Examine the IPsec configuration shown in the exhibit; then answer the question below.
An administrator wants to monitor the VPN by enabling the IKE real-time debug using these commands:
diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1
diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel, and DPD packets are being exchanged between both IPsec gateways. However, the IKE real-time debug does NOT show any output. Why isn't there any output?
A. The IKE real-time debug shows the phase 1 and phase 2 negotiations only. It does not show any more output once the tunnel is up.
B. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.
C. The IKE real-time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real-time debug instead: diagnose debug application ipsec -1.
D. The IKE real-time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.
Two independent FortiGate HA clusters are connected to the same broadcast domain. The administrator has reported that both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem in the network. What HA setting must be changed in one of the HA clusters to fix the problem?
A. Group ID.
B. Group name.
C. Session pickup.
D. Gratuitous ARPs.
Which statement about IKE and IKE NAT-T is true?
A. IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.
B. IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.
C. They both use UDP as their transport protocol and the port number is configurable.
D. They each use their own IP protocol number.
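The IKE/NAT-T question above turns on the transport facts: IKE runs over UDP (port 500 and, after NAT detection, port 4500), while raw ESP uses its own IP protocol number (50) and is therefore what has to be wrapped in UDP 4500 when a NAT sits in the path. The following is an added example, not code from the page, that demultiplexes the two kinds of UDP 4500 payload using the RFC 3948 non-ESP marker and decodes the fixed IKE header shared by IKEv1 and IKEv2. The sample packets are constructed inline; the SPI and cipher-suite values are arbitrary.

```python
import struct

IKE_PORT = 500     # IKE/ISAKMP over UDP
NATT_PORT = 4500   # IKE plus UDP-encapsulated ESP once NAT is detected (RFC 3948)
ESP_PROTO = 50     # raw ESP is its own IP protocol, not a UDP port

# Exchange types: RFC 2408/2409 (IKEv1) and RFC 7296 (IKEv2)
EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}

# Fixed 28-byte IKE header: iSPI(8) rSPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)
IKE_HDR = "!QQBBBBII"


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed IKE header (same layout in IKEv1 and IKEv2)."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack(IKE_HDR, data[:28])
    return {
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0x0F}",   # major.minor nibbles
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify_udp_payload(dst_port: int, payload: bytes) -> dict:
    """Classify a UDP datagram the way an IPsec gateway's socket layer does."""
    if dst_port == IKE_PORT:
        return {"kind": "IKE", "header": parse_ike_header(payload)}
    if dst_port == NATT_PORT:
        # RFC 3948: on 4500, four zero bytes (the non-ESP marker) precede IKE.
        # Anything else is ESP-in-UDP, whose leading SPI is never zero.
        if payload[:4] == b"\x00\x00\x00\x00":
            return {"kind": "IKE (NAT-T)", "header": parse_ike_header(payload[4:])}
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "ESP-in-UDP", "spi": f"{spi:08x}", "seq": seq}
    raise ValueError(f"not an IKE/NAT-T port: {dst_port}")


def build_ike_header(ispi, rspi, nxt, ver, exch, flags, msg_id, length) -> bytes:
    """Helper to construct sample headers for the demo (not captured traffic)."""
    return struct.pack(IKE_HDR, ispi, rspi, nxt, ver, exch, flags, msg_id, length)


# Constructed samples: an IKE_SA_INIT on 500, an IKE_AUTH behind NAT on 4500, and ESP-in-UDP.
SAMPLE_IKE_SA_INIT = build_ike_header(0x0123456789ABCDEF, 0, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_NATT_IKE = b"\x00\x00\x00\x00" + build_ike_header(
    0x0123456789ABCDEF, 0xFEDCBA9876543210, 46, 0x20, 35, 0x08, 1, 28)
SAMPLE_NATT_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)

if __name__ == "__main__":
    for port, pkt in ((500, SAMPLE_IKE_SA_INIT), (4500, SAMPLE_NATT_IKE), (4500, SAMPLE_NATT_ESP)):
        print(port, classify_udp_payload(port, pkt))
```

When reading a packet capture of a tunnel that negotiated NAT-T, this is why both the IKE_AUTH exchange and the data-plane ESP show up on UDP 4500 and why none of it appears as protocol 50.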
Refer to the exhibit, which contains partial output from an IKE real-time debug.
The administrator does not have access to the remote gateway.
Based on the debug output, which configuration change can the administrator make to the local gateway to resolve the phase 1 negotiation error?
A. In the phase 1 network configuration, set the IKE version to 2.
B. In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.
C. In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.
D. In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.
Refer to the exhibit, which shows a partial routing table.
Assuming all the appropriate firewall policies are configured, which two pings will FortiGate route? (Choose two.)
A. Source IP address: 10.1.0.10, Destination IP address: 10.64.1.52
B. Source IP address: 10.72.3.52, Destination IP address: 10.1.0.254
C. Source IP address: 10.10.4.24, Destination IP address: 10.72.3.20
D. Source IP address: 10.73.9.10, Destination IP address: 10.72.3.15
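Whether FortiGate routes a ping depends on two lookups against the routing table: a reverse-path check that a route back to the source exists (strict mode additionally requires it to point at the ingress interface) and a longest-prefix-match lookup for the destination. The exhibit's routing table is not reproduced on this page, so the following added example (not from the page) uses a constructed table; the results below illustrate the lookup rule only and are not the answer to the question.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table, NOT the exhibit's: (prefix, egress interface).
# 10.72.0.0/16 and 10.72.3.0/24 overlap on purpose to show longest-prefix match.
ROUTES = [
    ("10.1.0.0/24", "port3"),
    ("10.64.0.0/16", "port2"),
    ("10.72.0.0/16", "port1"),
    ("10.72.3.0/24", "port2"),
]


def lookup(table, addr):
    """Longest-prefix match. Returns (network, interface) or None when no route exists."""
    ip = ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def will_route(table, src, dst, ingress=None, strict_rpf=False):
    """Model the two checks a stateful firewall applies before forwarding.

    Returns (routed, reason). Loose RPF only requires some route to the source;
    strict RPF requires that route to leave via the interface the packet arrived on.
    """
    rev = lookup(table, src)
    if rev is None:
        return False, f"no route back to source {src}: reverse path check fails"
    if strict_rpf and ingress is not None and rev[1] != ingress:
        return False, f"route to {src} is via {rev[1]} but packet arrived on {ingress}: strict RPF fails"
    fwd = lookup(table, dst)
    if fwd is None:
        return False, f"no route to destination {dst}"
    return True, f"{src} -> {dst} forwarded out {fwd[1]} via {fwd[0]}"


# The four source/destination pairs from the question, evaluated against the constructed table.
PINGS = [
    ("10.1.0.10", "10.64.1.52"),
    ("10.72.3.52", "10.1.0.254"),
    ("10.10.4.24", "10.72.3.20"),
    ("10.73.9.10", "10.72.3.15"),
]

if __name__ == "__main__":
    for src, dst in PINGS:
        routed, why = will_route(ROUTES, src, dst)
        print("ROUTE " if routed else "DROP  ", why)
```

The same function with strict_rpf=True and an ingress interface reproduces the asymmetric-routing drops that show up in FortiGate's debug flow as reverse path check failures, which is what to look for when a ping with a perfectly good destination route still goes nowhere.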
A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)
A. Firewall monitor.
B. Policy monitor.
C. Logs.
D. Crashlogs.
Refer to the exhibit, which shows partial outputs from two routing debug commands.
Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?
A. Set the priority of the static default route using port1 to 10.
B. Set the priority of the static default route using port2 to 1.
C. Set preserve-session-route to enable.
D. Set snat-route-change to enable.
View the exhibit, which contains the output of a BGP debug command, and then answer the question below.
Which of the following statements about the exhibit are true? (Choose two.)
A. For the peer 10.125.0.60, the BGP state is Established.
B. The local BGP peer has received a total of three BGP prefixes.
C. Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.
D. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.
When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?
A. FortiGate uses CN information from the Subject field in the server's certificate.
B. FortiGate switches to the full SSL inspection method to decrypt the data.
C. FortiGate blocks the request without any further inspection.
D. FortiGate uses the requested URL from the user's web browser.
Refer to the exhibit, which contains partial output from an IKE real-time debug.
Why did the tunnel not come up?
A. The local gateway has configured less secure encryption and hashing algorithms compared to the remote gateway.
B. The Diffie-Hellman group does not match on the local and remote gateways.
C. The proposal ID does not match between local and remote gateways.
D. The encapsulation method for phase 2 is set to none on local and remote gateways.