Questions for the NSE4-FGT-7-2 were updated on: Nov 23, 2025
What is the primary FortiGate election process when the HA override setting is disabled?
C
What are two features of the NGFW policy-based mode? (Choose two.)
CD
Explanation:
C. NGFW policy-based mode policies support only flow inspection. This is correct. This is a feature of the NGFW policy-based mode, according to the Fortinet documentation "Profile-based NGFW vs policy-based NGFW" [1]. The documentation states that "In policy-based NGFW mode, you can only select flow inspection. Proxy inspection is not supported."
D. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy. This is correct. This is a feature of the NGFW policy-based mode, according to the Fortinet documentation "Profile-based NGFW vs policy-based NGFW" [1]. The documentation states that "In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles."
How can you disable RPF checking?
B
Which three pieces of information does FortiGate use to identify the hostname of the SSL server
when SSL certificate inspection is enabled? (Choose three.)
ABE
Explanation:
A) The server name indication (SNI) extension in the client hello message. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The SNI extension is a feature of the TLS protocol that allows a client to indicate the hostname of the server it wants to connect to during the TLS handshake. This helps the server present the appropriate certificate for the requested hostname, especially when the server hosts multiple domains on the same IP address [1]. FortiGate can use the SNI extension in the client hello message to identify the hostname of the SSL server and verify it against the server certificate [2].
B) The subject alternative name (SAN) field in the server certificate. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The SAN field is an extension of the X.509 certificate standard that allows a certificate to specify multiple hostnames or IP addresses that are valid for the certificate. This lets the certificate support multiple domains or subdomains on the same server, or multiple servers with different IP addresses [3]. FortiGate can use the SAN field in the server certificate to identify the hostname of the SSL server and verify it against the client request [2].
E) The subject field in the server certificate. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The subject field is a part of the X.509 certificate standard that contains information about the identity of the entity that owns the certificate, such as common name, organization, country, and so on. The common name usually specifies the hostname or domain name of the server that owns the certificate [4]. FortiGate can use the subject field in the server certificate to identify the hostname of the SSL server and verify it against the client request [2].
Refer to the exhibits.
Exhibit A
Exhibit B
The exhibit contains a network interface configuration, firewall policies, and a CLI console
configuration.
How will FortiGate handle user authentication for traffic that arrives on the LAN interface?
D
Refer to the exhibit to view the firewall policy.
Why would the firewall policy not block a well-known virus, for example eicar?
B
What is a reason for triggering IPS fail open?
A
Refer to the exhibit.
In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The
administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?
D
Explanation:
This solution will help the administrator troubleshoot the problem by tracing the packet flow through the FortiGate device and displaying the details of each step. A debug flow can show the source and destination interfaces, the firewall policy, the routing table, the NAT translation, the security profiles, and the session information of the packet [1]. A debug flow can also show any errors or anomalies that occur during the packet processing. To execute a debug flow, the administrator can use the diagnose debug flow command in the CLI.
What are two scanning techniques supported by FortiGate? (Choose two.)
AB
Explanation:
FortiGate Security 7.2 Study Guide (p.341):
"Like viruses, which use many methods to avoid detection, FortiGate uses many techniques to detect
viruses. These detection techniques include:
• Antivirus scan
• Grayware scan
• Machine learning (AI) scan
If all antivirus features are enabled, FortiGate applies the following scanning order: antivirus scan,
followed by grayware scan, followed by AI scan."
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy
and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully.
However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the
internet.
Based on the information shown in the exhibit, which three configuration changes should the
administrator make to fix the connectivity issue for PC3? (Choose three.)
ADE
Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
AC
Explanation:
The debug flow output shows the result of a diagnose command that captures the traffic flow between the source and destination IP addresses [1]. The debug flow output reveals the following information about the traffic flow [1]:
• The protocol is 1, which means that the traffic uses the ICMP protocol [2]. ICMP is a protocol that is used to send error messages and test connectivity between devices [2].
• The session state is 0, which means that a new traffic session was created [3]. A session is a data structure that stores information about a connection between two devices [3].
• The policy ID is 1, which means that the traffic matched the firewall policy with ID 1 [4]. A firewall policy is a rule that defines how FortiGate processes traffic based on the source, destination, service, and action parameters [4].
• The action is 0, which means that the traffic was allowed by the firewall policy. An action is a parameter that specifies what FortiGate does with the traffic that matches a firewall policy.
Therefore, two conclusions that can be made from the debug flow output are:
• The debug flow is for ICMP traffic.
• A new traffic session was created.
An administrator configures outgoing interface any in a firewall policy.
What is the result of the policy list view?
D
Explanation:
"If you use multiple source or destination interfaces, or the any interface in a firewall policy, you
cannot separate policies into sections by interface pairs—some would be triplets or more. So
instead, policies are then always displayed in a single list (By Sequence)."
What are two functions of the ZTNA rule? (Choose two.)
BD
Explanation:
A ZTNA rule is a policy that enforces access control and applies security profiles to protect traffic between the client and the access proxy [1]. A ZTNA rule defines the following parameters [1]:
• Incoming interface: The interface that receives the client request.
• Source: The address and user group of the client.
• ZTNA tag: The tag that identifies the domain that the client belongs to.
• ZTNA server: The server that hosts the access proxy.
• Destination: The address of the application that the client wants to access.
• Action: The action to take for the traffic that matches the rule. It can be accept, deny, or redirect.
• Security profiles: The security features to apply to the traffic, such as antivirus, web filter, application control, and so on.
A ZTNA rule does not redirect the client request to the access proxy. That is the function of a policy route that matches the ZTNA tag and sends the traffic to the ZTNA server [2].
A ZTNA rule does not define the access proxy. That is done by creating a ZTNA server object that specifies the IP address, port, and certificate of the access proxy [3].
FortiGate Infrastructure 7.2 Study Guide (p.177): "A ZTNA rule is a proxy policy used to enforce
access control. You can define ZTNA tags or tag groups to enforce zero-trust role-based access. To
create a rule, type a rule name, and add IP addresses and ZTNA tags or tag groups that are allowed or
blocked access. You also select the ZTNA server as the destination. You can also apply security
profiles to protect this traffic."
Refer to the exhibit, which contains a static route configuration.
An administrator created a static route for Amazon Web Services.
Which CLI command must the administrator use to view the route?
B
Explanation:
An ISDB static route does not create an entry directly in the routing table. Reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for-Predefined-Internet/ta-p/198756
and
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/190640
FortiGate Infrastructure 7.2 Study Guide (p.16 and p.59): "Even though they are configured as static
routes, ISDB routes are actually policy routes and take precedence over any other routes in the
routing table. As such, ISDB routes are added to the policy routing table." "FortiOS maintains a policy
route table that you can view by running the diagnose firewall proute list command."
An organization requires remote users to send external application data running on their PCs and
access FTP resources through an SSL/TLS connection.
Which FortiGate configuration can achieve this goal?
B
Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.198): "Tunnel mode requires FortiClient to connect to
FortiGate. FortiClient adds a virtual network adapter identified as fortissl to the user’s PC. This virtual
adapter dynamically receives an IP address from FortiGate each time FortiGate establishes a new
VPN connection. Inside the tunnel, all traffic is SSL/TLS encapsulated. The main advantage of tunnel
mode over web mode is that after the VPN is established, any IP network application running on the
client can send traffic through the tunnel."
An SSL VPN tunnel allows remote users to establish a secure and encrypted Virtual Private Network (VPN) connection to the private network using the SSL/TLS protocol [1]. An SSL VPN tunnel can provide access to network resources such as FTP servers, as well as external applications running on the user’s PC [1].
An SSL VPN bookmark is a web link that provides access to network resources through the SSL VPN web portal [1]. It does not support external applications running on the user’s PC.
Zero trust network access (ZTNA) is a security model that provides role-based application access to remote users without exposing the private network to the internet [2]. It does not use the SSL/TLS protocol, but rather a proprietary ZTNA protocol.
SSL VPN quick connection is a feature that allows users to connect to an SSL VPN tunnel without installing FortiClient or any other software on their PC [3]. It requires a web browser that supports Java or ActiveX. It does not support external applications running on the user’s PC.