NSE5: Fortinet Network Security Analyst Practice Questions
Identify the correct properties of a partial mesh VPN deployment:
A. VPN tunnels interconnect between every single location.
B. VPN tunnels are not configured between every single location.
C. Some locations are reached via a hub location.
D. There are no hub locations in a partial mesh.
Review the CLI configuration below for an IPS sensor and identify the correct statements regarding this configuration from the choices below. (Select all that apply.) config ips sensor edit “LINUX_SERVER” set comment ” set replacemsg-group ” set log enable config entries edit 1 set action default set application all set location server set log enable set log-packet enable set os Linux set protocol all set quarantine none set severity all set status default next end next end
A. The sensor will log all server attacks for all operating systems.
B. The sensor will include a PCAP file with a trace of the matching packets in the log message of any matched signature.
C. The sensor will match all traffic from the address object ‘LINUX_SERVER’.
D. The sensor will reset all connections that match these signatures.
E. The sensor only filters which IPS signatures to apply to the selected firewall policy.
Identify the statement which correctly describes the output of the following command: diagnose ips anomaly list
A. Lists the configured DoS policy.
B. List the real-time counters for the configured DoS policy.
C. Lists the errors captured when compiling the DoS policy.
Examine the following log message for IPS and identify the valid responses below. (Select all that apply.) 2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity=”critical” src=”192.168.3.168″ dst=”192.168.3.170″ src_int=”port2″ serial=0 status=”detected” proto=1 service=”icmp” count=1 attack_name=”icmp_flood” icmp_id=”0xa8a4″ icmp_type=”0x08″ icmp_code=”0x00″ attack_id=16777316 sensor=”1″ ref=”http://www.fortinet.com/ids/VID16777316″ msg=”anomaly: icmp_flood, 51 > threshold 50″
A. The target is 192.168.3.168.
B. The target is 192.168.3.170.
C. The attack was detected and blocked.
D. The attack was detected only.
E. The attack was TCP based.
Which of the following statements are correct about the HA diag command diagnose sys ha reset-uptime? (Select all that apply.)
A. The device this command is executed on is likely to switch from master to slave status if master override is disabled.
B. The device this command is executed on is likely to switch from master to slave status if master override is enabled.
C. This command has no impact on the HA algorithm.
D. This command resets the uptime variable used in the HA algorithm so it may cause a new master to become elected.
What are the requirements for a cluster to maintain TCP connections after device or link failover? (Select all that apply.)
A. Enable session pick-up.
B. Only applies to connections handled by a proxy.
C. Only applies to UDP and ICMP connections.
D. Connections must not be handled by a proxy.
With FSSO, a domain user could authenticate either against the domain controller running the Collector Agent and Domain Controller Agent, or a domain controller running only the Domain Controller Agent. If you attempt to authenticate with the Secondary Domain Controller running only the Domain Controller Agent, which of the following statements are correct? (Select all that apply.)
A. The login event is sent to the Collector Agent.
B. The FortiGate unit receives the user information from the Domain Controller Agent of the Secondary Controller.
C. The Collector Agent performs the DNS lookup for the authenticated client’s IP address.
D. The user cannot be authenticated with the FortiGate device in this manner because each Domain Controller Agent requires a dedicated Collector Agent.
How can DLP file filters be configured to detect Office 2010 files? (Select all that apply.)
A. File TypE. Microsoft Office(msoffice)
B. File TypE. Archive(zip)
C. File TypE. Unknown Filetype(unknown)
D. File NamE. “*.ppt”, “*.doc”, “*.xls”
E. File NamE. “*.pptx”, “*.docx”, “*.xlsx”
For Data Leak Prevention, which of the following describes the difference between the block and quarantine actions?
A. A block action prevents the transaction. A quarantine action blocks all future transactions, regardless of the protocol.
B. A block action prevents the transaction. A quarantine action archives the data.
C. A block action has a finite duration. A quarantine action must be removed by an administrator.
D. A block action is used for known users. A quarantine action is used for unknown users.
Which of the following statements are correct regarding Application Control?
A. Application Control is based on the IPS engine.
B. Application Control is based on the AV engine.
C. Application Control can be applied to SSL encrypted traffic.
D. Application Control cannot be applied to SSL encrypted traffic.
Data Leak Prevention archiving gives the ability to store files and message data onto a FortiAnalyzer unit for which of the following types of network traffic? (Select all that apply.)
What advantages are there in using a hub-and-spoke IPSec VPN configuration instead of a fully-meshed set of IPSec tunnels? (Select all that apply.)
A. Using a hub and spoke topology is required to achieve full redundancy.
B. Using a hub and spoke topology simplifies configuration because fewer tunnels are required.
C. Using a hub and spoke topology provides stronger encryption.
D. The routing at a spoke is simpler, compared to a meshed node.
Which of the following statements are correct regarding virtual domains (VDOMs)? (Select all that apply.)
A. VDOMs divide a single FortiGate unit into two or more virtual units that function as multiple, independent units.
B. A management VDOM handles SNMP, logging, alert email, and FDN-based updates.
C. VDOMs share firmware versions, as well as antivirus and IPS databases.
D. Only administrative users with a ‘super_admin’ profile will be able to enter multiple VDOMs to make configuration changes.
In a High Availability cluster operating in Active-Active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a subordinate unit?
A. Request: Internal Host; Master FortiGate; Slave FortiGate; Internet; Web Server
B. Request: Internal Host; Master FortiGate; Slave FortiGate; Master FortiGate; Internet; Web Server
C. Request: Internal Host; Slave FortiGate; Internet; Web Server
D. Request: Internal Host; Slave FortiGate; Master FortiGate; Internet; Web Server
Which of the following represents the correct order of criteria used for the selection of a Master unit within a FortiGate High Availability (HA) cluster when master override is disabled?
A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number
B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number
C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number
D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number