Question 1: Why should a user prefer a security protocol over a non secured one?

 It provides Quality of Service (QoS).

 it adds segmentation.
 It adds confidentiality.
 It provides lower latency.
Question 2: What was missing in the early sandbox generation? (Choose two.)
 An integration with other security devices
 Automation and artificial intelligence
 An isolated environment to test unknown files
 A zero-day attacks detection
Question 3: How can a security engineer secure switching and ports?
 By configuring an application layer gateway
 By configuring firewall policies
 By configuring Network Address Translation (NAT) filtering
 By configuring static or sticky Media Access Control (MAC) address entries in the Content
Addressable Memory (CAM) table
Question 4: Why is Fortinet Security Fabric an example of centralized security network management?
(Choose two.)
 It can operate only locally.
 It has a broad view of the security with an end to end visibility.
 It can communicate with other devices through Application Programming Interfaces (APIs) or
fabric connectors.
 All tasks and configurations are manual.
Question 5: Which network is enclosed by the security perimeter?
 The Demilitarized Zone (DMZ)
 The trusted network
 The Local Area Network (LAN) only
 The Wide Area Network (WAN)
Question 6: how can a security architect better control and protect the east-west traffic in a DeMilitarized
Zone (DMZ)?
 Through Simple Network Management Protocol (SNMP)
 Through centralized security management
 Through micro-segmentation
 Through traffic shaping
Question 7: Why would a security architect segment a network? (Choose two.)
 To reduce the network congestions and broadcasts
 To limit the attacks to the specific segment without contaminating all the network
 To facilitate the management access through a connection to each device in the network
 To increase the scope of compliance to the complete network
Question 8: What are objectives of Software Defined Wide Area Network (SD-WAN)? (Choose two.)
 Lower latency
 Increase data protection
 Greater reliability
 Lower Quality of Service (QoS)
Question 9: Which principles are part of the Zero-Trust security model? (Choose two.)
 Assume that your network is breached
 Implement least privilege
  Reduce DeMilitarized Zone (DMZ) surface
 Trust only your Local Area Network (LAN)
Question 10: Why knowing the source IPs of an attack may not be relevant? (Choose two.)
 Source IPs can be forked.
 Attackers can use zero-day attacks.
 Source IPs can be spoofed.
 Attackers can use botnets.
Question 11: When implementing Zero-Trust security, which benefits do you expect? (Choose two.)
 A defined trusted zone
 Tighter restrictions to access resources
 Proofs of trust
 No micro-segmentation
Question 12: Which challenges brought the evolution from a network model with a single, dedicated
service provider to Software Defined Wide Area Network (SD-WAN)? (Choose two.)
 Reliability
 Demand for more cloud applications and services
 Data protection
 Compliance requirements
Question 13: Which implementation should be done by a security architect to limit network threats in a
network? (Choose two.)
 Zero trust
 Centralized network management
 Network segmentation
 Software Defined Wide Area Network (SD-WAN)
Question 14: What does Secure Multipurpose Internet Mail Extensions (S/MIME) bring over MIME?
(Choose two.)
 Integrity with remote access
 repudiation with private connection
 Confidentiality with encryption
 Authentication with digital signature
Question 15: Why may a security architect add a sandbox in a network? (Choose two.)
 To share threat intelligence with other security devices
 To stop known threats like a honeypot
 To provide authentication
 To detect zero day attacks
Question 16: When implementing a data fabric architecture, which benefits do you expect? (Choose two.)
 The monitoring and data management is centrally governed.
 The attack surface is reduced.
 The different parts of the security network are linked.
 The authentication is enforced.
Question 17: What are two core capabilities of Secure Access Service Edge (SASE)? (Choose two.)
 Simple Network Management Protocol (SNMP)
 Zero-Trust network access
 Traffic shaping
 Data loss prevention
Question 18: View the following exhibit:In this SD-WAN environment, what does the red line represent?
 An overlay network
  An underlay network
 A physical network
 A Wide Area Network (WAN)
Question 19: A security compliance audit must take place. Which implementation can simplify it?
 Centralized security management
 Simple Network Management Protocol (SNMP)
 Application Programming Interface (API)
 Artificial Intelligence
Question 20: Which application could provide the list of open ports to a security engineer, so the
unnecessary ones can be closed?
 Syslog
 Machine Learning
 Sandbox
 Network mapper (nmap)
Question 21: View the following exhibit: What will be at least checked by the firewall upon receiving the
server reply packet?
 The packet five-tuple
 The firewall session table
 If the implicit firewall policy is set to allow
 Nothing when the packet is encrypted
Question 22: Which required capabilities are included in Secure Access Service Edge (SASE)? (Choose two.)
 Network-as-a-Service
 Software-as-a-Service
 Security-as-a-Service
 Platform-as-a-Service
Question 23: What are the benefits for a bank in taking a Next Generation FireWall (NGFW) to secure its
network? (Choose two.)
 Further analysis can be performed with a sandbox.
 An artificial intelligence performs all the security checkpoints.
 Malicious content is checked through Deep Packet Inspection (DPI).
 Machine learning configures automatically micro-segmentation.
Question 24: A security architect would like to add in a network a device able to understand the
application layers protocols. Which device should be added?
 A Next Generation FireWall (NGFW)
 A packet filter firewall
 A stateful firewall
 A stateless firewall
Question 25: How could the traffic be filtered at the security perimeter? (Choose two.)
 By performing traffic shaping
 By acting as an application layer gateway
 By logging the incoming traffic
 By performing packet filtering at transport layer
Question 26: A network architect must implement security in a network including Internet of Things (IoT),
Bring your own Device (ByoD), and cloud-based workstations. Which model should the architect put in
place?
 Packet filtering
  Security perimeter
 Network Address Translation (NAT) filtering
 Zero trust
Question 27: Why should a security engineer secure a switch? (Choose two.)
 The management access is only available through the default Virtual Local Area Networks (VLAN).
 The management access is only available through the default Media Access Control (MAC) address.
 By default, a switch is vulnerable to broadcast storms.
 By default, port authentication is not configured.
Question 28: What does Secure Access Service Edge (SASE) offer to remote off-net users compared to on-
net?
 Different login credentials to access different systems
 Better software upgrades including security patches
 Real-time analysis of security alerts
 The same security policies no matter their location
Question 29: how can a security architect segment a network? (Choose two.)
 Through Virtual Local Area Networks (VLANs)
 Through Software Defined Wide Area Network (SD-WAN)
 Through a bastion host
 Through a jump box
Question 30: Which type of attack is handled only by the latest sandbox generation?
 AI-driven attacks
 Zero-day attacks
 Attacks exploiting known vulnerabilities
 Fraggle attacks
Question 31: Which protocols should a security engineer disable for management access? (Choose two.)
 Secure Shell protocol (SSH)
 HyperText Transfer Protocol Secure (HTTPS)
 HyperText Transfer Protocol (HTTP)
 Telnet
Question 32: A security architect must put in place the Zero-Trust model in a network. Which methods
could the architect implement? (Choose two.)
 Traffic shaping
 Privilege access management
 The Kipling method
 The Kubernetes method
Question 33: View the following exhibit: How can a security architect secure the switch to reduce a Media
Access Control (MAC) flooding attack performed by the device D?
 By grouping the devices in the same Virtual Local Area Network (VLAN)
 By limiting the number of MAC address entries per switch port
 By grouping the switch ports in the same VLAN
 By limiting the number of IP address entries per VLAN