HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could resolve this problem? (Choose two.)
A. Enable Allow Invalid SSL Certificates for the relevant security profile.
B. Change web browsers to one that does not support HPKP.
C. Exempt those web sites that use HPKP from full SSL inspection.
D. Install the CA certificate (that is required to verify the web server certificate) in the stores of users’ computers.
Which action can be applied to each filter in the application control profile?
A. Block, monitor, warning, and quarantine
B. Allow, monitor, block and learn
C. Allow, block, authenticate, and warning
D. Allow, monitor, block, and quarantine
How does FortiGate verify the login credentials of a remote LDAP user?
A. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.
B. FortiGate sends the user-entered credentials to the LDAP server for authentication.
C. FortiGate queries the LDAP server for credentials.
D. FortiGate queries its own database for credentials.
An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is configured with a web filter and an SSL inspection profile configured for deep inspection. Which of the following are possible actions to eliminate the certificate error generated by deep inspection? (Choose two.)
A. Implement firewall authentication for all users that need access to fortinet.com.
B. Manually install the FortiGate deep inspection certificate as a trusted CA.
C. Configure fortinet.com access to bypass the IPS engine.
D. Configure an SSL-inspection exemption for fortinet.com.
What settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy called Full Access? (Choose two.)
A. Enable Event Logging.
B. Enable a web filter security profile on the Full Access firewall policy.
C. Enable Log Allowed Traffic on the Full Access firewall policy.
D. Enable disk logging.
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
A. A CRL
B. A person
C. A subordinate CA
D. A root CA
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?
A. A phase 2 configuration is not required.
B. This VPN cannot be used as part of a hub-and-spoke topology.
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
D. The IPsec firewall policies must be placed at the top of the list.
An administrator is configuring an antivirus profile on FortiGate and notices that Proxy Options is not listed under Security Profiles on the GUI. What can cause this issue?
A. FortiGate needs to be switched to NGFW mode.
B. Proxy options section is hidden by default and needs to be enabled from the Feature Visibility menu.
C. Proxy options are no longer available starting in FortiOS 5.6.
D. FortiGate is in flow-based inspection mode.
Which statements about HA for FortiGate devices are true? (Choose two.)
A. Sessions handled by proxy-based security profiles cannot be synchronized.
B. Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs.
C. HA management interface settings are synchronized between cluster members.
D. Heartbeat interfaces are not required on the primary device.
How can you block or allow access to Twitter using a firewall policy?
A. Configure the Destination field as Internet Service objects for Twitter.
B. Configure the Action field as Learn and select Twitter.
C. Configure the Service field as Internet Service objects for Twitter.
D. Configure the Source field as Internet Service objects for Twitter.
When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?
A. Connected monitored ports > HA uptime > priority > serial number
B. Priority > Connected monitored ports > HA uptime > serial number
C. Connected monitored ports > priority > HA uptime > serial number
D. HA uptime > priority > Connected monitored ports > serial number
Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)
A. Include the group of guest users in a policy.
B. Extend timeout timers.
C. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.
D. Ensure all firewalls allow the FSSO required ports.
Which of the following statements about policy-based IPsec tunnels are true? (Choose two.)
A. They can be configured in both NAT/Route and transparent operation modes.
B. They support L2TP-over-IPsec.
C. They require two firewall policies: one for each direction of traffic flow.
D. They support GRE-over-IPsec.
Why must you use aggressive mode when a local FortiGate IPsec gateway hosts multiple dialup tunnels?
A. In aggressive mode, the remote peers are able to provide their peer IDs in the first message.
B. FortiGate is able to handle NATed connections only in aggressive mode.
C. FortiClient only supports aggressive mode.
D. Main mode does not support XAuth for user authentication.