What are two features of collector agent advanced mode? (Choose two.)
Correct Answer: A,D
Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.
Question 22
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
Correct Answer: A,C
To configure redundant IPsec VPN tunnels on FortiGate with failover capability, the following two key configuration changes are required: * A. Enable Dead Peer Detection (DPD): Dead Peer Detection is crucial for detecting if the remote peer is unreachable. By enabling DPD, FortiGate can quickly detect a dead tunnel, ensuring a faster failover to the secondary tunnel when the primary tunnel goes down. * C. Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel: The static route with the lower distance (higher priority) will be used when both tunnels are operational. If the primary tunnel fails, the higher distance (lower priority) route for the secondary tunnel will take over, ensuring traffic is routed correctly. The other options are not suitable: * B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels: This option is not directly related to the requirements of failover between two IPsec VPN tunnels. * D. Configure a higher distance on the static route for the primary tunnel and a lower distance on the static route for the secondary tunnel: This would prioritize the secondary tunnel over the primary tunnel, which is opposite to the desired configuration. References * FortiOS 7.4.1 Administration Guide - Configuring IPsec VPN, page 1320. * FortiOS 7.4.1 Administration Guide - Redundant VPN Configuration, page 1335.
Question 23
Refer to the exhibits. Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command. Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
Correct Answer: A,D
A: Non load balance: traffic enters port1 and go out port2 from FGT1. FGT2 is in primary mode D: In proxy inspection mode, SYN packet goes to FGT1 port1. It is then forwarded to FGT2. the source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source. D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary. Incorrect: B. The traffic sourced from the client and destined to the server is sent to FGT-1. (not primary) C. The cluster can load balance ICMP connections to the secondary. (not enabled) To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses. The primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated packet includes the original packet plus session information that the secondary requires to process the traffic.
Question 24
Refer to the exhibits. The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details. Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
Correct Answer: D
Based on the application sensor configuration and the filter details: D . Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration: The "Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature. As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the "Excessive-Bandwidth" filter takes precedence due to its block action setting. The other options are not correct: A . Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it. B . Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this. C . Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail. Reference FortiOS 7.4.1 Administration Guide - Application Control and Filtering, page 978. FortiOS 7.4.1 Administration Guide - Application Sensor Configuration, page 982.
Question 25
An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface. In this scenario, what prevents the administrator from enabling DHCP service?
Correct Answer: A
FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set as a "WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration. Reference: FortiOS 7.4.1 Administration Guide: DHCP Server Configuration
