
QUESTION 131

Review the IPsec Phase 2 configuration shown in the Exhibit; then answer the question following it. Which of the following statements are correct regarding this configuration? (Select all that apply.)

 

[Exhibit: IPsec Phase 2 configuration (image not included in this copy)]

 

A.

The Phase 2 will re-key even if there is no traffic.

B.

There will be a DH exchange for each re-key.

C.

The sequence number of ESP packets received from the peer will not be checked.

D.

Quick mode selectors will default to those used in the firewall policy.

 

Correct Answer: AB

 

 

QUESTION 132

In the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate unit when searching for a suitable gateway?

 

A.

A look-up is done only when the first packet coming from the client (SYN) arrives.

B.

A look-up is done when the first packet coming from the client (SYN) arrives, and a second is performed when the first packet coming from the server (SYN/ACK) arrives.

C.

A look-up is done only during the TCP 3-way handshake (SYN, SYN/ACK, ACK).

D.

A look-up is always done each time a packet arrives, from either the server or the client side.

 

Correct Answer: B

 

 

QUESTION 133

Review the output of the command get router info routing-table all shown in the Exhibit below; then answer the question following it. Which one of the following statements correctly describes this output?

 

[Exhibit: output of get router info routing-table all (image not included in this copy)]

 

A.

The two routes to the 10.0.2.0/24 subnet are ECMP routes and traffic will be load balanced based on the configured ECMP settings.

B.

The route to the 10.0.2.0/24 subnet via interface Remote_1 is the active and the route via Remote_2 is the backup.

C.

OSPF does not support ECMP therefore only the first route to subnet 10.0.1.0/24 is used.

D.

172.16.2.1 is the preferred gateway for subnet 10.0.2.0/24.

 

Correct Answer: A

 

 

QUESTION 134

What are the requirements for a cluster to maintain TCP connections after device or link failover? (Select all that apply.)

 

A.

Enable session pick-up.

B.

Only applies to connections handled by a proxy.

C.

Only applies to UDP and ICMP connections.

D.

Connections must not be handled by a proxy.

 

Correct Answer: AD

 

 

QUESTION 135

With FSSO, a domain user could authenticate either against the domain controller running the Collector Agent and Domain Controller Agent, or a domain controller running only the Domain Controller Agent. If you attempt to authenticate with the Secondary Domain Controller running only the Domain Controller Agent, which of the following statements are correct? (Select all that apply.)

 

A.

The login event is sent to the Collector Agent.

B.

The FortiGate unit receives the user information from the Domain Controller Agent of the Secondary Controller.

C.

The Collector Agent performs the DNS lookup for the authenticated client’s IP address.

D.

The user cannot be authenticated with the FortiGate device in this manner because each Domain Controller Agent requires a dedicated Collector Agent.

 

Correct Answer: AC

 

 

QUESTION 136

Which of the following statements are TRUE for Port Pairing and Forwarding Domains? (Select all that apply.)

 

A.

They both create separate broadcast domains.

B.

Port Pairing works only for physical interfaces.

C.

Forwarding Domains only apply to virtual interfaces.

D.

They may contain physical and/or virtual interfaces.

E.

They are only available in high-end models.

 

Correct Answer: AD

 

 

QUESTION 137

For Data Leak Prevention, which of the following describes the difference between the block and quarantine actions?

 

A.

A block action prevents the transaction. A quarantine action blocks all future transactions, regardless of the protocol.

B.

A block action prevents the transaction. A quarantine action archives the data.

C.

A block action has a finite duration. A quarantine action must be removed by an administrator.

D.

A block action is used for known users. A quarantine action is used for unknown users.

 

Correct Answer: A

 

 

QUESTION 138

What advantages are there in using a hub-and-spoke IPSec VPN configuration instead of a fully-meshed set of IPSec tunnels? (Select all that apply.)

 

A.

Using a hub and spoke topology is required to achieve full redundancy.

B.

Using a hub and spoke topology simplifies configuration because fewer tunnels are required.

C.

Using a hub and spoke topology provides stronger encryption.

D.

The routing at a spoke is simpler, compared to a meshed node.

 

Correct Answer: BD

 

 

QUESTION 139

FSSO provides a single sign-on solution to authenticate users transparently to a FortiGate unit using credentials stored in Windows Active Directory. Which of the following statements are correct regarding FSSO in a Windows domain environment when NTLM and Polling Mode are not used? (Select all that apply.)

 

A.

An FSSO Collector Agent must be installed on every domain controller.

B.

An FSSO Domain Controller Agent must be installed on every domain controller.

C.

The FSSO Domain Controller Agent will regularly update user logon information on the FortiGate unit.

D.

The FSSO Collector Agent will retrieve user information from the Domain Controller Agent and will send the user logon information to the FortiGate unit.

E.

For non-domain computers, the only way to allow FSSO authentication is to install an FSSO client.

 

Correct Answer: BD

 

 

QUESTION 140

Examine the static route configuration shown below; then answer the question following it.

 

config router static
    edit 1
        set dst 172.20.1.0 255.255.255.0
        set device port1
        set gateway 172.11.12.1
        set distance 10
        set weight 5
    next
    edit 2
        set dst 172.20.1.0 255.255.255.0
        set blackhole enable
        set distance 5
        set weight 10
    next
end

 

Which of the following statements correctly describes the static routing configuration provided? (Select all that apply.)

 

A.

All traffic to 172.20.1.0/24 will always be dropped by the FortiGate unit.

B.

As long as port1 is up, all the traffic to 172.20.1.0/24 will be routed by the static route number 1. If the interface port1 is down, the traffic will be routed using the blackhole route.

C.

The FortiGate unit will NOT create a session entry in the session table when the traffic is being routed by the blackhole route.

D.

The FortiGate unit will create a session entry in the session table when the traffic is being routed by the blackhole route.

E.

Traffic to 172.20.1.0/24 will be shared through both routes.

 

Correct Answer: AC
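The following is an added example, not code from the exam page or from Fortinet. It models the route selection that decides Question 140 (and the ECMP point behind Question 133): longest prefix first, then lowest administrative distance, with every route left at the best distance installed as an ECMP set. The parser for the config router static block, the up flag that stands in for link state, the default static distance of 10, the rule that weight never overrides distance, and the drop/no-session behaviour of a blackhole route are all assumptions of this model, not FortiOS internals.

```python
# Added example (not from the exam page or Fortinet): a small model of
# static-route selection that reproduces the behaviour Question 140 (and
# the ECMP point in Question 133) turns on.  Assumptions: longest prefix
# first, then lowest administrative distance; routes with equal distance
# are all installed (ECMP); 'weight' is only a tie-breaker among ECMP
# peers and never overrides distance; a blackhole route drops traffic and
# creates no session.  Default static distance 10 mirrors FortiOS.
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    seq: int
    dst: IPv4Network
    distance: int = 10
    weight: int = 0
    device: Optional[str] = None
    gateway: Optional[str] = None
    blackhole: bool = False
    up: bool = True  # hypothetical link-state flag for the egress device


def parse_static_routes(text: str) -> list:
    """Parse a 'config router static' block into StaticRoute objects."""
    routes, cur = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "edit":
            cur = {"seq": int(parts[1]), "dst": ip_network("0.0.0.0/0")}
        elif parts[0] == "set" and cur is not None:
            key = parts[1]
            if key == "dst":  # 'set dst <network> <netmask>'
                cur["dst"] = ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            elif key in ("distance", "weight"):
                cur[key] = int(parts[2])
            elif key == "blackhole":
                cur["blackhole"] = parts[2] == "enable"
            elif key in ("device", "gateway"):
                cur[key] = parts[2]
        elif parts[0] == "next" and cur is not None:
            routes.append(StaticRoute(**cur))
            cur = None
    return routes


def active_routes(rib, dst_ip):
    """Routes actually usable for dst_ip: longest prefix, then lowest
    distance; whatever is left is the ECMP set."""
    ip = ip_address(dst_ip)
    cands = [r for r in rib if r.up and ip in r.dst]
    if not cands:
        return []
    longest = max(r.dst.prefixlen for r in cands)
    cands = [r for r in cands if r.dst.prefixlen == longest]
    best = min(r.distance for r in cands)
    return [r for r in cands if r.distance == best]


def forward(rib, dst_ip):
    """Forwarding decision for one packet, including whether a session
    entry would be created (none for blackholed traffic)."""
    routes = active_routes(rib, dst_ip)
    if not routes:
        return {"action": "no-route", "session": False, "via": [], "ecmp": False}
    if all(r.blackhole for r in routes):
        return {"action": "drop", "session": False, "via": [], "ecmp": False}
    via = [(r.device, r.gateway) for r in routes if not r.blackhole]
    return {"action": "forward", "session": True, "via": via, "ecmp": len(via) > 1}


def with_distance(rib, seq, distance):
    """Copy of rib with route <seq> given a new administrative distance."""
    return [replace(r, distance=distance) if r.seq == seq else r for r in rib]


def with_link(rib, device, up):
    """Copy of rib with every route on <device> marked up or down."""
    return [replace(r, up=up) if r.device == device else r for r in rib]


# The configuration from Question 140, copied verbatim.
Q140_CONFIG = """
config router static
    edit 1
        set dst 172.20.1.0 255.255.255.0
        set device port1
        set gateway 172.11.12.1
        set distance 10
        set weight 5
    next
    edit 2
        set dst 172.20.1.0 255.255.255.0
        set blackhole enable
        set distance 5
        set weight 10
    next
end
"""

if __name__ == "__main__":
    rib = parse_static_routes(Q140_CONFIG)
    # As configured: the blackhole (distance 5) beats port1 (distance 10),
    # so everything to 172.20.1.0/24 is dropped whether port1 is up or not.
    print("as configured:", forward(rib, "172.20.1.10"))
    # The usual intent is a blackhole that only takes over when the real
    # route disappears: give it a *higher* distance than the primary.
    backup = with_distance(rib, 2, 254)
    print("blackhole as backup, port1 up:  ", forward(backup, "172.20.1.10"))
    print("blackhole as backup, port1 down:",
          forward(with_link(backup, "port1", False), "172.20.1.10"))
```

The point the model makes explicit is that weight 5 versus weight 10 is irrelevant here; only the distance comparison matters, so answer B in Question 140 is wrong as written. Swapping the blackhole's distance to 254 (a constructed change, not part of the exam configuration) turns it into the dead-tunnel backup that answer B describes. Feeding two routes to the same prefix with equal distance through the same functions yields an ECMP set, which is the situation Question 133 asks about.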

 
