FAC-1 must have an internet routable IP address for push notifications.
C. On FG-1 CLI, the ftm-push server setting must point to 100.64.1.41.
D. On FAC-1, the FortiToken public IP setting must point to 100.64.1.41.
Explanation: FortiToken push notifications require that the FortiAuthenticator has an
internet routable IP address. This is because the FortiAuthenticator uses this IP address to
send push notifications to the FortiGate.
The other options are not correct. Enabling the ftm access protocol on FG-1 port1 is not
necessary for push notifications to work. The ftm-push server setting on FG-1 CLI should
already point to the FortiAuthenticator's IP address. The FortiToken public IP setting on FAC-1 is not relevant to push notifications.
Refer to the exhibit, which shows a VPN topology.

The device with IP 10.1.100.40 downloads a file from the FTP server with IP 192.168.4.50.
Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this
environment?
A. All the session traffic will pass through the Hub
B. The TCP port 21 must be allowed on the NAT Device2
C. ADVPN is not supported when spokes are behind NAT
D. Spoke1 will establish an ADVPN shortcut to Spoke2
Explanation: D is correct because Spoke1 will establish an ADVPN shortcut to Spoke2 when it detects that there is a demand for traffic between them. This is explained in the Fortinet Community article on Technical Tip: Fortinet Auto Discovery VPN (ADVPN) under Summary - ADVPN sequence of events.
Refer to the exhibit showing a firewall policy configuration.

To prevent unauthorized access of their cloud assets, an administrator wants to enforce
authentication on firewall policy ID 1.
What change does the administrator need to make?
A. Option A
B. Option B
C. Option C
D. Option D
Explanation: The firewall policy in the exhibit allows all traffic from the internal network to
the cloud. To enforce authentication on this traffic, the administrator needs to add the
auth-on-demand option to the policy. This option will force all users to authenticate before they are allowed to access the cloud.
The following is the correct configuration (the policy block is shown complete, with the
closing next/end that the FortiOS CLI requires):
    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "all"
            set action accept
            set auth-on-demand enable
        next
    end
Refer to the exhibit.

You have deployed a security fabric with three FortiGate devices as shown in the exhibit.
FGT_2 has the following configuration:

FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the
synchronization of fabric-objects?
A. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
B. Objects from the root FortiGate will only be synchronized to FGT_2.
C. Objects from the root FortiGate will not be synchronized to any downstream FortiGate.
D. Objects from the root FortiGate will only be synchronized to FGT_3.
Explanation: The fabric-object-unification setting on FGT_2 is set to local, which means
that objects will not be synchronized to any other FortiGate devices in the security fabric.
The default setting for fabric-object-unification is default, which means that objects will be
synchronized from the root FortiGate to all downstream FortiGate devices.
Since FGT_2 is not the root FortiGate and the fabric-object-unification setting is set to local,
objects from the root FortiGate will not be synchronized to FGT_2.
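The setting the explanation refers to, shown as it is entered in the FortiOS CLI. This is an added example, not taken from the exhibit; the device names are the question's, and the address object name is a constructed placeholder.

```fortios
# On FGT_2 (downstream): keep firewall objects local to this unit, so objects
# pushed from the root FortiGate are not applied here.
config system csf
    set status enable
    set fabric-object-unification local
end

# On FGT_3 (default behaviour): accept objects synchronized from the root.
config system csf
    set status enable
    set fabric-object-unification default
end

# On the root FortiGate: only objects flagged as fabric objects are pushed
# downstream. "Example_Net" is a constructed placeholder name.
config firewall address
    edit "Example_Net"
        set subnet 10.10.0.0 255.255.0.0
        set fabric-object enable
    next
end
```

When checking a fabric, compare `fabric-object-unification` on each downstream unit: a device set to `local` keeps its own copy of every object, so an address or service changed on the root will silently differ on that device, which matters when policies are expected to be consistent across the fabric.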
On a FortiGate configured in transparent mode, which configuration option allows you to
control multicast traffic passing through the FortiGate?
A. Option A
B. Option B
C. Option C
D. Option D
Explanation: To control multicast traffic passing through a FortiGate configured in transparent mode, you can use multicast policies. Multicast policies allow you to filter multicast traffic based on source and destination addresses, protocols, and interfaces. You can also apply security profiles to scan multicast traffic for threats and violations.
A remote worker requests access to an SSH server inside the network. You deployed a
ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this
traffic.
Which two statements are true regarding the requirements? (Choose two.)
A. FortiGate can perform SSH access proxy host-key validation.
B. You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
C. SSH traffic is tunneled between the client and the access proxy over HTTPS.
D. Traffic is discarded as ZTNA does not support SSH connection rules.
Explanation: ZTNA supports SSH connection rules that allow remote workers to access SSH servers inside the network through an HTTPS tunnel between the client and the access proxy (FortiGate). The access proxy acts as an SSH client to connect to the real SSH server on behalf of the user, and performs host-key validation to verify the identity of the server. The user can use any SSH client that supports HTTPS proxy settings, such as PuTTY or OpenSSH.
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer
requirements:

• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
• Public IP address (129.11.1.100) is assigned to port1
• Datacenter.acmecorp.com resolves to the public IP address assigned to port1
The customer has a Let's Encrypt certificate that is going to expire soon and reports that
subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve
this issue?
A. Option A
B. Option B
C. Option C
D. Option D
Explanation: The customer's SSLVPN Portal is currently configured to use a self-signed
certificate. This means that the certificate is not trusted by any browsers, and users will
have to accept a security warning before they can connect to the portal.
To resolve this issue, the customer needs to configure the FortiGate to use a Let's Encrypt
certificate. Let's Encrypt is a free certificate authority that provides trusted certificates for
websites and other applications.
The configuration change in option B will configure the FortiGate to use a Let's Encrypt
certificate for the SSLVPN Portal. This will allow users to connect to the portal without
having to accept a security warning.
The other configuration changes are not necessary to resolve the issue. Option A will
configure the FortiGate to use a different port for the SSLVPN Portal, but this will not
resolve the issue with the self-signed certificate. Option C will configure the FortiGate to
use a different DNS name for the SSLVPN Portal, but this will also not resolve the issue
with the self-signed certificate. Option D will configure the FortiGate to use a different
certificate authority for the SSLVPN Portal, but this will also not resolve the issue because
the customer still needs to use a trusted certificate.
Refer to the exhibit.

You are deploying a FortiGate 6000F. The device should be directly connected to a switch.
In the future, a new hardware module providing higher speed will be installed in the switch,
and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect
any other port when the new module is installed and the new port speed is defined.
How should the initial connection be made?
A. Connect the switch on any interface between ports 21 to 24
B. Connect the switch on any interface between ports 25 to 28
C. Connect the switch on any interface between ports 1 to 4
D. Connect the switch on any interface between ports 5 to 8.
Explanation: The FortiGate 6000F has 24 1/10/25-Gbps SFP28 data network interfaces (1
to 24). These interfaces are divided into the following interface groups: 1 to 4, 5 to 8, 9 to
12, 13 to 16, 17 to 20, and 21 to 24. The ports 25 to 28 are 40/100-Gbps QSFP28 data
network interfaces.
The initial connection should be made to any interface between ports 1 to 4. This is
because the ports 21 to 24 are part of the same interface group, and changing the speed of
one of these ports will affect the speeds of all of the ports in the group. The ports 5 to 8 are
also part of the same interface group, so they should not be used for the initial connection.
The new hardware module that will be installed in the switch will provide higher speed
ports. When this module is installed, the speed of the ports 21 to 24 will be increased.
However, this will not affect the ports 1 to 4, because they are not part of the same
interface group.
Therefore, the initial connection should be made to any interface between ports 1 to 4, in
order to ensure that the FortiGate interface connected to the switch does not affect any
other port when the new module is installed and the new port speed is defined.
Refer to the exhibit.

FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this
template? (Choose two.)
A. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
B. The template will work if you change the variable format to $(WAN).
C. The template will work if you change the variable format to {{ WAN }}.
D. The administrator must first manually map the interface for each device with a meta field.
E. The template will fail because this configuration can only be applied with a CLI or TCL script.
Explanation: D. The administrator must first manually map the interface for each device
with a meta field.
The Jinja template in the exhibit is expecting a meta field called WAN to be set on the
managed FortiGate. This meta field will specify which interface on the FortiGate should be
assigned the "WAN" role. If the meta field is not set, then the template will fail.
E. The template will fail because this configuration can only be applied with a CLI or TCL
script.
The Jinja template in the exhibit is trying to configure the interface role on the managed
FortiGate. This type of configuration can only be applied with a CLI or TCL script. The Jinja
template will fail because it is not a valid CLI or TCL script.
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by
the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead
on the device for WAN traffic.
Which action achieves the requirement in this scenario?
A. Add a switch between the FortiGate and FEX.
B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
C. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode.
D. Add a VLAN under the FEX-WAN interface on the FortiGate.
Explanation: VLAN Mode is a more efficient way to connect a FortiExtender to a FortiGate
than CAPWAP Mode. This is because VLAN Mode does not require the FortiExtender to
send additional control traffic to the FortiGate.
The other options are not correct.
A. Add a switch between the FortiGate and FEX. This will add overhead to the
network, as the switch will need to process the traffic.
B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
This will increase the overhead on the FortiGate, as it will need to process
additional control traffic.
D. Add a VLAN under the FEX-WAN interface on the FortiGate. This will not affect
the overhead on the FortiGate.
Which feature must you enable on the BGP neighbors to accomplish this goal?
A. Graceful-restart
B. Deterministic-med
C. Synchronization
D. Soft-reconfiguration
Explanation: Graceful-restart is a feature that allows BGP neighbors to maintain their routing information during a BGP restart or failover event, without disrupting traffic forwarding or causing route flaps. Graceful-restart works by allowing a BGP speaker (the restarting router) to notify its neighbors (the helper routers) that it is about to restart or failover, and request them to preserve their routing information and forwarding state for a certain period of time (the restart time). The helper routers then mark the routes learned from the restarting router as stale, but keep them in their routing table and continue forwarding traffic based on them until they receive an end-of-RIB marker from the restarting router or until the restart time expires. This way, graceful-restart can minimize traffic disruption and routing instability during a BGP restart or failover event.
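The graceful-restart behaviour described above is enabled per BGP process and advertised per neighbor. The following FortiOS CLI configuration is an added example, not from the exhibit or the question; the AS numbers, router ID and neighbor address are constructed placeholders.

```fortios
config router bgp
    set as 65001
    set router-id 10.0.0.1
    # Announce the graceful-restart capability and act as helper for peers.
    set graceful-restart enable
    # Restart time advertised to peers: how long helpers keep stale routes
    # before the restarting router is expected to re-establish the session.
    set graceful-restart-time 120
    # Upper bound on how long stale paths are retained after a restart.
    set graceful-stalepath-time 360
    config neighbor
        edit "10.0.0.2"
            set remote-as 65002
            # Negotiate the capability with this specific neighbor.
            set capability-graceful-restart enable
        next
    end
end
```

Both sides must negotiate the capability; if the neighbor does not enable it, the restarting router's routes are withdrawn immediately on session loss and the helper behaviour described in the explanation does not apply.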
Refer to the exhibit.

The exhibit shows the forensics analysis of an event detected by the FortiEDR core.
In this scenario, which statement is correct regarding the threat?
A. This is an exfiltration attack and has been stopped by FortiEDR.
B. This is an exfiltration attack and has not been stopped by FortiEDR.
C. This is a ransomware attack and has not been stopped by FortiEDR.
D. This is a ransomware attack and has been stopped by FortiEDR.
Explanation: The exhibit shows that the FortiEDR core has detected an exfiltration attack.
The attack is attempting to copy files from the device to an external location. The FortiEDR
core has blocked the attack, and the files have not been exfiltrated.
The exhibit also shows that the attack is using the Cobalt Strike beacon. Cobalt Strike is a
penetration testing tool that can be used for both legitimate and malicious purposes. In this
case, the Cobalt Strike beacon is being used to exfiltrate files from the device.
The other options are incorrect. Option A is incorrect because the attack has not been stopped. Option C is incorrect because the attack is not a ransomware attack. Option D is
incorrect because the FortiEDR core has not stopped the attack.