Which statement about IKE and IKE NAT-T is true?
IKE without NAT-T runs over UDP port 500. IKE with NAT-T runs over UDP port 4500. The port is configurable: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/33578/configurable-ike-port
A FortiGate has two default routes:
All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:
What would happen with the traffic matching the above session if the priority on the first default route (IDd1) were changed from 5 to 20?
View the IPS exit log, and then answer the question below.
# diagnose test application ipsmonitor 3
ipsengine exit log
pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017
code = 11, reason: manual
What is the status of IPS on this FortiGate?
The command diagnose test application ipsmonitor includes many options that are useful for troubleshooting purposes. Option 3 displays the log entries generated every time an IPS engine process stopped. There are various reasons why these logs are generated. Manual: Because of the configuration, IPS no longer needs to run (that is, all IPS-related features have been disabled).
Examine the output from the BGP real time debug shown in the exhibit, then answer the question below:
Which statements are true regarding the output in the exhibit? (Choose two.)
Which statement about NGFW policy-based application filtering is true?
Four FortiGate devices configured for OSPF are connected to the same broadcast domain. The first unit is elected as the designated router. The second unit is elected as the backup designated router. Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?
View the exhibit, which contains the output of a diagnose command, and then answer the question below.
What statements are correct regarding the output? (Choose two.)
A corporate network allows Internet access to FSSO users only. The FSSO user student does not have Internet access after successfully logging in to the Windows AD network. The output of the 'diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)
In which two states is a given session categorized as ephemeral? (Choose two.)
What are two functions of automation stitches? (Choose two.)
Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 23, 26
An administrator cannot connect to the GUI of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:
Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)
An administrator added the following IPsec VPN to a FortiGate configuration:
config vpn ipsec phase1-interface
set type dynamic
set interface "port1"
set mode main
set psksecret ENC LCVkCiK2E2PhVUzZe
config vpn ipsec phase2-interface
set phase1name "RemoteSite"
set proposal 3des-sha256
However, the phase 1 negotiation is failing. The administrator executed the IKE real time debug while attempting the IPsec connection. The output is shown in the exhibit.
What is causing the IPsec problem in phase 1?
A FortiGate device has the following LDAP configuration:
The administrator executed the 'dsquery' command in the Windows LDAP server 10.0.1.10, and got the following output:
>dsquery user -samid administrator
"CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab"
Based on the output, what FortiGate LDAP setting is configured incorrectly?
Refer to the exhibit, which shows the output of get system ha status. NGFW-1 and NGFW-2 have been up for a week.
Which two statements about the output are true? (Choose two.)
A. If FGVM...649 is rebooted, FGVM...650 will become the primary. That is normal, since it will be the only active firewall, and it will retain that role since override is disabled. Even after FGVM...649 rejoins the cluster, 650 will not fail over as slave.
C. If port7 (heartbeat port) becomes disconnected on the secondary, each FortiGate device will elect itself the primary, because when heartbeat communication fails, all cluster members think they are the primary unit (a condition referred to as split brain). https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/493254/heartbeat-interfaces
When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager, but the script failed to apply any changes to the managed device after being executed.
What are two reasons why the script did not make any changes to the managed device? (Choose two.)
ref CLI scripts do not include Tool Command Language (Tcl) commands, and the first line of the script is not "#!" as it is for Tcl scripts. https://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Scripts/1000_Script%20samples/0200_CLI%20scripts+.htm
Refer to the exhibit, which contains partial output from an IKE real-time debug.
The administrator does not have access to the remote gateway.
Based on the debug output, which configuration change can the administrator make to the local gateway to resolve the phase 1 negotiation error?
Refer to the exhibit, which shows partial outputs from two routing debug commands.
Why is the port2 default route not in the second command output?
Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.
Based on the output, which two statements are correct? (Choose two.)
Which two conditions must be met for a static route to be active in the routing table? (Choose two.)
Which two statements about OCVPN are true? (Choose two.)