An administrator has configured a route-based IPsec VPN between two FortiGates. Which statement about this IPsec VPN configuration is true?
Response:
A. A phase 2 configuration is not required.
B. This VPN cannot be used as part of a hub and spoke topology.
C. The IPsec firewall policies must be placed at the top of the list.
D. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
A FortiGate interface is configured with the following commands:
What statements about the configuration are correct?
(Choose two.)
Response:
A. IPv6 clients connected to port1 can use SLAAC to generate their IPv6 addresses.
B. FortiGate can provide DNS settings to IPv6 clients.
C. FortiGate can send IPv6 router advertisements (RAs).
D. FortiGate can provide IPv6 addresses to DHCPv6 clients.
How do you configure inline SSL inspection on a firewall policy?
(Choose two.)
Response:
A. Enable one or more flow-based security profiles on the firewall policy.
B. Enable the SSL/SSH Inspection profile on the firewall policy.
C. Execute the inline ssl inspection CLI command.
D. Enable one or more proxy-based security profiles on the firewall policy.
Under which circumstance is the IPsec ESP traffic encapsulated over UDP?
Response:
A. When using IKE version 2 (IKEv2)
B. When the phase 1 is configured to use aggressive mode
C. When the IPsec VPN is configured as dial-up
D. When NAT-T detects there is a device between both IPsec peers doing NAT over the IPsec traffic
Which statements about an IPv6-over-IPv4 IPsec configuration are correct?
(Choose two.)
Response:
A. The remote gateway IP must be an IPv6 address.
B. The source quick mode selector must be an IPv4 address.
C. The local gateway IP must be an IPv4 address.
D. The destination quick mode selector must be an IPv6 address.
You have enabled a web filter security profile in a firewall policy to log all blocked websites. What options do you have to either actively or passively monitor these logs?
(Choose two.)
Response:
A. Alert Message console
B. FortiView menu
C. Alert email
D. Monitor menu
Which statements about the firmware upgrade process on an active-active high availability (HA) cluster are true?
(Choose two.)
Response:
A. The firmware image must be manually uploaded to each FortiGate.
B. Only secondary FortiGate devices are rebooted.
C. Uninterruptible upgrade is enabled by default.
D. Traffic load balancing is temporarily disabled while upgrading the firmware.
Examine the log message attributes. Which statements are correct?
(Choose two.)
hostname=www.youtube.com profiletype="Webfilter_Profile"
profile="default"
status="passthrough"
msg="URL belongs to a category with warnings enabled"
Response:
A. The website was allowed on the first attempt
B. The user failed authentication
C. The category action was set to warning.
D. The user was prompted whether to proceed or go back.
What FortiGate feature can be used to prevent a cross-site scripting (XSS) attack?
Response:
A. Web application firewall (WAF)
B. DoS policies
C. Rate-based IPS signatures
D. One-arm sniffer
Which of the following protocols can you use for secure administrative access to a FortiGate?
(Choose two.)
Response:
A. HTTPS
B. Telnet
C. SSH
D. FortiTelemetry