NSE4_FGT-5.6 Online Practice Questions and Answers

Questions 4

Which of the following statements are true about route-based IPsec VPNs?

(Choose two.)

Response:

A. A virtual IPsec interface is automatically created after a phase 1 is added to the configuration

B. They require firewall policies with the Action set to IPsec

C. They support L2TP-over-IPsec tunnels

D. They can be created in transparent mode VDOMs

Questions 5

Why must you use aggressive mode when a local FortiGate IPsec gateway hosts multiple dialup tunnels?

Response:

A. The FortiGate is able to handle NATed connections only with aggressive mode.

B. FortiClient supports aggressive mode.

C. The remote peers are able to provide their peer IDs in the first message with aggressive mode.

D. Main mode does not support XAuth for user authentication.

Questions 6

Which statements are true of public key infrastructure (PKI) users on FortiGate?

(Choose two.)

Response:

A. FortiGate must include the CA certificate that issued the PKI peer user certificate.

B. PKI users can belong to firewall user groups.

C. PKI users must authenticate with both a certificate and a password.

D. The first PKI user must be added to FortiGate through the GUI.

Questions 7

View the exhibit.

In this scenario, FGT1 has the following routing table:

S* 0.0.0.0/0 [10/0] via 10.40.72.2, port1

C 172.16.32.0/24 is directly connected, port2

C 10.40.72.0/30 is directly connected, port1

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254. Which of the following statements best describe how the FortiGate will perform reverse path forwarding checks on this traffic?

(Choose two.)

Response:

A. Strict RPF check will deny the traffic.

B. Strict RPF check will allow the traffic.

C. Loose RPF check will allow the traffic.

D. Loose RPF check will deny the traffic.

Questions 8

What is the Unknown Applications category option in the application control profile?

Response:

A. Any traffic that does not match the RFC pattern for its protocol.

B. Any traffic that does not match an application control signature.

C. Any traffic whose packet fails the CRC check.

D. Any traffic that matches custom application control signatures.

Questions 9

How do you configure inline SSL inspection on a firewall policy?

(Choose two.)

Response:

A. Enable one or more flow-based security profiles on the firewall policy.

B. Enable the SSL/SSH Inspection profile on the firewall policy.

C. Execute the inline ssl inspection CLI command.

D. Enable one or more proxy-based security profiles on the firewall policy.

Questions 10

Which of the following network settings can an IPsec gateway assign to an IPsec client using IP config mode?

(Choose two.)

Response:

A. Quick mode selectors

B. DNS IP address

C. NAT-T

D. IP address

Questions 11

Which FortiGate interface does source device type enable device detection on?

Response:

A. All interfaces of FortiGate

B. Source interface of the firewall policy only

C. Destination interface of the firewall policy only

D. Both source interface and destination interface of the firewall policy

Questions 12

Which of the following settings and protocols can be used to provide secure and restrictive administrative access to FortiGate?

(Choose three.)

Response:

A. Trusted host

B. HTTPS

C. Trusted authentication

D. SSH

E. FortiTelemetry

Questions 13

What step is required to configure an SSL VPN to access an internal server using port forward mode?

Response:

A. Configure the virtual IP addresses to be assigned to the SSL VPN users.

B. Install FortiClient SSL VPN client

C. Create an SSL VPN realm reserved for clients using port forward mode.

D. Configure the client application to forward IP traffic to a Java applet proxy.

Exam Code: NSE4_FGT-5.6
Exam Name: Fortinet NSE 4 - FortiOS 5.6
Last Update: May 11, 2024
Questions: 114 Q&As
