Question #53 Section 1
A FortiGate is used as a VPN hub for a number of remote spoke VPN units (Group A) spokes using a phase 1 main mode dial-up tunnel and pre-shared keys. You are asked to establish VPN connectivity for a newly acquired organization's sites for which new devices will be provisioned Group B spokes.
Both existing Group A and new Group B spoke units are dynamically addressed through a single public IP Address on the hub. You are asked to ensure that spokes from Group B have different access permissions than the existing VPN spokes units Group A.
Which two solutions meet the requirements for the new spoke group? (Choose two.)
Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spokes.
Implement a new phase 1 dial-up main mode tunnel with certificate authentication.
Implement a new phase 1 dial-up main mode tunnel with pre-shared keys and XAuth.
Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer ID.
Question #54 Section 1
You configured a firewall policy with only a Web filter profile for accessing the Internet. Access to websites belonging to the "Information Technology" category are blocked and to the "Business" category are allowed. SSL deep inspection is not enabled on this policy.
A user wants to access the website https://www.it-acme.com which presents a certificate with CN=www.acme.com. The it-acme.com domain is categorized as "Information Technology" and the acme.com domain is categorized as "Business".
Which statement regarding this scenario is correct?
The FortiGate is able to read the URL within HTTPS sessions when using SSL certificate inspection so the website will be blocked by the "Information Technology".
The website will be blocked by category "Information Technology" as the SNI takes precedence over the certificate name.
The website will be allowed by category "Business" as the certificate name takes precedence over the URL.
Only with SSL deep inspection enabled will the FortiGate be able to categorized this website.
Question #55 Section 1 Refer to the exhibit.
Central NAT was configured on a FortiGate firewall. A sniffer shows ICMP packets out to a host on the Internet egresses with the port1 IP address instead of the virtual IP (VIP) that was configured
Referring to the exhibit, which configuration change will ensure that ICMP traffic is also translated? A.
Question #56 Section 1
A company has just rolled out new remote sites and now you need to deploy a single firewall policy to all of these sites to allow Internet access using FortiManager. For this particular firewall policy, the source address object is called LAN, but its value will change according to the site the policy is being installed. Which statement about creating the object LAN is correct?
Create a new object called LAN and enable per-device mapping.
Create a new object called LAN and promote it to the global database.
Create a new object called LAN and use it as a variable on a TCL script.
Create a new object called LAN and set meta-fields per remote site.
Question #57 Section 1 Refer to the exhibit.
You are working on FortiGate 61E operating in flow-based inspection mode with various settings optimized for performance. The main Internet firewall policy is using the "default" antivirus profile. You found that some executable virus samples files downloaded over HTTP are not being blocked by the FortiGate.
Referring to the exhibit, how can this be fixed?
Change the set scan-mode configuration to full.
Disable the emulator feature.
Change the set default-db configuration to extreme.
Add set content-disarm enable to the configuration.
Question #58 Section 1 Refer to the exhibit.
An organization has a FortiGate cluster that is connected to two independent ISPs. You must configure the FortiGate failover for a single ISP failure to occur without disruption. Referring to the exhibit, which two FortiGate BGP features are enabled to accomplish this task? (Choose two.)
Question #59 Section 1
A legacy router has been replaced by a FortiGate device. The FortiGate has inherited the management IP address of the router and now the network administrator needs to remove the router from the FortiSIEM configuration.
Which two statements about this operation are true? (Choose two.)
FortiSIEM will move the router device into the Decommission folder.
The router will be completely deleted from the FortiSIEM database.
By default, FortiSIEM can only parser event logs for FortiGate devices.
FortiSIEM will discover a new device for the FortiGate with the same IP.
Question #60 Section 1
You have configured an HA cluster with two FortiGate devices. You want to make sure that you are able to manage the individual cluster members directly using port3.
Referring to the configuration shown, in which two ways can you accomplish this task? (Choose two.)
Create a management VDOM and disable the HA synchronization for this VDOM, assign port3 to this VDOM, then configure specific IPs for port3 on both cluster members.
Configure port3 to be a dedicated HA management interface; then configure specific IPs for port3 on both cluster members.
Allow administrative access in the HA heartbeat interfaces.
Disable the sync feature on port3; then configure specific IPs for port3 on both cluster members.