PAGEPAGE1【NSE7_EFW-7.0】FortinetNSE7-企業(yè)防火墻認(rèn)證考試題庫（含答案）一、單選題1.Viewtheexhibit,whichcontainstheoutputofareal-timedebug,Whichstatementaboutthisoutputistrue?Whichofthefollowingstatementsistrueregardingthisoutput?A、TherequestedURLbelongstocategoryID255.B、TheserverhostnameIstraining,fortinet..C、FortiGatefoundtherequestedURLinitslocalcache.D、Thiswebrequestwasinspectedusingtheftgd-allowwebfillerprofile.答案：C2.Examinetheoutputfromthe'diagnosedebugauthdfssolist'mand;thenanswerthequestionbelow.

#diagnosedebugauthdfssolist—FSSOlogons-IP:User:STUDENTGroups:

TRAININGAD/USERSWorkstation:INTERNAL2.TRAINING.LABTheIPaddressisNOTtheoneusedbytheworkstationINTERNAL2.TRAINING.LAB.

Whatshouldtheadministratorcheck?A、TheIPaddressrecordedinthelogoneventfortheuserSTUDENT.B、TheDNSnameresolutionfortheworkstationnameINTERNAL2.TRAINING.LAB.C、ThesourceIPaddressofthetrafficarrivingtotheFortiGatefromtheworkstation

INTERNAL2.TRAINING.LAB.D、ThereserveDNSlookupfortheIPaddress.答案：C3.Refertotheexhibit,whichshowsasessiontableentry.WhichstatementaboutFortiGatebehaviorrelatingtothissessionistrue?A、FortiGateredirectedtheclienttothecaptiveportaltoauthenticate,sothatacorrectpolicymatchcouldbemade.B、FortiGateappliedonlyIPSinspectiontothissession.C、FortiGateisperformingsecurityprofileinspectionusingtheCPU.D、FortiGateforwardedthissessionwithoutanyinspection答案：C4.Whatisthediagnosetestapplicationipsmenitor5mandusedfor?A、ToprovideinformationregardingIPSsessionsB、ToenableIpsbypassmodeC、TodisabletheIPSengineD、TorestartallIPSenginesandmonitors答案：B5.AFortiGatehastwodefaultroutes:AllInternettrafficiscurrentlyusingport1.TheexhibitshowspartialinformationforonesamplesessionofInternettrafficfromaninternaluser:Whatwouldhappenwiththetrafficmatchingtheabovesessionifthepriorityonthefirstdefaultroute(IDd1)werechangedfrom5to20?A、Thesessionwouldbedeleted,andtheclientwouldneedtostartanewsession.B、Thesessionwouldremaininthesessiontable,anditstrafficwouldstarttoegressfromport2.C、Thesessionwouldremaininthesessiontable,butitstrafficwouldnowegressfromBothport1andport2.D、Thesessionwouldremaininthesessiontable,anditstrafficwouldstillegressfromport1.答案：D6.WhichofthefollowingstatementsistrueregardingaFortiGateconfiguredasanexplicitwebproxy?A、FortiGatelimitsthenumberofsimultaneoussessionsperexplicitwebproxyuser.ThislimitCANNOTbemodifiedbytheadministrator.B、FortiGatelimitsthetotalnumberofsimultaneousexplicitwebproxyusers.C、FortiGatelimitsthenumberofsimultaneoussessionsperexplicitwebproxyuserThelimitCANbemodifiedbytheadministratorD、FortiGatelimitsthenumberofworkstationsthatauthenticateusingthesamewebproxyusercredentials.ThislimitCANNOTbemodifiedbytheadministrator.答案：B7.Viewthesepartialoutputsfromtworoutingdebugmands:WhichoutboundinterfacewillFortiGateusetoroutewebtrafficfrominternaluserstotheInternet?A、Bothport1andport2B、port3C、port1D、port2答案：C8.ExaminetheIPsecconfigurationshownintheexhibit;thenanswerthequestionbelow.AnadministratorwantstomonitortheVPNbyenablingtheIKErealtimedebugusingthesemands:Diagnosevpnikelog-filtersrc-addr4Diagnosedebugapplicationike-1DiagnosedebugenableTheVPNiscurrentlyup,thereisnotrafficcrossingthetunnelandDPDpacketsarebeinginterchangedbetweenbothIPsecgateways.However,theIKErealtimedebugdoesNOTshowanyoutput.Whyisn’tthereanyoutput?A、TheIKErealtimeshowsthephases1and2negotiationsonly.Itdoesnotshowanymoreoutputoncethetunnelisup.B、Thelog-filtersettingissetincorrectly.TheVPN’strafficdoesnotmatchthisfilter.C、TheIKErealtimedebugshowsthephase1negotiationonly.Forinformationafterthat,theadministratormustusetheIPsecrealtimedebuginstead:diagnosedebugapplicationipsec-1.D、TheIKErealtimedebugshowserrormessagesonly.Ifitdoesnotprovideanyoutput,itindicatesthatthetunnelisoperatingnormally.答案：B9.WhichrealtimedebugshouldanadministratorenabletotroubleshootRADIUSauthenticationproblems?A、Diagnosedebugapplicationradius-1.B、Diagnosedebugapplicationfnbamd-1.C、Diagnoseauthdconsole–logenable.D、Diagnoseradiusconsole–logenable.答案：B10.Examinethefollowingpartialoutputsfromtworoutingdebugmands;thenanswerthequestionbelow.#getrouterinfokernelTab=254vf=0scope=0type=1proto=11prio=0//0->/0pref=Gwy=54dev=2(port1)Tab=254vf=0scope=0type=1proto=11prio=//0->/0pref=Gwy=54dev=3(port2)Tab=254vf=0scope=253type=1proto=2prio=0//.->/24pref=54Gwy=dev=4(port3)#getrouterinforouting-tablealls*/0[10/0]via54,portl[10/0]via54,port2,[10/0]dO.0.1.0/24isdirectlyconnected,port3dO.200.1.0/24isdirectlyconnected,portld/24isdirectlyconnected,port2WhichoutboundinterfaceorinterfaceswillbeusedbythisFortiGatetoroutewebtrafficfrominternaluserstotheInternet?A、port1B、port2.C、Bothport1andport2.D、port3.答案：A11.AnadministratorhasbeenassignedthetaskofcreatingasetoffirewallpolicieswhichmustbeevaluatedbeforeanycustompoliciesdefinedwithinthepolicypackagesofmanagedFortiGatedevices,acrossall25ADOMSsinFortiManager.Howshouldtheadministratoracplishthistask?A、MovetheFortiGatedevicesintoasinglegloballyscopedADOM,andmergepolicypackages,insertingthenewfirewallpoliciesatthetop.B、CreateaheaderpolicyintheGlobalADOMcontainingthefirewallpoliciesthatmustbeevaluatedfirst,andthenassignthisheaderpolicytoallotherADOMs.C、CreateafooterpolicyintheGlobalADOMcontainingthefirewallpoliciesthatmustbeevaluatedfirst,andthenassignthisfooterpolicytoallotherADOMs.D、UseaCLIscriptfromtherootADOMonFortiManagertopushthesenewpoliciestoallFortiGatedevices,throughtheFGFMtunnel.答案：B12.WhatisanOSPFareaborderrouter?A、Arouterthatisredistributingnon—OSPFroutesintotheOSPFnetwork.B、ArouterthatisredistributingconnectedsubnetsintotheOSPFnetwork.C、ArouterwithinterfacesinmultipleOSPFareas.D、Arouterwithallitsinterfacesinthebackbonearea.答案：C13.Whichstatementaboutprotocoloptionsistrue?A、ProtocoloptionsallowsadministratorsastreamlinedmethodtoinstructFortiGatetoblockallsessionscorrespondingtodisabledprotocols.B、ProtocoloptionsallowsadministratorstheabilitytoconfiguretheAnysettingforallenabledprotocolswhichprovidesthemostefficientuseofsystemresources.C、Protocoloptionsallowadministratorstoconfigureamaximumnumberofsessionsforeachconfiguredprotocol.D、ProtaocaloptionsallowsadministratorstoconfigurewhichLayer4portnumbersmaptoupper—layerprotocols,suchasHTTP,SMTP,FTP,andsoon.答案：D14.WhichofthefollowingtroubleshootingstepsisapplicablewheninvestigatingantivirusandIPSupdateissuesonFortiGate?A、ValidateDNS.B、VerifyoutboundICMPconnectivity.C、Usethediagnosedebugratingmandtocheckactiveservers.D、Usethealternateserviceport8888.答案：A15.Refertotheexhibit,whichcontainspartialoutputfromanIKEreal-timedebug.Basedonthedebugoutput,whichphase1settingisenabledintheconfigurationofthisVPN?A、auto-discovery-shortcutB、auto-discovery-forwarderC、auto-discovery-senderD、auto-discovery-receiver答案：D16.Viewtheexhibit,whichcontainstheoutputofdiagnosesyssessionlist,andthenanswerthequestionbelow.IftheHAIDfortheprimaryunitiszero(0),whichstatementiscorrectregardingtheoutput?A、ThissessionisforHAheartbeattraffic.B、Thissessionissyncedwiththeslaveunit.C、Theinspectionofthissessionhasbeenoffloadedtotheslaveunit.D、Thissessioncannotbesyncedwiththeslaveunit.答案：B17.Viewtheexhibit,thenanswerthequestionbelow.Whichofthefollowingmandswillbringupthetunnel?A、diagnosevpntunnelH2S_0upB、diagnosevpntunnelupH2S_0C、diagnosevpntunnelupD、diagnosevpntunnelupH2S_0_0答案：D18.Refertotheexhibit,whichcontainspartialoutputfromanIKEreal-timedebug.Theadministratordoesnothaveaccesstotheremotegateway.Basedonthedebugoutput,whichconfigurationchangecantheadministratormaketothelocalgatewaytoresolvethephase1negotiationerror?A、Inthephase1proposalconfiguration,addAESCBC-SHA2tothelistofencryptionalgorithms.B、Inthephase1proposalconfiguration,addAES256-SHA256tothelistofencryptionalgorithms.C、Inthephase1proposalconfiguration,addAES128-SHA128tothelistofencryptionalgorithms.D、Inthephase1networkconfiguration,settheIKEversionto2.答案：B19.WhichstepcanbetakentoensurethatonlyFortiAPdevicesreceiveIPaddressesfromaDHCPserveronFortiGate?A、ChangetheinterfaceaddressingmodetoFortiApdevicesB、UseDHCPoption138toassignIPstoFortiAPdevicesC、CreateareservationlistintheDHCPserversettingsD、ConfigureaVCIstringvalueofFortiApintheDHCPserversettings答案：D20.Viewtheexhibit,whichcontainsapartialoutputofanIKEreal-timedebug,andthenanswerthequestionbelow.Basedonthedebugoutput,whichphase-1settingisenabledintheconfigurationofthisVPN?A、auto-discovery-senderB、auto-discovery-forwarderC、auto-discovery-shortcutD、auto-discovery-receiver答案：D21.AnadministratoraddedthefollowingIpsecVPNtoaFortiGateconfiguration:configvpnipsecphasel-interfaceEdit"RemoteSite"SettypedynamicSetinterface"portl"SetmodemainSetpsksecretENCLCVkCiK2E2PhVUzZeNextEndConfigvpnipsecphase2-interfaceEdit"RemoteSite"Setphaselname"RemoteSite"Setproposal3des-sha256NextEndHowever,thephase1negotiationisfailing.TheadministratorexecutedtheIKFrealtimedebugwhileattemptingtheIpsecconnection.Theoutputisshownintheexhibit.WhatiscausingtheIPsecprobleminthephase1?A、TheiningIPsecconnectionismatchingthewrongVPNconfigurationB、Thephrase-1modemustbechangedtoaggressiveC、Thepre-sharedkeyiswrongD、NAT-Tsettingsdonotmatch答案：C22.WhichlayeroftheFortiOSarchitecturedoesanapplicationprocessordaemonrunon?A、KernelB、ConfigurationlayerC、UserspaceD、Hardware答案：C23.Refertotheexhibit,whichshowsaFortiGateconfiguration.AnadministratoristroubleshootingawebfilterissueonFortiGate.Theadministratorhasconfiguredawebfilterprofileandappliedittoapolicy;however,thewebfilterisnotinspectinganytrafficthatispassingthroughthepolicy.Whatmusttheadministratorchangetofixtheissue?A、Theadministratormustincreasewebfilter-timeout.B、Theadministratormustdisablewebfilter-force-off.C、TheadministratormustchangeprotocoltoTCP.D、Theadministratormustenablefortiguard-anycast.答案：B24.ViewthefollowingFortiGateconfiguration.AlltraffictotheInternetcurrentlyegressesfromport1.TheexhibitshowspartialsessioninformationforInternettrafficfromauserontheinternalnetwork:IfthepriorityonrouteID1werechangedfrom5to20,whatwouldhappentotrafficmatchingthatuser’ssession?A、Thesessionwouldremaininthesessiontable,anditstrafficwouldstillegressfromport1.B、Thesessionwouldremaininthesessiontable,butitstrafficwouldnowegressfrombothport1andport2.C、Thesessionwouldremaininthesessiontable,anditstrafficwouldstarttoegressfromport2.D、Thesessionwouldbedeleted,sotheclientwouldneedtostartanewsession.答案：A25.AnadministratorhasenabledHAsessionsynchronizationinaHAclusterwithtwomembers.

Whichflagisaddedtoaprimaryunit’ssessiontoindicatethatithasbeensynchronizedtothesecondaryunit?A、redir.B、dirty.C、syncedD、nds.答案：C26.Whichmandisusedtoenabletimestampinareal-timedebug?A、diagnosedebugapplicationtimestampenableB、diagnosedebugconsoletimestampenableC、diagnoseapplicationtimestampenableD、diagnosetimestampenable答案：B27.Refertotheexhibit,whichcontainstheoutputofdiagnosesyssessionlist.IftheHAIDfortheprimaryunitiszero(0),whichstatementabouttheoutputistrue?A、Thissessioncannotbesyncedwiththeslaveunit.B、Theinspectionofthissessionhasbeenoffloadedtotheslaveunit.C、Themasterunitisprocessingthistraffic.D、ThissessionisforHAheartbeattraffic.答案：C28.Viewtheexhibit,whichcontainstheoutputofawebdiagnosemand,andthenanswerthequestionbelow.Whichoneofthefollowingstatementsexplainswhythecachestatisticsareallzeros?A、Theadministratorhasreallocatedthecachememorytoaseparateprocess.B、Therearenousersmakingwebrequests.C、TheFortiGuardwebfiltercacheisdisabledintheFortiGate’sconfiguration.D、FortiGateisusingaflow-basedwebfilterandthecacheappliesonlytoproxy-basedinspection.答案：C29.Viewtheexhibit,whichcontainstheoutputofareal-timedebug,andthenanswerthequestionbelow.Whichoneofthefollowingstatementsdescribeswhytheupdateisfailing?A、FortiGateisunabletoestablishaTCpconnectionwithFDSB、Theupdateshouldbeusingport53orport8888,insteadofport443.C、Theadministratorshouldusetheexecuteupdate-wfmandinstead.D、FortiGateisunabletoresolvetherequiredFODN()forAVandIPSupdates.答案：A30.WhichconfigurationcanbeusedtoreducethenumberofBGPsessionsinanIBGPnetwork?A、route—reflector—peerenableB、route—reflactor—clientenableC、route—reflector—serverenableD、route—reflectorenable答案：B31.Examinetheoutputofthe‘getrouterinfobgpsummary’mandshownintheexhibit;thenanswerthequestionbelow.WhichstatementcanexplainwhythestateoftheremoteBGPpeerisConnect?A、ThelocalpeerisreceivingtheBGPkeepalivesfromtheremotepeerbutithasnotreceivedanyBGPprefixyet.B、TheTCPsessionfortheBGPconnectiontoisdown.C、ThelocalpeerhasreceivedtheBGPprefixedfromtheremotepeer.D、ThelocalpeerisreceivingtheBGPkeepalivesfromtheremotepeerbutithasnotreceivedtheOpenConfirmyet.答案：B32.Examinethefollowingpartialoutputfromasniffermand;thenanswerthequestionbelow.Whatisthemeaningofthepacketsdroppedcounterattheendofthesniffer?A、Numberofpacketsthatdidn’tmatchthesnifferfilter.B、NumberoftotalpacketsdroppedbytheFortiGate.C、NumberofpacketsthatmatchedthesnifferfilterandweredroppedbytheFortiGate.D、Numberofpacketsthatmatchedthesnifferfilterbutcouldnotbecapturedbythesniffer.答案：D33.TwoindependentFortiGateHAclustersareconnectedtothesamebroadcastdomain.TheadministratorhasreportedthatbothclustersareusingthesameHAvirtualMACaddress.ThiscreatesaduplicatedMACaddressprobleminthenetwork.

WhatHAsettingmustbechangedinoneoftheHAclusterstofixtheproblem?A、GroupID.B、Groupname.C、Sessionpickup.D、GratuitousARPs.答案：A34.DefaultVLANsarecreatedonFortiGatewhentheFortiLinkinterfaceiscreated.Bydefault,whichVLANissetasAllowedVLANsonallFortiSwitchports?A、QuarantineVLANB、voiceVLANC、SnifferVLAND、CameraVLAN答案：B35.AFortiGatedevicehasthefollowingLDAPconfiguration:Theadministratorexecutedthe‘dsquery’mandintheWindowsLDApserver0,andgotthefollowingoutput:>dsqueryuser–samidadministrator“CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab”Basedontheoutput,whatFortiGateLDAPsettingisconfiguredincorrectly?A、cnid.B、username.C、password.D、dn.答案：B36.WhatdoesthedirtyflagmeaninaFortiGatesessionconfiguredforNGFWpolicymode?A、Theexistingsessiontableentryhasbeenupdatedwiththeapp_idandthefirewallpolicytableneedstobecheckedforamatchB、TheapplicationorURLcategoryisunknownandneedstoberescannedbytheIPSenginetotrytoidentifytheLayer7details.C、TheURLcategoryforthissessionhasbeenupdatedbyFortiGuardandthesessionneedstobecheckedagainstthepolicyagaintoensureproperwebfilteringisapplied.D、Traffichasbeenidentifiedasingfromanapplicationthatisnatallowedandtherelevantreplacementmessageneedstobedisplayedtotheuser,ifconfigured.答案：A37.WhichactionwillFortiGatetakeifauserattemptstoaccess.dropbox.,whichiscategorizedasFileSharingandStorage?A、FortiGatewillblocktheconnection,basedontheFortiGuardcategorybasedfilterconfiguration.B、FortiGatewillblocktheconnectionasaninvalidURL.C、FortiGatewillexempttheconnection,basedontheWebContentFilterconfiguration.D、FortiGatewillallowtheconnection,basedontheURLFilterconfiguration.答案：A38.Viewtheexhibit,whichcontainsthepartialoutputofanIKEreal-timedebug,andthenanswerthequestionbelow.Theadministratordoesnothaveaccesstotheremotegateway.Basedonthedebugoutput,whatconfigurationchangescantheadministratormaketothelocalgatewaytoresolvethephase1negotiationerror?A、Changephase1encryptionto3DESandauthenticationtoSHA128.B、Changephase1encryptiontoAES128andauthenticationtoSHA512.C、Changephase1encryptiontoAESCBCandauthenticationtoSHA2.D、Changephase1encryptiontoAES256andauthenticationtoSHA256.答案：D39.Viewtheexhibit,whichcontainstheoutputofadebugmand,andthenanswerthequestionbelow.WhichoneofthefollowingstatementsaboutthisFortiGateiscorrect?A、ItiscurrentlyinsystemconservemodebecauseofhighCPUusage.B、Itiscurrentlyinextremeconservemodebecauseofhighmemoryusage.C、Itiscurrentlyinproxyconservemodebecauseofhighmemoryusage.D、Itiscurrentlyinmemoryconservemodebecauseofhighmemoryusage.答案：D40.Whatglobalconfigurationsettingchangesthebehaviorforcontent-inspectedtrafficwhileFortiGateisinsystemconservemode?A、av-failopenB、mem-failopenC、utm-failopenD、ips-failopen答案：A41.Examinetheoutputofthe‘diagnosesyssessionlistexpectation’mandshownintheexhibit;than答案thequestionbelow.Whichstatementistrueregardingthesessionintheexhibit?A、ItwascreatedbytheFortiGatekerneltoallowpushupdatesfromFotiGuard.B、ItisformanagementtrafficterminatingattheFortiGate.C、ItisfortrafficoriginatedfromtheFortiGate.D、ItwascreatedbyasessionhelperorALG.答案：D42.AnadministratorhasdecreasedalltheTCPsessiontimerstooptimizetheFortiGatememoryusage.

However,afterthechanges,onenetworkapplicationstartedtohaveproblems.Duringthetroubleshooting,theadministratornoticedthattheFortiGatedeletesthesessionsaftertheclientssendtheSYNpackets,andbeforethearrivaloftheSYN/ACKs.WhentheSYN/ACKpacketsarrivetothe

FortiGate,theunithasalreadydeletedtherespectivesessions.

WhichTCPsessiontimermustbeincreasedtofixthisproblem?A、TCPhalfopen.B、TCPhalfclose.C、TCPtimewait.D、TCPsessiontimetolive.答案：A43.ThelogsinaFSSOcollectoragent(CA)areshowingthefollowingerror:failedtoconnecttoregistry:PIKA1026(32)

Whatcanbethereasonforthiserror?A、TheCAcannotresolvethenameoftheworkstation.B、TheFortiGatecannotresolvethenameoftheworkstation.C、Theremoteregistryserviceisnotrunningintheworkstation32.D、TheCAcannotreachtheFortiGatewiththeIPaddress32.答案：C44.Examinetheoutputofthe‘diagnoseipsanomalylist’mandshownintheexhibit;thenanswerthequestionbelow.WhichIPaddressesareincludedintheoutputofthismand?A、ThosewhosetrafficmatchesaDoSpolicy.B、ThosewhosetrafficmatchesanIPSsensor.C、ThosewhosetrafficexceededathresholdofamatchingDoSpolicy.D、ThosewhosetrafficwasdetectedasananomalybyanIPSsensor.答案：C45.Refertotheexhibit,whichcontainstheoutputofaBGPdebugmand.Whichstatementabouttheexhibitistrue?A、ThelocalrouterhasreceivedatotalofthreeBGPprefixesfromallpeers.B、ThelocalrouterhasnotestablishedaTCPsessionwith.C、Sincethecounterswerelastreset,thepeerhasneverbeendown.D、ThelocalrouterBGPstateisOpenConfirmwiththe5peer.答案：B46.AnadministratorhascreatedaVPNmunitywithinVPNManageronFortiManager.TheyalsoaddedgatewaystotheVPNmunityandarenowtryingtocreatefirewallpoliciestopermittrafficoverthetunnel;however,theVPNinterfacesarenotlistedasavailableoptions.

Whatstepmusttheadministratortaketoresolvethisissue?A、InstalltheVPNmunityandgatewayconfigurationtotheFortiGatedevices,inorderfortheinterfacestobedisplayedwithinPolicy&ObjectsonFortiManagerB、Setupallofthephase1settingsintheVPNmunitythattheyneglectedtosetupinitially.Theinterfaceswillbeautomaticallygeneratedaftertheadministratorconfiguresalloftherequiredsettings.C、RefreshthedevicestatusfromtheDeviceManagersothatFortiGatewillpopulatetheIPsecinterfaces.D、CreateinterfacemappingsfortheIPsecVPNinterfaces,beforetheycanbeusedinapolicy.答案：A47.Refertotheexhibit,whichshowsasessionentry.Whichstatementaboutthissessionistrue?A、ItisanICMPsessionfrom0to.B、ItisaTCPsessioninclose_waitstate,from10.l.10.10to.C、ItisanICMPsessionfrom0to.D、ItisaTCPsessionintheestablishedstate,from0to.答案：A48.Viewtheexhibit,whichcontainstheoutputofadiagnosemand,andtheanswerthequestionbelow.WhichstatementsaretrueregardingtheWeightvalue?A、Itsinitialvalueiscalculatedbasedontheroundtripdelay(RTT).B、Itsinitialvalueisstaticallysetto10.C、Itsvalueisincrementedwitheachpacketlost.D、ItdetermineswhichFortiGuardserverisusedforlicensevalidation.答案：C49.AnadministratorwantstocaptureESPtrafficbetweentwoFortiGatesusingthebuilt-insniffer.

IftheadministratorknowsthatthereisnoNATdevicelocatedbetweenbothFortiGates,whatmandshouldtheadministratorexecute?A、diagnosesnifferpacketany‘udpport500’B、diagnosesnifferpacketany‘udpport4500’C、diagnosesnifferpacketany‘esp’D、diagnosesnifferpacketany‘udpport500orudpport4500’答案：C50.Viewtheexhibit,whichcontainstheoutputofadebugmand,andthenanswerthequestionbelow.WhatstatementiscorrectaboutthisFortiGate?A、ItiscurrentlyinsystemconservemodebecauseofhighCPUusage.B、ItiscurrentlyinFDconservemode.C、Itiscurrentlyinkernelconservemodebecauseofhighmemoryusage.D、Itiscurrentlyinsystemconservemodebecauseofhighmemoryusage.答案：D51.Viewthecentralmanagementconfigurationshownintheexhibit,andthenthequestionbelow.WhichserverwillFortiGatechooseforantivirusandIPSupdatesif43isexperiencinganoutage?A、40B、OneofthepublicFortiGuarddistributionserversC、44D、42答案：B52.WhichADVPNconfigurationmustbeconfiguredusingascriptonFortiManager,whenusingVPNManagertomanageFortiGateVPNtunnels?A、SetprotectednetworktoallB、EnableAD—VPNinIPsecphase1C、ConfigureIPaddressesonIPsecvirtualinterfacesD、Disableadd—routeonhub答案：B53.Whichstatementaboutthedesignatedrouter(DR)andbackupdesignatedrouter(BDR)inanOSPFmulti-accessnetworkistrue?A、FortiGatefirstcheckstheOSPFIDtoelectaDR.B、Non-DRandnon-BDRrouterswillformfulladjacenciestoDRandBDRonly.C、BDRisresponsibleforforwardinglinkstateinformationfromoneroutertoanother.D、OnlytheDRreceiveslinkstateinformationfromnon-DRrouters.答案：B54.Whichofthefollowingstatementsaboutadministrativedomains(ADOMs)onFortiManageristrue?A、TheADOMfeaturecanbeenabledbyanyadministratorwithsuper-userprivileges.B、ADOMsallowgroupingofmanageddevicesbasedonmanagementcriteriaandadministrativeaccess.C、ThenumberofconfigurableADOMsisbasedontheFortiManager'sFortiCareservicecontract.D、FortiGateswithmultipleVDOMsmustbeassignedtothesameADOMonFortiManager.答案：B55.AnadministratorhasconfiguredthefollowingCLIscriptonFortiManager,whichfailedtoapplyanychangestothemanageddeviceafterbeingexecuted.Whydidn’tthescriptmakeanychangestothemanageddevice?A、mandsthatstartwiththe#signarenotexecuted.B、CLIscriptswilladdobjectsonlyiftheyarereferencedbypolicies.C、InpletemandsareignoredinCLIscripts.D、StaticroutescanonlybeaddedusingTCLscripts.答案：A56.WhichstatementaboutNGFWpolicy-basedapplicationfilteringistrue?A、Aftertheapplicationhasbeenidentified,thekernelusesonlytheLayer4headertomatchthetraffic.B、TheIPSsecurityprofileistheonlysecurityoptionyoucanapplytothesecuritypolicywiththeaction

SettoACCEPT.C、AfterIPSidentifiestheapplication,itaddsanentrytoadynamicISDBtable.D、FortiGatewilldropallpacketsuntiltheapplicationcanbeidentified.答案：D57.Refertotheexhibit,whichshowstheoutputofadiagnosemand.Whatcanbeconcludedaboutthedebugoutputinthisscenario?A、ServerswithanegativeTZvaluearelesspreferredforratingrequests.B、ThereisanaturalcorrelationbetweenthevalueinthePacketsfieldandthevalueintheWeightfield.C、FortiGateused7astheinitialservertovalidateitscontract.D、ThefirstserverprovidedtoFortiGatewhenitperformedaDNSquerylookingforalistofratingservers,was79.答案：B58.Whatisthediagnosetestapplicationipsmonitor99mandusedfor?A、ToenableIPSbypassmodeB、ToprovideinformationregardingIPSsessionsC、TodisabletheIPSengineD、TorestartallIPSenginesandmonitors答案：D59.WhenusingtheSSLcertificateinspectionmethodforHTTPStraffic,howdoesFortiGatefilterwebrequestswhenthebrowserclientdoesnotprovidetheservernameindication(SNI)?A、FortiGateusestherequestedURLfromtheuser'swebbrowser.B、FortiGateusestheIssuedTo:fieldintheserver'scertificate.C、FortiGateswitchestothefullSSLinspectionmethodtodecryptthedata.D、FortiGateblockstherequestwithoutanyfurtherinspection.答案：B60.Viewtheexhibit,whichcontainsthepartialoutputofadiagnosemand,andthenanswerthequestionbelow.Basedontheoutput,whichofthefollowingstatementsiscorrect?A、Anti-replyisenabled.B、DPDisdisabled.C、Quickmodeselectorsaredisabled.D、RemotegatewayIPis.答案：A61.AFortiGatehastwodefaultroutes:ConfigrouterstaticEdit1Setgateway54Setpriority5Setdevice"port1"NextEdit2Setgateway54Setpriority10Setdevice"port2"NextEndAllInternettrafficiscurrentlyusingport1.TheexhibitshowspartialinformationforonesamplesessionofInternettrafficfromaninternaluser:Whatwouldhappenwiththetrafficmatchingtheabovesessionifthepriorityonthefirstdefaultroute(IDd1)werechangedfrom5to20?A、Sessionwouldbedeleted,sotheclientwouldneedtostartanewsession.B、Sessionwouldremaininthesessiontableanditstrafficwouldbesharedbetweenportandport2.C、Sessionwouldremaininthesessiontableanditstrafficwouldstartusingport2astheoutgoinginterface.D、Sessionwouldremaininthesessiontableanditstrafficwouldkeepusingport1astheoutgoinginterface,答案：D62.TheCLImandsetintelligent-mode<enable|disable>controlstheIPSengine’sadaptivescanningbehavior.

WhichofthefollowingstatementsdescribesIPSadaptivescanning?A、DeterminestheoptimalnumberofIPSenginesrequiredbasedonsystemload.B、DownloadssignaturesondemandfromFDSbasedonscanningrequirements.C、Determineswhenitissecureenoughtostopscanningsessiontraffic.D、Chooseamatchingalgorithmbasedonavailablememoryandthetypeofinspectionbeingperformed.答案：C63.Viewtheexhibit,whichcontainsahub—and—spokeVPNtopologywithtwohubs,thenanswerthequestionbelow.AnadministratorwantstoconfigureADVPN.WhichADVPNsettingneedstobeenabledinthetunnelbetweenHub1andHub2FortiGates?A、setauto—discovery—forwarderenabledB、setauto—discovery—receiverenabledC、setauto—discovery—senderenabledD、setauto—discovery—ipsecenabled答案：A64.WheninvestigatingFortiGuardconnectivityissues,whichofthefollowingisavalidtroubleshootingstep?A、VerifyDNSrequestsarebeingproxiedifauto—updatetunnelingisenabled.B、UsetheFortiGuardreal—timedebugmandtoverifyratingrequests.C、ConfigureavirtualIPtoforwardport443toFortiGate‘sexternalIP.D、VerifymanagementVDOM‘sinternetaccess.答案：D65.Viewtheexhibit,whichcontainsanentryinthesessiontable,andthenanswerthequestionbelow.WhichoneofthefollowingstatementsistrueregardingFortiGate’sinspectionofthissession?A、FortiGateappliedproxy-basedinspection.B、FortiGateforwardedthissessionwithoutanyinspection.C、FortiGateappliedflow-basedinspection.D、FortiGateappliedexplicitproxy-basedinspection.答案：A66.ViewtheIPSexitlog,andthenanswerthequestionbelow.#diagnosetestapplicationipsmonitor3Ipsengineexitlog”Pid=93(cfg),duration=5605322(s)atWedApr1909:57:262017Code=11,reason:manualWhatisthestatusofIPSonthisFortiGate?A、IPSenginememoryconsumptionhasexceededthemodel-specificpredefinedvalue.B、IPSdaemonexperiencedacrash.C、TherearemunicationproblemsbetweentheIPSengineandthemanagementdatabase.D、AllIPS-relatedfeatureshavebeendisabledinFortiGate’sconfiguration.答案：D67.WhatactiondoesFortiSwitchtakewhenitreceivesaloopguarddatapacket(LGDP)thatwassentbyitself?A、ThereceivingportismovedtotheSTpblockingstateB、ThesendingportismovedtotheSTpblockingstateC、ThesendingportisshutdownD、Thereceivingportisshutdown答案：C68.Whatisthepurposeofaninternalsegmentationfirewall(ISFW)?A、ItinspectsiningtraffictoprotectservicesinthecorporateDMZ.B、Itisthefirstlineofdefenseatthenetworkperimeter.C、Itsplitsthenetworkintomultiplesecuritysegmentstominimizetheimpactofbreaches.D、Itisanall-in-onesecurityappliancethatisplacedatremotesitestoextendtheenterprisenetwork.答案：C69.Refertotheexhibit,whichshowstheoutputofdiagnosesyssessionlist.IftheHAIDfortheprimarydeviceis0,whatwillhappeniftheprimaryfailsandthesecondarybeestheprimary?A、Trafficforthissessioncontinuestobepermittedonthenewprimarydeviceafterfailover,withoutrequiringtheclienttorestartthesessionwiththeserver.B、Thesecondarydevicehasthissessionsynchronized;however,becauseapplicationcontrolisapplied,thesessionwillbemarkeddirtyandhavetobere—evaluatedafterfailover.C、Thesessionstatewillbepreservedbutthekemelwillneedtore—evaluatethesessionduetoNATbeingappliedD、Thesessionwillberemovedfromthesessiontableofthesecondarydeviceduetothepresenceofallowederrorpackets,whichwillforcetheclienttorestartthesessionwiththeserver.答案：B70.ViewtheglobalIPSconfiguration,andthenanswerthequestionbelow.Whichofthefollowingstatementsistrueregardingthisconfiguration?A、IPSwillscaneverybyteineverysession.B、FortiGatewillspawnIPSengineinstancesbasedonthesystemload.C、NewpacketswillbepassedthroughwithoutinspectioniftheIPSsocketbufferrunsoutofmemory.D、IPSwillusethefastermatchingalgorithmwhichisonlyavailableforunitswithmorethan4GBmemory.答案：A71.Whenusingt