NSE-4（英文版）認證考試題庫（含答案）

PAGEPAGE1NSE-4（英文版）認證考試題庫（含答案）一、單選題1.TheHTTPinspectionprocessinwebfilteringfollowsaspecificorderwhenmultiplefeaturesareenabledin

Thewebfilterprofile.WhatordermustFortiGateusewhenthewebfilterprofilehasfeaturesenabled,suchas

Safesearch?A、DNS-basedwebfilterandproxy-basedwebfilterB、StaticURLfilter,FortiGuardcategoryfilter,andadvancedfiltersC、Staticdomainfilter,SSLinspectionfilter,andexternalconnectorsfiltersD、FortiGuardcategoryfilterandratingfilter答案：B2.WhichstatementaboutvideofilteringonFortiGateistrue?A、FullSSLInspectionisnotrequired.B、Itisavailableonlyonaproxy-basedfirewallpolicy.C、Itinspectsvideofileshostedonfilesharingservices.D、VideofilteringFortiGuardcategoriesarebasedonwebfilterFortiGuardcategories.答案：B3.Examinethefollowingwebfilteringlog.Whichstatementaboutthelogmessageistrue?A、TheactionforthecategoryGamesissettoblock.B、TheusagequotafortheIPaddress0.hasexpiredC、Thenameoftheappliedwebfilterprofileisdefault.D、Thewebsiteminiclip.matchesastaticURLfilterwhoseactionissettoWarning.答案：C4.AnadministratorhasconfiguredastrictRPFcheckonFortiGate.WhichstatementistrueaboutthestrictRPF

Check?A、ThestrictRPFcheckisrunonthefirstsentandreplypacketofanynewsession.B、StrictRPFchecksthebestroutebacktothesourceusingtheininginterface.C、StrictRPFchecksonlyfortheexistenceofatleastoneactiveroutebacktothesourceusingthe

Ininginterface.D、StrictRPFallowspacketsbacktosourceswithallactiveroutes.答案：B5.WhichCLImandwilldisplaysessionsbothfromclienttotheproxyandfromtheproxytotheservers?A、diagnosewadsessionlistB、diagnosewadsessionlist|grephook-pre&&hook-outC、diagnosewadsessionlist|grephook=pre&&hook=outD、diagnosewadsessionlist|grep"hook=pre"&"hook=out"答案：A6.WhatistheprimaryFortiGateelectionprocesswhentheHAoverridesettingisdisabled?A、Connectedmonitoredports>Systemuptime>Priority>FortiGateSerialnumberB、Connectedmonitoredports>HAuptime>Priority>FortiGateSerialnumberC、Connectedmonitoredports>Priority>HAuptime>FortiGateSerialnumberD、Connectedmonitoredports>Priority>Systemuptime>FortiGateSerialnumber答案：B7.Refertothewebfilterrawlogs.

Basedontherawlogsshownintheexhibit,whichstatementiscorrect?A、Socialnetworkingwebfiltercategoryisconfiguredwiththeactionsettoauthenticate.B、TheactiononfirewallpolicyID1issettowarning.C、Accesstothesocialnetworkingwebfiltercategorywasexplicitlyblockedtoallusers.D、Thenameofthefirewallpolicyisall_users_web.答案：A8.AnadministratorhasconfiguredoutgoingInterfaceanyinafirewallpolicy.Whichstatementistrueaboutthe

Policylistview?A、Policylookupwillbedisabled.B、BySequenceviewwillbedisabled.C、SearchoptionwillbedisabledD、InterfacePairviewwillbedisabled.答案：D9.WhichcertificatevaluecanFortiGateusetodeterminetherelationshipbetweentheissuerandthecertificate?A、SubjectKeyIdentifiervalueB、SMMIECapabilitiesvalueC、SubjectvalueD、SubjectAlternativeNamevalue答案：A10.ExaminetheIPSsensorconfigurationshownintheexhibit,andthen答案thequestionbelow.AnadministratorhasconfiguredtheWINDOWS_SERVERSIPSsensorinanattempttodeterminewhethertheinfluxofHTTPStrafficisanattackattemptornot.AfterapplyingtheIPSsensor,FortiGateisstillnotgeneratinganyIPSlogsfortheHTTPStraffic.Whatisapossiblereasonforthis?A、TheIPSfilterismissingtheProtocol:HTTPSoption.B、TheHTTPSsignatureshavenotbeenaddedtothesensor.C、ADoSpolicyshouldbeused,insteadofanIPSsensor.D、ADoSpolicyshouldbeused,insteadofanIPSsensor.E、ThefirewallpolicyisnotusingafullSSLinspectionprofile.答案：E11.IftheIssuerandSubjectvaluesarethesameinadigitalcertificate,whichtypeofentitywasthecertificateissuedto?A、ACRLB、ApersonC、AsubordinateCAD、ArootCA答案：D12.WhichcertificatevaluecanFortiGateusetodeterminetherelationshipbetweentheissuerandthecertificate?A、SubjectKeyIdentifiervalueB、SMMIECapabilitiesvalueC、SubjectvalueD、SubjectAlternativeNamevalue答案：A13.AFortiGateisoperatinginNATmodeandconfiguredwithtwovirtualLAN(VLAN)subinterfacesaddedtothephysicalinterface.WhichstatementsabouttheVLANsubinterfacescanhavethesameVLANID,onlyiftheyhaveIPaddressesindifferentsubnets.A、ThetwoVLANsubinterfacescanhavethesameVLANID,onlyiftheyhaveIPaddressesindifferentsubnets.B、ThetwoVLANsubinterfacesmusthavedifferentVLANIDs.C、ThetwoVLANsubinterfacescanhavethesameVLANID,onlyiftheybelongtodifferentVDOMs.D、ThetwoVLANsubinterfacescanhavethesameVLANID,onlyiftheyhaveIPaddressesinthesamesubnet.答案：B14.WhichofstatementistrueaboutSSLVPNwebmode?A、Thetunnelisupwhiletheclientisconnected.B、Itsupportsalimitednumberofprotocols.C、TheexternalnetworkapplicationsendsdatathroughtheVPN.D、ItassignsavirtualIPaddresstotheclient.答案：B15.WhichscanningtechniqueonFortiGatecanbeenabledonlyontheCLI?A、HeuristicsscanB、TrojanscanC、AntivirusscanD、Ransomwarescan答案：A16.Refertotheexhibit.

Theexhibitcontainsanetworkdiagram,virtualIP,IPpool,andfirewallpoliciesconfiguration.

TheWAN(port1)interfacehastheIPaddress/24.

TheLAN(port3)interfacehastheIPaddress10..0.1.254./24.

ThefirstfirewallpolicyhasNATenabledusingIPPool.

ThesecondfirewallpolicyisconfiguredwithaVIPasthedestinationaddress.

WhichIPaddresswillbeusedtosourceNATtheinternettrafficingfromaworkstationwiththeIPaddress0?A、.B、.C、00.D、0.答案：A17.AnadministratorwantstoconfigureDeadPeerDetection(DPD)onIPSECVPNfordetectingdeadtunnels.

TherequirementisthatFortiGatesendsDPDprobesonlywhennotrafficisobservedinthetunnel.

WhichDPDmodeonFortiGatewillmeettheaboverequirement?A、DisabledB、OnDemandC、EnabledD、OnIdle答案：D18.WhichstatementaboutvideofilteringonFortiGateistrue?A、VideofilteringFortiGuardcategoriesarebasedonwebfilterFortiGuardcategories.B、ItdoesnotrequireaseparateFortiGuardlicense.C、FullSSLinspectionisnotrequired.D、Otisavailableonlyonaproxy-basedfirewallpolicy.答案：B19.Refertotheexhibit.

Examinetheintrusionpreventionsystem(IPS)diagnosticmand.

WhichstatementiscorrectIfoption5wasusedwiththeIPSdiagnosticmandandtheoutewasa

DecreaseintheCPUusage?A、TheIPSenginewasinspectinghighvolumeoftraffic.B、TheIPSenginewasunabletopreventanintrusionattack.C、TheIPSenginewasblockingalltraffic.D、TheIPSenginewillcontinuetoruninanormalstate.答案：A20.WhichCLImandwilldisplaysessionsbothfromclienttotheproxyandfromtheproxytotheservers?A、diagnosewadsessionlistB、diagnosewadsessionlist|grephook-pre&&hook-outC、diagnosewadsessionlist|grephook=pre&&hook=outD、diagnosewadsessionlist|grep"hook=pre"&"hook=out"答案：A21.ExaminethisFortiGateconfiguration:Examinetheoutputofthefollowingdebugmand:Basedonthediagnosticoutputsabove,howistheFortiGatehandlingthetrafficfornewsessionsthatrequireinspection?A、Itisallowed,butwithnoinspectionB、ItisallowedandinspectedaslongastheinspectionisflowbasedC、Itisdropped.D、Itisallowedandinspected,aslongastheonlyinspectionrequiredisantivirus.答案：C22.Refertothewebfilterrawlogs.Basedontherawlogsshownintheexhibit,whichstatementiscorrect?A、Socialnetworkingwebfiltercategoryisconfiguredwiththeactionsettoauthenticate.B、TheactiononfirewallpolicyID1.issettowarning.C、Accesstothesocialnetworkingwebfiltercategorywasexplicitlyblockedtoallusers.D、Thenameofthefirewallpolicyisall_users_web.答案：A23.Refertotheexhibit.

Whichcontainsanetworkdiagramandroutingtableoutput.

TheStudentisunabletoaccessWebserver.

Whatisthecauseoftheproblemandwhatisthesolutionfortheproblem?A、ThefirstpacketsentfromStudentfailedtheRPFcheck.

Thisissuecanberesolvedbyaddingastaticrouteto/24throughwan1.B、ThefirstreplypacketforStudentfailedtheRPFcheck.

Thisissuecanberesolvedbyaddingastaticrouteto/24throughwan1.C、ThefirstreplypacketforStudentfailedtheRPFcheck.

Thisissuecanberesolvedbyaddingastaticrouteto4/32throughport3.D、ThefirstpacketsentfromStudentfailedtheRPFcheck.答案：D24.WhichfeatureintheSecurityFabrictakesoneormoreactionsbasedoneventtriggers?A、FabricConnectorsB、AutomationStitchesC、SecurityRatingD、LogicalTopology答案：B25.Refertotheexhibitstoviewthefirewallpolicy(ExhibitA)andtheantivirusprofile(ExhibitB).

Whichstatementiscorrectifauserisunabletoreceiveablockreplacementmessagewhendownloadingan

Infectedfileforthefirsttime?A、Thefirewallpolicyperformsthefullcontentinspectiononthefile.B、Theflow-basedinspectionisused,whichresetsthelastpackettotheuser.C、ThevolumeoftrafficbeinginspectedistoohighforthismodelofFortiGate.D、Theintrusionpreventionsecurityprofileneedstobeenabledwhenusingflow-basedinspectionmode.答案：B26.AnetworkadministratorisconfiguringanewIPsecVPNtunnelonFortiGate.TheremotepeerIPaddressisdynamic.Inaddition,theremotepeerdoesnotsupportadynamicDNSupdateservice.WhattypeofremotegatewayshouldtheadministratorconfigureonFortiGateforthenewIPsecVPNtunneltowork?A、StaticIPAddressB、DialupUserC、DynamicDNSD、Pre-sharedKey答案：B27.Refertotheexhibit,whichcontainsasessiondiagnosticoutput.

Whichstatementistrueaboutthesessiondiagnosticoutput?A、ThesessionisaUDPunidirectionalstate.B、ThesessionisinTCPESTABLISHEDstate.C、ThesessionisabidirectionalUDPconnection.D、ThesessionisabidirectionalTCPconnection.答案：C28.Refertotheexhibit.Examinetheintrusionpreventionsystem(IPS)diagnosticmand.

WhichstatementiscorrectIfoption5.wasusedwiththeIPSdiagnosticmandandtheoutewasadecreaseintheCPUusage?A、TheIPSenginewasinspectinghighvolumeoftraffic.B、TheIPSenginewasunabletopreventanintrusionattack.C、TheIPSenginewasblockingalltraffic.D、TheIPSenginewillcontinuetoruninanormalstate.答案：A29.WhydoesFortiGateKeepTCPsessionsinthesessiontableforseveralseconds,evenafterbothsides(client

Andserver)haveterminatedthesession?A、Toallowforout-of-orderpacketsthatcouldarriveaftertheFIN/ACKpacketsB、TofinishanyinspectionoperationsC、ToremovetheNAToperationD、Togeneratelogs答案：A30.AnetworkadministratorhasenabledfullSSLinspectionandwebfilteringonFortiGate.Whenvisitingany

HTTPSwebsites,thebrowserreportscertificatewarningerrors.WhenvisitingHTTPwebsites,thebrowser

Doesnotreporterrors.

Whatisthereasonforthecertificatewarningerrors?A、Thebrowserrequiresasoftwareupdate.B、FortiGatedoesnotsupportfullSSLinspectionwhenwebfilteringisenabled.C、TheCAcertificatesetontheSSL/SSHinspectionprofilehasnotbeenimportedintothebrowser.D、Therearenetworkconnectivityissues.答案：C31.Refertotheexhibit.

TheglobalsettingsonaFortiGatedevicemustbechangedtoalignwithpanysecuritypolicies.Whatdoes

TheAdministratoraccountneedtoaccesstheFortiGateglobalsettings?A、ChangepasswordB、EnablerestrictaccesstotrustedhostsC、ChangeAdministratorprofileD、Enabletwo-factorauthentication答案：C32.Which

Statementiscorrectregardingtheinspectionofsomeoftheservicesavailablebywebapplicationsembedded

Inthird-partywebsites?A、Thesecurityactionsappliedonthewebapplicationswillalsobeexplicitlyappliedonthethird-partywebsites.B、Theapplicationsignaturedatabaseinspectstrafficonlyfromtheoriginalwebapplicationserver.C、FortiGuardmaintainsonlyonesignatureofeachwebapplicationthatisunique.D、FortiGatecaninspectsub-applicationtrafficregardlesswhereitwasoriginated.答案：D33.OnFortiGate,whichtypeoflogsrecordinformationabouttrafficdirectlytoandfromtheFortiGate

ManagementIPaddresses?A、SystemeventlogsB、ForwardtrafficlogsC、LocaltrafficlogsD、Securitylogs答案：C34.Refertotheexhibit.

AnadministratoraddedaconfigurationforanewRADIUSserver.Whileconfiguring,theadministrator

SelectedtheIncludeineveryusergroupoption.

WhatistheimpactofusingtheIncludeineveryusergroupoptioninaRADIUSconfiguration?A、ThisoptionplacestheRADIUSserver,andalluserswhocanauthenticateagainstthatserver,intoevery

FortiGateusergroup.B、ThisoptionplacesallFortiGateusersandgroupsrequiredtoauthenticateintotheRADIUSserver,

Which,inthiscase,isFortiAuthenticator.C、ThisoptionplacesallusersintoeveryRADIUSusergroup,includinggroupsthatareusedfortheLDAP

ServeronFortiGate.D、ThisoptionplacestheRADIUSserver,andalluserswhocanauthenticateagainstthatserver,intoevery

RADIUSgroup.答案：A35.Refertotheexhibits.

TheSSLVPNconnectionfailswhenauserattemptstoconnecttoit.Whatshouldtheuserdotosuccessfully

ConnecttoSSLVPN?A、ChangetheSSLVPNportontheclient.B、ChangetheServerIPaddress.C、Changetheidle-timeout.D、ChangetheSSLVPNportaltothetunnel.答案：A36.Refertotheexhibittoviewtheapplicationcontrolprofile.UserswhouseAppleFaceTimevideoconferencesareunabletosetupmeetings.Inthisscenario,whichstatementistrue?A、AppleFaceTimebelongstothecustommonitoredfilter.B、ThecategoryofAppleFaceTimeisbeingmonitored.C、AppleFaceTimebelongstothecustomblockedfilter.D、ThecategoryofAppleFaceTimeisbeingblocked.答案：C37.Refertotheexhibittoviewthefirewallpolicy.Whichstatementiscorrectifwell-knownvirusesarenotbeingblocked?A、Thefirewallpolicydoesnotapplydeepcontentinspection.B、Thefirewallpolicymustbeconfiguredinproxy-basedinspectionmode.C、Theactiononthefirewallpolicymustbesettodeny.D、Webfiltershouldbeenabledonthefirewallpolicytoplementtheantivirusprofile.答案：A38.WhichSecurityratingscorecardhelpsidentifyconfigurationweaknessandbestpracticeviolationsinyournetwork?A、FabricCoverageB、AutomatedResponseC、SecurityPostureD、Optimization答案：C39.WhichfeatureintheSecurityFabrictakesoneormoreactionsbasedoneventtriggers?A、FabricConnectorsB、AutomationStitchesC、SecurityRatingD、LogicalTopology答案：B40.AnetworkadministratorhasenabledfullSSLinspectionandwebfilteringonFortiGate.WhenvisitinganyHTTPSwebsites,thebrowserreportscertificatewarningerrors.WhenvisitingHTTPwebsites,thebrowserdoesnotreporterrors.Whatisthereasonforthecertificatewarningerrors?A、Thebrowserrequiresasoftwareupdate.B、FortiGatedoesnotsupportfullSSLinspectionwhenwebfilteringisenabled.C、TheCAcertificatesetontheSSL/SSHinspectionprofilehasnotbeenimportedintothebrowser.D、Therearenetworkconnectivityissues.答案：C41.Ateammanagerhasdecidedthat,whilesomemembersoftheteamneedaccesstoaparticularwebsite,the

MajorityoftheteamdoesnotWhichconfigurationoptionisthemosteffectivewaytosupportthisrequest?A、ImplementawebfiltercategoryoverrideforthespecifiedwebsiteB、ImplementaDNSfilterforthespecifiedwebsite.C、ImplementwebfilterquotasforthespecifiedwebsiteD、Implementwebfilterauthenticationforthespecifiedwebsite.答案：D42.WhichtimeoutsettingcanberesponsiblefordeletingSSLVPNassociatedsessions?A、SSLVPNidle-timeoutB、SSLVPNhttp-request-body-timeoutC、SSLVPNlogin-timeoutD、SSLVPNdtls-hello-timeout答案：A43.Refertotheexhibits.ExhibitAExhibitBAnadministratorcreatesanewaddressobjectontherootFortiGate(Local-FortiGate)inthesecurityfabric.Aftersynchronization,thisobjectisnotavailableonthedownstreamFortiGate(ISFW).Whatmusttheadministratordotosynchronizetheaddressobject?A、ChangethecsfsettingonLocal-FortiGate(root)tosecconfiguration-synclocal.B、ChangethecsfsettingonISFW(downstream)tosecconfiguracion-synclocal.C、ChangethecsfsettingonLocal-FortiGate(root)tosecfabric-objecc-unificaciondefaulc.D、ChangethecsfsettingonISFW(downstream)tosecfabric-objecc-unificaciondefaulc.答案：A44.WhatisthelimitationofusingaURLlistandapplicationcontrolonthesamefirewallpolicy,inNGFW

Policy-basedmode?A、ItlimitsthescanningofapplicationtraffictotheDNSprotocolonly.B、Itlimitsthescanningofapplicationtraffictouseparentsignaturesonly.C、Itlimitsthescanningofapplicationtraffictothebrowser-basedtechnologycategoryonly.D、Itlimitsthescanningofapplicationtraffictotheapplicationcategoryonly.答案：D45.hichstatementaboutthepolicyIDnumberofafirewallpolicyistrue?A、ItisrequiredtomodifyafirewallpolicyusingtheCLI.B、Itrepresentsthenumberofobjectsusedinthefirewallpolicy.C、Itchangeswhenfirewallpoliciesarereordered.D、Itdefinestheorderinwhichrulesareprocessed.答案：A46.Examinethetwostaticroutesshownintheexhibit,then答案thefollowingquestion.WhichofthefollowingistheexpectedFortiGatebehaviorregardingthesetworoutestothesamedestination?A、FortiGatewillloadbalancealltrafficacrossbothroutes.B、FortiGatewillusetheport1.routeastheprimarycandidate.C、FortiGatewillroutetwiceasmuchtraffictotheport2.routeD、FortiGatewillonlyactuatetheport1.routeintheroutingtable答案：B47.Refertotheexhibit,whichcontainsastaticrouteconfiguration.AnadministratorcreatedastaticrouteforAmazonWebServices.WhatCLImandmusttheadministratorusetoviewtheroute?A、getrouterinforouting-tableallB、getinternetserviceroutelistC、getrouterinforouting-tabledatabaseD、diagnosefirewallproutelist答案：D48.WhichstatementcorrectlydescribesNetAPIpollingmodefortheFSSOcollectoragent?A、ThecollectoragentusesaWindowsAPItoqueryDCsforuserlogins.B、NetAPIpollingcanincreasebandwidthusageinlargenetworks.C、Thecollectoragentmustsearchsecurityeventlogs.D、TheNetSessionEnumfunctionisusedtotrackuserlogouts.答案：D49.WhatinspectionmodedoesFortiGateuseifitisconfiguredasapolicy-basednext-generationfirewall

(NGFW)?A、FullContentinspectionB、Proxy-basedinspectionC、CertificateinspectionD、Flow-basedinspection答案：D50.AnadministratordoesnotwanttoreportthelogoneventsofserviceaccountstoFortiGate.Whatsettingonthecollectoragentisrequiredtoachievethis?A、AddthesupportofNTLMauthentication.B、AdduseraccountstoActiveDirectory(AD).C、AdduseraccountstotheFortiGategroupfitter.D、AdduseraccountstotheIgnoreUserList.答案：D51.Whichstatementregardingthefirewallpolicyauthenticationtimeoutistrue?A、Itisanidletimeout.TheFortiGateconsidersausertobe"idle"ifitdoesnotseeanypacketsingfromtheuser'ssourceIP.B、Itisahardtimeout.TheFortiGateremovesthetemporarypolicyforauser'ssourceIPaddressafterthistimerhasexpired.C、Itisanidletimeout.TheFortiGateconsidersausertobe"idle"ifitdoesnotseeanypacketsingfromtheuser'ssourceMAC.D、Itisahardtimeout.TheFortiGateremovesthetemporarypolicyforauser'ssourceMACaddressafterthistimerhasexpired.答案：A52.Examinethisoutputfromadebugflow:

WhydidtheFortiGatedropthepacket?A、Thenext-hopIPaddressisunreachable.B、ItfailedtheRPFcheck.C、ItmatchedanexplicitlyconfiguredfirewallpolicywiththeactionDENY.D、Itmatchedthedefaultimplicitfirewallpolicy.答案：D53.AnadministratormustdisableRPFchecktoinvestigateanissue.WhichmethodisbestsuitedtodisableRPFwithoutaffectingfeatureslikeantivirusandintrusionpreventionsystem?A、Enableasymmetricrouting,sotheRPFcheckwillbebypassed.B、DisabletheRPFcheckattheFortiGateinterfacelevelforthesourcecheck.C、DisabletheRPFcheckattheFortiGateinterfacelevelforthereplycheck.D、Enableasymmetricroutingattheinterfacelevel.答案：B54.WhichtypeoflogsonFortiGaterecordinformationabouttrafficdirectlytoandfromthe

FortiGatemanagementIPaddresses?A、SystemeventlogsB、ForwardtrafficlogsC、LocaltrafficlogsD、Securitylogs答案：C55.Refertotheexhibit.TheexhibitcontainstheconfigurationforanSD-WANPerformanceSLA,aswellastheoutputofdiagnosesysvirtual-wan-linkhealth-check.Whichinterfacewillbeselectedasanoutgoinginterface?A、port2.B、port4.C、port3.D、port1.答案：D56.Refertotheexhibits.TheSSLVPNconnectionfailswhenauserattemptstoconnecttoit.WhatshouldtheuserdotosuccessfullyconnecttoSSLVPN?A、ChangetheSSLVPNportontheclient.B、ChangetheServerIPaddress.C、Changetheidle-timeout.D、ChangetheSSLVPNportaltothetunnel.答案：A57.WhichscanningtechniqueonFortiGatecanbeenabledonlyontheCLI?A、HeuristicsscanB、TrojanscanC、AntivirusscanD、Ransomwarescan答案：A58.Whenconfiguringafirewallvirtualwirepairpolicy,whichfollowingstatementistrue?A、Onlyasinglevirtualwirepaircanbeincludedineachpolicy.B、Anynumberofvirtualwirepairscanbeincludedineachpolicy,regardlessofthepolicytrafficdirectionsettings.C、Anynumberofvirtualwirepairscanbeincluded,aslongasthepolicytrafficdirectionisthesame.D、Exactlytwovirtualwirepairsneedtobeincludedineachpolicy.答案：A59.WhichstatementaboutthepolicyIDnumberofafirewallpolicyistrue?A、Itchangeswhenfirewallpoliciesarereordered.B、Itrepresentsthenumberofobjectsusedinthefirewallpolicy.C、ItisrequiredtomodifyafirewallpolicyusingtheCLI.D、Itdefinestheorderinwhichrulesareprocessed.答案：C60.Refertotheexhibits.

TheexhibitsshowtheSSLandauthenticationpolicy(ExhibitA)andthesecuritypolicy(ExhibitB)for

Facebook.

UsersaregivenaccesstotheFacebookwebapplication.TheycanplayvideocontenthostedonFacebookbut

Theyareunabletoleavereactionsonvideosorothertypesofposts.

Whichpartofthepolicyconfigurationmustyouchangetoresolvetheissue?A、MakeSSLinspectionneedstobeadeepcontentinspection.B、ForceaccesstoFacebookusingtheHTTPservice.C、Gettheadditionalapplicationsignaturesarerequiredtoaddtothesecuritypolicy.D、AddFacebookintheURLcategoryinthesecuritypolicy.答案：A61.Refertotheexhibit.Theexhibitcontainsanetworkinterfaceconfiguration,firewallpolicies,andaCLIconsoleconfiguration.HowwillFortiGatehandleuserauthenticationfortrafficthatarrivesontheLANinterface?A、Ifthereisafull-throughpolicyinplace,userswillnotbepromptedforauthentication.B、UsersfromtheSalesgroupwillbepromptedforauthenticationandcanauthenticatesuccessfullywiththecorrectcredentials.C、Authenticationisenforcedatapolicylevel;alluserswillbepromptedforauthentication.D、UsersfromtheHRgroupwillbepromptedforauthenticationandcanauthenticatesuccessfullywiththecorrectcredentials.答案：C62.Refertotheexhibit.AnetworkadministratoristroubleshootinganIPsectunnelbetweentwoFortiGatedevices.Theadministratorhasdeterminedthatphase1.statusisup.butphase2.failstoeup.Basedonthephase2.configurationshownintheexhibit,whatconfigurationchangewillbringphase2.up?A、OnHQ-FortiGate,enableAuto-negotiate.B、OnRemote-FortiGate,setSecondsto43200.C、OnHQ-FortiGate,enableDiffie-HellmanGroup2.D、OnHQ-FortiGate,setEncryptiontoAES256.答案：D63.IftheIssuerandSubjectvaluesarethesameinadigitalcertificate,whichtypeofentitywasthecertificate

Issuedto?A、ACRLB、ApersonC、AsubordinateCAD、ArootCA答案：D64.AnadministratorwantstoconfigureDeadPeerDetection(DPD)onIPSECVPNfordetectingdeadtunnels.TherequirementisthatFortiGatesendsDPDprobesonlywhennotrafficisobservedinthetunnel.WhichDPDmodeonFortiGatewillmeettheaboverequirement?A、DisabledB、OnDemandC、EnabledD、OnIdle答案：D65.Examinethisoutputfromadebugflow:WhydidtheFortiGatedropthepacket?A、Thenext-hopIPaddressisunreachable.B、ItfailedtheRPFcheck.C、ItmatchedanexplicitlyconfiguredfirewallpolicywiththeactionDENY.D、Itmatchedthedefaultimplicitfirewallpolicy.答案：D66.TheHTTPinspectionprocessinwebfilteringfollowsaspecificorderwhenmultiplefeaturesareenabledinthewebfilterprofile.WhatordermustFortiGateusewhenthewebfilterprofilehasfeaturesenabled,suchassafesearch?A、DNS-basedwebfilterandproxy-basedwebfilterB、StaticURLfilter,FortiGuardcategoryfilter,andadvancedfiltersC、Staticdomainfilter,SSLinspectionfilter,andexternalconnectorsfiltersD、FortiGuardcategoryfilterandratingfilter答案：B67.Refertotheexhibit,whichcontainsaradiusserverconfiguration.

AnadministratoraddedaconfigurationforanewRADIUSserver.Whileconfiguring,the

AdministratorselectedtheIncludeineveryusergroupoption.

WhatwillbetheimpactofusingIncludeineveryusergroupoptioninaRADIUSconfiguration?A、ThisoptionplacestheRADIUSserver,andalluserswhocanauthenticateagainstthatserver,intoeveryFortiGateusergroup.B、ThisoptionplacesallFortiGateusersandgroupsrequiredtoauthenticateintotheRADIUSserver,which,inthiscase,isFortiAuthenticator.C、ThisoptionplacesallusersintoeveryRADIUSusergroup,includinggroupsthatareusedfortheLDAPserveronFortiGate.D、ThisoptionplacestheRADIUSserver,andalluserswhocanauthenticateagainstthatserver,intoeveryRADIUSgroup.答案：A68.Whichstatementiscorrectregardingtheuseofapplicationcontrolforinspectingwebapplications?A、Applicationcontrolcanidentitychildandparentapplications,andperformdifferentactionsonthem.B、Applicationcontrolsignaturesareorganizedinanonhierarchicalstructure.C、ApplicationcontroldoesnotrequireSSLinspectiontoidentitywebapplications.D、Applicationcontroldoesnotdisplayareplacementmessageforablockedwebapplication.答案：A69.Inanexplicitproxysetup,whereistheauthenticationmethodanddatabaseconfigured?A、ProxyPolicyB、AuthenticationRuleC、FirewallPolicyD、Authenticationscheme答案：D70.HowdoesFortiGateactwhenusingSSLVPNinwebmode?A、FortiGateactsasanFDSserver.B、FortiGateactsasanHTTPreverseproxy.C、FortiGateactsasDNSserver.D、FortiGateactsasrouter.答案：B71.WhydoesFortiGatekeepTCPsessionsinthesessiontableforsomesecondsevenafterbothsides

(clientandserver)haveterminatedthesession?A、ToremovetheNAToperation.B、TogeneratelogsC、Tofinishanyinspectionoperations.D、Toallowforout-of-orderpacketsthatcouldarriveaftertheFIN/ACKpackets.答案：D72.Examinethenetworkdiagramshownintheexhibit,then答案thefollowingquestion:WhichoneofthefollowingroutesisthebestcandidaterouteforFGT1.toroutetrafficfromtheWorkstationtotheWebserver?A、/16.[50/0]via,port2.[5/0]B、/0.[20/0]via,port2.C、/30.isdirectlyconnected,port2.D、/24.isdirectlyconnected,port1.答案：D73.Anorganization'semployeeneedstoconnecttotheofficethroughahigh-latencyinternetconnection.WhichSSLVPNsettingshouldtheadministratoradjusttopreventtheSSLVPNnegotiationfailure?A、Changethesession-ttl.B、Changethelogintimeout.C、Changetheidle-timeout.D、Changetheudpidletimer.答案：B74.Whenafirewallpolicyiscreated,whichattributeisaddedtothepolicytosupportrecordinglogstoa

FortiAnalyzeroraFortiManagerandimprovesfunctionalitywhenaFortiGateisintegratedwiththese

Devices?A、LogIDB、UniversallyUniqueIdentifierC、PolicyIDD、SequenceID答案：B75.AnadministratorhasconfiguredoutgoingInterfaceanyinafirewallpolicy.Whichstatementistrueaboutthepolicylistview?A、Policylookupwillbedisabled.B、BySequenceviewwillbedisabled.C、SearchoptionwillbedisabledD、InterfacePairviewwillbedisabled.答案：D76.WhichsecurityfeaturedoesFortiGateprovidetoprotectserverslocatedintheinternalnetworksfromattackssuchasSQLinjections?A、DenialofServiceB、WebapplicationfirewallC、AntivirusD、Applicationcontrol答案：B77.Whatistheeffectofenablingauto-negotiateonthephase2.configurationofanIPsectunnel?A、FortiGateautomaticallynegotiatesdifferentlocalandremoteaddresseswiththeremotepeer.B、FortiGateautomaticallynegotiatesanewsecurityassociationaftertheexistingsecurityassociationexpires.C、FortiGateautomaticallynegotiatesdifferentencryptionandauthenticationalgorithmswiththeremotepeer.D、FortiGateautomaticallybringsuptheIPsectunnelandkeepsitup,regardlessofactivityontheIPsectunnel.答案：D78.WhichCLImandwilldisplaysessionsbothfromclienttotheproxyandfromtheproxytotheservers?A、diagnosewadsessionlistB、diagnosewadsessionlist|grephook-pre&&hook-outC、diagnosewadsessionlist|grephook=pre&&hook=outD、diagnosewadsessionlist|grep"hook=pre"&"hook=out"答案：A79.Refertotheexhibits.

AnadministratorcreatesanewaddressobjectontherootFortiGate(Local-FortiGate)inthesecurityfabric.

Aftersynchronization,thisobjectisnotavailableonthedownstreamFortiGate(ISFW).

Whatmusttheadministratordotosynchronizetheaddressobject?A、ChangethecsfsettingonLocal-FortiGate(root)tosetconfiguration-synclocal.B、ChangethecsfsettingonISFW(downstream)tosetconfiguration-synclocal.C、ChangethecsfsettingonLocal-FortiGate(root)tosetfabric-object-unificationdefault.D、ChangethecsfsettingonISFW(downstream)tosetfabric-object-unificationdefault.答案：C80.Refertoexhibit.

Anadministratorconfiguredthewebfilteringprofileshownintheexhibittoblockaccesstoallsocial

NetworkingsitesexceptTwitter.However,whenuserstrytoaccesstwitter.,theyareredirectedtoa

FortiGuardwebfilteringblockpage.

Basedontheexhibit,whichconfigurationchangecantheadministratormaketoallowTwitterwhileblocking

Allothersocialnetworkingsites?A、OntheFortiGuardCategoryBasedFilterconfiguration,setActiontoWarningforSocial

NetworkingB、OntheStaticURLFilterconfiguration,setTypetoSimpleC、OntheStaticURLFilterconfiguration,setActiontoExempt.D、OntheStaticURLFilterconfiguration,setActiontoMonitor.答案：C81.WhydoesFortiGateKeepTCPsessionsinthesessiontableforseveralseconds,evenafter

Bothsides(clientandserver)haveterminatedthesession?A、Toallowforout-of-orderpacketsthatcouldarriveaftertheFIN/ACKpacketsB、TofinishanyinspectionoperationsC、ToremovetheNAToperationD、Togeneratelogs答案：A82.HowdoesFortiGateactwhenusingSSLVPNinwebmode?A、FortiGateactsasanFDSserver.B、FortiGateactsasanHTTPreverseproxy.C、FortiGateactsasDNSserver.D、FortiGateactsasrouter.答案：B83.Refertotheexhibit.

AnetworkadministratoristroubleshootinganIPsectunnelbetweentwoFortiGatedevices.Theadministrator

Hasdeterminedthatphase1statusisup,butphase2failstoeup.

Basedonthephase2configurationsh