NSE 4
QUESTION 1
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard
servers.
Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard
servers for live web filtering?
A. set fortiguard-anycast disable
B. set webfilter-force-off disable
C. set webfilter-cache disable
D. set protocol tcp
Correct Answer: A
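Worked example, added here and not part of the original question bank: the CLI sequence that actually moves live web filtering from HTTPS to UDP on a FortiOS 7.x unit. Answer A only unlocks the change. While anycast is enabled the protocol is fixed at HTTPS on port 443, so `set protocol udp` is refused until anycast is disabled; `set protocol tcp` (option D) is not a valid value at all. The port is an assumption (8888 and 53 are the two UDP choices).

```fortios
# Default (secure) state: anycast on, rating lookups over HTTPS/443.
config system fortiguard
    set fortiguard-anycast enable
    set protocol https
    set port 443
end

# Weakened state asked about in the question: anycast must be disabled first,
# only then does the CLI accept UDP, a transport with no delivery guarantee.
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
end
```

Check the result with `diagnose debug rating`, which lists the FortiGuard servers in use together with the protocol and port; a lost UDP rating query shows up as a lookup that waits for the FortiGuard timeout rather than an error.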
QUESTION 2
Refer to the exhibits.
Exhibit A
shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.
Exhibit B
shows the HA configuration and the partial output of the get system ha status command.
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual
MAC address of port2 as source.
B. The traffic sourced from the client and destined to the server is sent to FGT-1.
C. The cluster can load balance ICMP connections to the secondary.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to
the secondary.
Correct Answer: AD
QUESTION 3
Which two types of traffic are managed only by the management VDOM? (Choose two.)
A. FortiGuard web filter queries
B. PKI
C. Traffic shaping
D. DNS
Correct Answer: AD
QUESTION 4
An administrator added a configuration for a new RADIUS server. While configuring, the administrator
selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?
A. This option places the RADIUS server, and all users who can authenticate against that server, into
every FortiGate user group.
B. This option places all FortiGate users and groups required to authenticate into the RADIUS server,
which, in this case, is FortiAuthenticator.
C. This option places all users into every RADIUS user group, including groups that are used for the LDAP
server on FortiGate.
D. This option places the RADIUS server, and all users who can authenticate against that server, into
every RADIUS group.
Correct Answer: A
QUESTION 5
To complete the final step of a Security Fabric configuration, an administrator must authorize all the
devices on which device?
A. FortiManager
B. Root FortiGate
C. FortiAnalyzer
D. Downstream FortiGate
Correct Answer: C (All devices must first be authorized on the root FortiGate; the final step is to
authorize them all on FortiAnalyzer.)
QUESTION 6
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
A. FortiGuard update servers
B. System time
C. Operating mode
D. NGFW mode
Correct Answer: CD
(Settings for each VDOM:
- Op. Mode
- NGFW Mode
- Routes and interfaces
- Firewall Policies)
QUESTION 7
Which statement is correct regarding the inspection of services provided by web applications that are
embedded in third-party websites?
A. The security actions applied on the web applications will also be explicitly applied on the third-party
websites.
B. The application signature database inspects traffic only from the original web application server.
C. FortiGuard maintains only one signature of each web application that is unique.
D. FortiGate can inspect sub-application traffic regardless where it was originated.
Correct Answer: D
QUESTION 8
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer
should start as soon as the user authenticates and expire after the configured value. Which timeout
option should be configured on FortiGate?
A. auth-on-demand
B. soft-timeout
C. idle-timeout
D. new-session
E. hard-timeout
Correct Answer: E (Hard timeout: the time is an absolute value. Regardless of the user's behavior, the
timer starts as soon as the user authenticates and expires after the configured value.)
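Added example, not from the original page: the setting that implements the absolute timer described in the answer. `config user setting` is global on FortiOS; the 480-minute value (8 hours) is an assumed value for illustration, the range is 1 to 1440 minutes.

```fortios
config user setting
    # hard-timeout: absolute; idle-timeout: reset by traffic; new-session: reset by new sessions
    set auth-timeout-type hard-timeout
    set auth-timeout 480
end
```

`diagnose firewall auth list` shows each authenticated user with the remaining timer, which is the quickest way to confirm the type took effect.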
QUESTION 9
Which of the following are valid actions for a FortiGuard category based filter in a web filter profile in
proxy-based inspection mode? (Choose two.)
A. Warning
B. Exempt
C. Allow
D. Learn
Correct Answer: AC
QUESTION 10
QUESTION 11
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
A. FortiCache
B. FortiSIEM
C. FortiAnalyzer
D. FortiSandbox
E. FortiCloud
Correct Answer: BCE
QUESTION 12
Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the
exhibit.
QUESTION 13
Refer to the exhibit.
Based on the raw log, which two statements are correct? (Choose two.)
A. Log severity is set to error on FortiGate.
B. Traffic belongs to the root VDOM.
C. Traffic is blocked because Action is set to DENY in the firewall policy.
D. This is a security log.
Correct Answer: BD (
A. Wrong: the level field in the log is not error.
B. Correct: vd="root".
C. Wrong: msg="URL belongs to a DENIED CATEGORY in policy" means the traffic was blocked by a security
profile (web filter); the action in the firewall policy itself is still ACCEPT.
D. Correct: type="utm" marks a security (UTM) log.)
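An added Python example, not part of the original question, that applies the reasoning in the explanation to raw FortiOS logs: parse the key=value format, then answer the exam's questions from the fields (vd, type, level, action, subtype). Both log lines are constructed for this example, modelled on the fields the explanation quotes; they are not the exhibit. The second line shows the case the explanation contrasts with: a traffic log where the firewall policy itself denied the session.

```python
import re

# Constructed sample logs (not the exhibit): one UTM web-filter block, one policy deny.
UTM_BLOCK_LOG = (
    'date=2024-01-15 time=10:22:31 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=3 action="blocked" '
    'srcip=10.0.1.25 dstip=93.184.216.34 service="HTTPS" hostname="example.com" '
    'profile="default" catdesc="Malicious Websites" '
    'msg="URL belongs to a denied category in policy"'
)
POLICY_DENY_LOG = (
    'date=2024-01-15 time=10:23:02 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.0.1.25 dstip=198.51.100.7 service="SSH" '
    'policyid=0 action="deny" msg="Denied by forward policy check"'
)

# key=value pairs: quoted values may contain spaces, unquoted ones run to whitespace
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict, stripping value quotes."""
    fields = {}
    for key, raw in _KV.findall(line):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        fields[key] = raw[1:-1] if quoted else raw
    return fields


def classify(fields: dict) -> dict:
    """Answer the exam's questions about a log from its fields.

    A block recorded in a traffic log with action=deny comes from the firewall
    policy; a block recorded in a utm log comes from a security profile, and the
    policy that carried the profile was an ACCEPT policy.
    """
    log_type = fields.get("type")
    action = fields.get("action", "")
    if log_type == "traffic" and action == "deny":
        blocked_by = "firewall policy"
    elif log_type == "utm" and action in ("blocked", "block", "dropped"):
        blocked_by = f"security profile ({fields.get('subtype', 'unknown')})"
    else:
        blocked_by = None
    return {
        "security_log": log_type == "utm",
        "vdom": fields.get("vd"),
        "severity": fields.get("level"),
        "blocked_by": blocked_by,
    }


if __name__ == "__main__":
    for line in (UTM_BLOCK_LOG, POLICY_DENY_LOG):
        print(classify(parse_fortios_log(line)))
```

The parser is deliberately tolerant of unquoted numeric fields such as policyid=3, which FortiOS emits without quotes; a parser that only accepts quoted values silently drops exactly the fields these questions turn on.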
QUESTION 14
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
B. FortiGate automatically negotiates a new security association after the existing security association
expires.
C. FortiGate automatically negotiates different encryption and authentication algorithms with the
remote peer.
D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec
tunnel.
Correct Answer: D (I think it's D. Enabling auto-negotiate also enables auto-keepalive by default, which
brings the tunnel up automatically. Answer B is a little bit tricky: auto-negotiate negotiates a new SA
"before" the existing SA expires, not "after" the existing SA expires.)
QUESTION 15
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to
the same physical interface. In this scenario, which two statements about VLAN IDs are true? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same
subnet.
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different.
Correct Answer: BC
QUESTION 16
What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)
A. FortiGate uses fewer resources.
B. FortiGate performs a more exhaustive inspection on traffic.
C. FortiGate adds less latency to traffic.
D. FortiGate allocates two sessions per connection.
Correct Answer: AC (Flow-based inspection examines packets as they pass through the FortiGate, without
buffering the whole file or session the way proxy-based inspection does. It therefore needs less memory
and CPU, and it adds less latency, which matters for real-time applications. The trade-off is that
proxy-based inspection is the more thorough of the two, so B is not a benefit of flow mode, and it is the
proxy that allocates two sessions per connection, so D is not either.)
QUESTION 17
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address
is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN
tunnel to work?
A. Dialup User
B. Static IP Address
C. Pre-shared Key
D. Dynamic DNS
Correct Answer: A (Dialup user is used when the remote peer's IP address is unknown. The remote peer
whose IP address is unknown acts as the dialup client; this is often the case for branch offices and
mobile VPN clients that use a dynamic IP address and have no dynamic DNS.)
QUESTION 18
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When
downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When
downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be
downloaded.
What is the reason for the failed virus detection by FortiGate?
QUESTION 19
Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation
firewall (NGFW)? (Choose two.)
QUESTION 20
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
A. Intrusion prevention system engine
B. Detection engine
C. Flow engine
D. Antivirus engine
Suggested Answer: A
QUESTION 21
Refer to the exhibit.
The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?
A. Enable two-factor authentication
B. Change Administrator profile
C. Change password
D. Enable restrict access to trusted hosts
Suggested Answer: B
FortiGate Security 7.2 Study Guide (p.22):
"By default, there is a special profile named super_admin, which is used by the account named admin.
You can't change it. It provides full access to everything, making the admin account similar to a root
superuser account.The prof_admin is another default profile. It also provides full access, but unlike
super_admin, it applies only to its virtual domain—not the global settings of FortiGate. Also, you can
change its permissions."
QUESTION 22
An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion
prevention system?
A. Enable asymmetric routing, so the RPF check will be bypassed.
B. Disable the RPF check at the FortiGate interface level for the source check.
C. Disable the RPF check at the FortiGate interface level for the reply check.
D. Enable asymmetric routing at the interface level.
Correct Answer: B
B is the answer; be careful, the question is tricky. The NSE guide gives two ways to disable RPF:
1. Enable asymmetric routing (config system settings), which disables RPF checking system-wide for the
VDOM, not at the interface level.
2. Disable RPF checking at the interface level (the only interface-level option, and CLI only).
A is incorrect: enabling asymmetric routing disables RPF rather than bypassing it, and it also disables
the stateful inspection that antivirus and IPS depend on, which the question rules out. B is correct: the
RPF check is disabled on the interface, for the source check. C is incorrect: the interface-level option
is the source check; there is no reply check. D is incorrect: asymmetric routing is not enabled at the
interface level.
QUESTION 23
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true
about the policy list view?
A. Interface Pair view will be disabled.
B. Search option will be disabled.
C. Policy lookup will be disabled.
D. By Sequence view will be disabled.
Suggested Answer: A
QUESTION 24
In which two ways can RPF checking be disabled? (Choose two )
A. Enable anti-replay in firewall policy.
B. Disable the RPF check at the FortiGate interface level for the source check.
C. Disable strict-src-check under system settings.
D. Enable asymmetric routing.
Suggested Answer: BD
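Both methods asked about in Question 22 and Question 24, as an added FortiOS CLI example (not configuration from the original page): the VDOM-wide switch and the per-interface one. The interface name port1 is assumed. A caveat on option C of Question 24: strict-src-check under config system settings only chooses between strict and loose RPF; leaving it disabled (the default) still runs the loose check, so it does not disable RPF.

```fortios
# Method 1 (Question 24, option D): disable RPF for the whole VDOM by allowing
# asymmetric routing. Side effect: stateful inspection is switched off for the
# VDOM, so antivirus and IPS no longer work. Not what Question 22 asks for.
config system settings
    set asymroute enable
end

# Method 2 (Question 22 answer B, Question 24 option B): disable the source
# check on one interface only. Security profiles keep working everywhere else.
config system interface
    edit "port1"
        set src-check disable
    next
end
```

Re-enable with `set src-check enable` (or `set asymroute disable`) once the investigation is over; `diagnose debug flow` output reporting "reverse path check fail" is the symptom both changes make disappear.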
QUESTION 25
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels.
The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which
DPD mode on FortiGate will meet the above requirement?
A. On Demand
B. Disabled
C. On Idle
D. Enabled
Correct Answer: C
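Added example for Question 14 and Question 25, not configuration from the original page: a site-to-site tunnel with DPD in on-idle mode in phase 1 and auto-negotiate in phase 2. Tunnel name, interface, peer address (RFC 5737 documentation range), subnets and the DPD timer values are assumptions; the pre-shared key is a placeholder.

```fortios
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret "replace-with-a-real-psk"
        # on-idle: probes are sent only while no traffic is seen on the tunnel.
        # on-demand: probes are sent only when outbound traffic gets no reply.
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end
config vpn ipsec phase2-interface
    edit "branch-vpn-p2"
        set phase1name "branch-vpn"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
        # Bring the tunnel up without waiting for traffic, keep it up, and
        # renegotiate the SA before the current one expires.
        set auto-negotiate enable
    next
end
```

With on-idle, a peer that is silent for 5 seconds gets a probe; three unanswered probes mark the tunnel down. `diagnose vpn tunnel list` shows the resulting state and the DPD counters per tunnel.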
QUESTION 26
An administrator observes that the port1 interface cannot be configured with an IP address. What can be
the reasons for that? (Choose three.)
A. The interface has been configured for one-arm sniffer.
B. The interface is a member of a virtual wire pair.
C. The operation mode is transparent.
D. The interface is a member of a zone.
E. Captive portal is enabled in the interface.
Suggested Answer: ABC
QUESTION 27
Which two statements are true about the FGCP protocol? (Choose two.)
A. Is used to discover FortiGate devices in different HA groups
B. Runs only over the heartbeat links
C. Elects the primary FortiGate device
D. Not used when FortiGate is in Transparent mode
Suggested Answer: BC
FGCP (FortiGate Clustering Protocol) manages high availability (HA) clusters of FortiGate devices. Two of
its functions:
- It elects the primary FortiGate: FGCP determines which member becomes the primary, the device that
handles traffic and makes the allow/block decisions, using factors such as the device priority.
- It runs only over the heartbeat links: cluster members exchange status and control information over
the dedicated heartbeat links. FGCP does not run over other types of links, such as data links.
QUESTION 28
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering
and application control directly on the security policy. Which two other security profiles can you apply to
the security policy? (Choose two.)
A. Antivirus scanning
B. File filter
C. DNS filter
D. Intrusion prevention
QUESTION 29
Which three methods are used by the collector agent for AD polling? (Choose three.)
A. FortiGate polling
B. NetAPI
C. Novell API
D. WMI
E. WinSecLog
Correct Answer: BDE