The following diagnostic output is displayed in the CLI:
diag firewall auth list
policy id: 9, src: 192.168.3.168, action: accept, timeout: 13427
user: forticlient_chk_only, group:
flag (80020): auth timeout_ext, flag2 (40): exact group id: 0, av group: 0
----- 1 listed, 0 filtered -----
Based on this output, which of the following statements is correct?
A. This user has been associated with a guest profile as evidenced by the group id of 0.
B. Firewall policy 9 has endpoint compliance enabled but not firewall authentication.
C. The client check that is part of an SSL VPN connection attempt failed.
D. An auth-keepalive value has been enabled.
Correct answer: B
Question 2:
Which of the following statements is correct regarding the FortiGuard Services Web Filtering Override configuration as illustrated in the exhibit?

A. A client with an IP address of 10.10.10.12 is allowed access to any subdirectory that is part of the www.yahoo.com web site.
B. A client with an IP address of 10.10.10.12 is allowed access to the www.yahoo.com/images/ web site and any of its offsite URLs.
C. Any client on the same subnet as the authenticated user is allowed to access www.yahoo.com/images/ until August 7, 2009.
D. Any client on the same subnet as the authenticated user is allowed to access www.yahoo.com/images/.
E. A client with an IP address of 10.10.10.12 is allowed access to any URL under the www.yahoo.com web site, including any subdirectory URLs, until August 7, 2009.
Correct answer: B
Question 3:
An administrator sets up a new FTP server on TCP port 2121. A FortiGate unit is located between the FTP clients and the server. The administrator has created a policy for TCP port 2121.
Users have been complaining that when downloading data they receive a 200 Port command successful message followed by a 425 Cannot build data connection message.
Which of the following statements represents the best solution to this problem?
A. Place the client and server interface in the same zone and enable intra-zone traffic.
B. Disable any protection profiles being applied to FTP traffic.
C. Create a new session helper for the FTP service monitoring port 2121.
D. Enable the ANY service in the firewall policies for both incoming and outgoing traffic.
Correct answer: C
Question 4:
Review the output of the command get router info routing-table all shown in the Exhibit below; then answer the question following it.

Which one of the following statements correctly describes this output?
A. OSPF does not support ECMP therefore only the first route to subnet 10.0.1.0/24 is used.
B. The two routes to the 10.0.2.0/24 subnet are ECMP routes and traffic will be load balanced based on the configured ECMP settings.
C. 172.16.2.1 is the preferred gateway for subnet 10.0.2.0/24.
D. The route to the 10.0.2.0/24 subnet via interface Remote_1 is the active and the route via Remote_2 is the backup.
Correct answer: B
Question 5:
Which spam filter is not available on a FortiGate device?
A. Spam grey listing
B. Email addresses included in the body of known SPAM messages.
C. Sender IP reputation database
D. Spam object checksums
E. URLs included in the body of known SPAM messages.
Correct answer: A
Question 6:
If Open Shortest Path First (OSPF) has already been configured on a FortiGate unit, which of the following statements is correct if the routes learned through OSPF need to be announced by Border Gateway Protocol (BGP)?
A. The BGP local AS number must be the same as the OSPF area number of the routes learned that need to be redistributed into BGP.
B. By design, BGP cannot redistribute routes learned through OSPF.
C. The FortiGate unit will automatically announce all routes learned through OSPF to its BGP peers if the FortiGate unit is configured as an OSPF Area Border Router (ABR).
D. At a minimum, the network administrator needs to enable Redistribute OSPF in the BGP settings.
E. The FortiGate unit will automatically announce all routes learned through OSPF to its BGP peers if the FortiGate unit is configured as an OSPF Autonomous System Boundary Router (ASBR).
Correct answer: D
Question 7:
Which of the following is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying the FortiGate unit?
A. MIB-based report uploads
B. Packet encryption
C. SNMP access limits through access lists
D. Running SNMP service on a non-standard port is possible
Correct answer: B
Question 8:
The Host Check feature can be enabled on the FortiGate unit for SSL VPN connections. When this feature is enabled, the FortiGate unit probes the remote host computer to verify that it is "safe" before access is granted.
Which of the following items is NOT an option as part of the Host Check feature?
A. FortiClient Firewall software
B. Third-party Antivirus software
C. Microsoft Windows Firewall software
D. FortiClient Antivirus software
Correct answer: C
Question 9:
A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of 10.0.1.1, but gets no connectivity.
The following troubleshooting commands are executed from the DOS prompt on the PC and from the CLI.
C:\>ping 10.0.1.1
Pinging 10.0.1.1 with 32 bytes of data:
Reply from 10.0.1.1: bytes=32 time=1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
user1 # get system interface
== [ internal ]
name: internal mode: static ip: 10.0.1.254 255.255.255.128 status: up
netbios-forward: disable type: physical mtu-override: disable
== [ vlan1 ]
name: vlan1 mode: static ip: 10.0.1.1 255.255.255.128 status: up
netbios-forward: disable type: vlan mtu-override: disable
user1 # diagnose debug flow trace start 100
user1 # diagnose debug ena
user1 # diagnose debug flow filter daddr 10.0.1.1 10.0.1.1
id=20085 trace_id=274 msg="vd-root received a packet(proto=6, 10.0.1.130:47927->10.0.1.1:443) from internal."
id=20085 trace_id=274 msg="allocate a new session-00000b1b"
id=20085 trace_id=274 msg="find SNAT: IP-10.0.1.1, port-43798"
id=20085 trace_id=274 msg="iprope_in_check() check failed, drop"
Based on the output from these commands, which of the following explanations is a possible cause of the problem?
A. The PC has an IP address in the wrong subnet.
B. The PC is using an incorrect default gateway IP address.
C. The FortiGate unit has no route back to the PC.
D. There is no firewall policy allowing traffic from INTERNAL -> VLAN1.
E. The FortiGate unit does not have the HTTPS service configured on the VLAN1 interface.
Correct answer: E
903 customer comments

山冈** -
It felt just like the FCNSP exam questions, and I was able to pass with this one book alone. Thank you, Pass4Test.