Sample questions
Fortinet NSE 4 Network Security Professional NSE4 practice questions
Drag and drop the steps to capture traffic on a FortiGate interface using the CLI into the correct order.
Drag and drop the steps to configure HA (High Availability) on a FortiGate pair into the correct order.
Drag and drop the steps to perform a factory reset on FortiGate via CLI into the correct order.
Refer to the exhibit. A network administrator configured an IPsec VPN between the main office and a branch office. Remote users at the branch office report that they cannot access resources in the main office. The tunnel status shows up on both sides. What is the most likely cause of the connectivity issue?
Exhibit
Refer to the exhibit.
config vpn ipsec phase1-interface
edit "to_Branch"
set interface "wan1"
set ike-version 2
set keylife 86400
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set dhgroup 14
set remote-gw 203.0.113.5
set psksecret ENC ...
next
end
config vpn ipsec phase2-interface
edit "to_Branch_p2"
set phase1name "to_Branch"
set proposal aes256-sha256
set pfs enable
set dhgrp 14
set auto-negotiate enable
set keylifeseconds 3600
next
end
Trap 1: The phase1 keylife is longer than the phase2 keylife, causing rekey…
Different keylifes are acceptable; phase2 rekeys independently.
Trap 2: The 'set net-device disable' prevents the tunnel from being used…
net-device disable is typical for route-based VPNs; the tunnel interface is still used.
Trap 3: The phase2 proposal does not match the phase1 proposal.
Both use aes256-sha256; they match.
- A
The phase1 keylife is longer than the phase2 keylife, causing rekey issues.
Why wrong: Different keylifes are acceptable; phase2 rekeys independently.
- B
The 'set net-device disable' prevents the tunnel from being used for routing.
Why wrong: net-device disable is typical for route-based VPNs; the tunnel interface is still used.
- C
The phase2 configuration does not specify the local and remote subnets to protect.
Without 'set src-addr-type' and 'set dst-addr-type', the tunnel does not know which traffic to encrypt.
- D
The phase2 proposal does not match the phase1 proposal.
Why wrong: Both use aes256-sha256; they match.
Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?
Exhibit
Refer to the exhibit.
config firewall policy
edit 1
set name "Allow-Internet"
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set logtraffic all
next
edit 2
set name "Block-SSH"
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action deny
set schedule "always"
set service "SSH"
set logtraffic all
next
end
Trap 1: The SSH connection will succeed because policy 2 is evaluated first.
Policies are evaluated from top to bottom; policy 1 is first.
Trap 2: The SSH connection will be blocked because policy 2 explicitly…
Firewall policies are evaluated in order; policy 1 (allow all) is before policy 2 (deny SSH), so policy 1 matches first and allows the traffic.
Trap 3: The SSH connection will be blocked because policy 1 does not…
Policy 1 uses service 'ALL', which includes SSH. The issue is the order.
- A
The SSH connection will succeed because policy 1 allows all services before policy 2 is evaluated.
Policy 1 matches all traffic from internal to wan1, so SSH is allowed before reaching the deny policy.
- B
The SSH connection will succeed because policy 2 is evaluated first.
Why wrong: Policies are evaluated from top to bottom; policy 1 is first.
- C
The SSH connection will be blocked because policy 2 explicitly denies SSH.
Why wrong: Firewall policies are evaluated in order; policy 1 (allow all) is before policy 2 (deny SSH), so policy 1 matches first and allows the traffic.
- D
The SSH connection will be blocked because policy 1 does not include SSH service specifically.
Why wrong: Policy 1 uses service 'ALL', which includes SSH. The issue is the order.
An administrator is configuring web filtering on a FortiGate. Which TWO statements about web filtering profiles are correct?
Trap 1: Web filtering profiles can only be applied to users who are…
Web filtering can be applied to all traffic regardless of authentication.
Trap 2: Web filtering profiles are applied globally by default.
Web filtering profiles are applied per firewall policy, not globally.
Trap 3: Web filtering profiles are used to configure SSL certificate…
SSL inspection is configured in SSL/SSH inspection profiles, not web filtering profiles.
- A
Web filtering profiles can be used together with application control profiles.
Correct; they can be applied to the same firewall policy.
- B
Web filtering profiles can only be applied to users who are authenticated.
Why wrong: Web filtering can be applied to all traffic regardless of authentication.
- C
Web filtering profiles can block access to websites based on URL categories and ratings.
Correct; this is a primary function of web filtering.
- D
Web filtering profiles are applied globally by default.
Why wrong: Web filtering profiles are applied per firewall policy, not globally.
- E
Web filtering profiles are used to configure SSL certificate inspection.
Why wrong: SSL inspection is configured in SSL/SSH inspection profiles, not web filtering profiles.
Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?
Exhibit
Refer to the exhibit.
config firewall policy
edit 1
set name "SSL-Inspection"
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set profile-protocol-options "default"
set av-profile "default"
set webfilter-profile "default"
next
end
Trap 1: The ssl-ssh-profile is set to 'deep-inspection' but the policy is…
This is essentially the same as B, but B is more precise.
Trap 2: The source interface is 'wan1' but the traffic is coming from…
The exhibit shows the policy matches traffic from wan1 to internal, which is correct for inbound inspection.
Trap 3: The policy has 'set action deny' instead of 'set action accept'.
The action is accept, so traffic is allowed.
- A
The policy is missing the 'set inspection-mode proxy' command.
Deep inspection requires proxy-based inspection mode.
- B
The ssl-ssh-profile is set to 'deep-inspection' but the policy is using flow-based inspection.
Why wrong: This is essentially the same as B, but B is more precise.
- C
The source interface is 'wan1' but the traffic is coming from 'internal'.
Why wrong: The exhibit shows the policy matches traffic from wan1 to internal, which is correct for inbound inspection.
- D
The policy has 'set action deny' instead of 'set action accept'.
Why wrong: The action is accept, so traffic is allowed.
A company is deploying FortiGate for outbound web filtering. They want to block users from accessing social media sites during business hours, but still allow access to cloud-based productivity tools like Office 365. Which approach should the administrator use to meet this requirement?
Trap 1: Create a firewall policy to block all traffic to ports commonly…
Blocking port 443 would also block Office 365 and other HTTPS traffic, which is not the requirement.
Trap 2: Use a web filter profile to block URLs containing 'facebook' or…
Web filtering based on keywords is imprecise and may block legitimate content or miss social media apps using other URLs.
Trap 3: Implement a DNS filter to block DNS queries for social media…
DNS filtering would block the domain but not the application if the user accesses via IP or if the app uses a different domain.
- A
Create a firewall policy to block all traffic to ports commonly used by social media (e.g., TCP 443).
Why wrong: Blocking port 443 would also block Office 365 and other HTTPS traffic, which is not the requirement.
- B
Use a web filter profile to block URLs containing 'facebook' or 'twitter'.
Why wrong: Web filtering based on keywords is imprecise and may block legitimate content or miss social media apps using other URLs.
- C
Configure an application control profile with rules to block social media applications and allow Office 365 applications.
Application control profiles can precisely allow or block applications regardless of port/protocol, meeting the requirement exactly.
- D
Implement a DNS filter to block DNS queries for social media domains.
Why wrong: DNS filtering would block the domain but not the application if the user accesses via IP or if the app uses a different domain.
An administrator is configuring an IPS profile on FortiGate to detect and block SQL injection attacks. The profile must be applied to inbound traffic to a web server. Which TWO settings should the administrator enable to achieve this goal? (Choose two.)
Trap 1: Create a DoS policy to limit the number of connections per second.
DoS policy mitigates denial-of-service, not SQL injection.
Trap 2: Enable the HTTP protocol decoder in the application control profile.
Protocol decoders are for application control, not IPS. IPS uses signatures.
Trap 3: Configure the IPS sensor to bypass traffic from trusted IP…
Bypass would skip inspection, not detect attacks.
- A
Add the 'SQL.Injection' signature to the IPS sensor and set action to 'block'.
The specific signature for SQL injection must be included and configured to block.
- B
Create a DoS policy to limit the number of connections per second.
Why wrong: DoS policy mitigates denial-of-service, not SQL injection.
- C
Enable the HTTP protocol decoder in the application control profile.
Why wrong: Protocol decoders are for application control, not IPS. IPS uses signatures.
- D
Configure the IPS sensor to bypass traffic from trusted IP addresses.
Why wrong: Bypass would skip inspection, not detect attacks.
- E
Enable the IPS sensor in the firewall policy.
The IPS sensor must be applied to the firewall policy to inspect traffic.
Refer to the exhibit. An administrator has created an IPS sensor with two entries. The first entry sets severity 'medium' and action 'block'. The second entry sets severity 'critical' and action 'block'. What will happen when a packet triggers an IPS signature with severity 'low'?
Exhibit
Refer to the exhibit.
config ips sensor
edit "sensor1"
config entries
edit 1
set severity medium
set action block
next
edit 2
set severity critical
set action block
next
end
next
end
Trap 1: The packet will be logged and a session will be created.
Logging is not configured; no log action is set.
Trap 2: The packet will be blocked if the signature severity is 'low' or…
Only severities defined in entries are processed; 'low' is not defined.
Trap 3: The packet will be blocked because the sensor is enabled.
The sensor only blocks signatures with explicitly configured severity.
- A
The packet will be allowed (pass).
Signatures not matching any entry use the default action 'pass'.
- B
The packet will be logged and a session will be created.
Why wrong: Logging is not configured; no log action is set.
- C
The packet will be blocked if the signature severity is 'low' or 'high'.
Why wrong: Only severities defined in entries are processed; 'low' is not defined.
- D
The packet will be blocked because the sensor is enabled.
Why wrong: The sensor only blocks signatures with explicitly configured severity.
Which TWO are best practices for configuring IPsec VPN on FortiGate to ensure high availability and security?
Trap 1: Disable DPD on the phase1 interface to reduce overhead.
Disabling DPD leaves the tunnel blind to peer failures.
Trap 2: Use aggressive mode for faster IKE negotiation.
Aggressive mode sends identity in cleartext, less secure.
Trap 3: Disable PFS to reduce CPU load on the firewall.
Disabling PFS weakens security; CPU impact is usually acceptable.
- A
Disable DPD on the phase1 interface to reduce overhead.
Why wrong: Disabling DPD leaves the tunnel blind to peer failures.
- B
Enable perfect forward secrecy (PFS) for phase2 to ensure session keys are not compromised if a private key is stolen.
PFS ensures that compromise of one key does not affect others.
- C
Use aggressive mode for faster IKE negotiation.
Why wrong: Aggressive mode sends identity in cleartext, less secure.
- D
Configure a dead peer detection (DPD) interval to detect tunnel failures.
DPD is essential for detecting peer failures in IPsec VPNs.
- E
Disable PFS to reduce CPU load on the firewall.
Why wrong: Disabling PFS weakens security; CPU impact is usually acceptable.
A FortiGate is configured in an A-P HA cluster. The administrator wants to ensure that session failover occurs for UDP-based voice traffic. Which TWO settings must be enabled?
Trap 1: Set HA override to enabled.
HA override controls which unit becomes primary, not session synchronization.
Trap 2: Enable configuration synchronization.
Config sync ensures policies are identical, but does not synchronize session states.
Trap 3: Set failover hold time to 1 second.
Hold time affects how quickly failover occurs, not session synchronization.
- A
Enable UDP session synchronization.
UDP sessions need explicit synchronization for failover.
- B
Set HA override to enabled.
Why wrong: HA override controls which unit becomes primary, not session synchronization.
- C
Enable configuration synchronization.
Why wrong: Config sync ensures policies are identical, but does not synchronize session states.
- D
Enable session pickup.
Session pickup allows the standby unit to continue sessions after failover.
- E
Set failover hold time to 1 second.
Why wrong: Hold time affects how quickly failover occurs, not session synchronization.
An administrator needs to configure a FortiGate to allow web traffic from the internal network to the Internet. The internal network is 192.168.1.0/24 and the WAN interface is port1 with IP 203.0.113.1. Which firewall policy is correct?
Trap 1: Source: port1, Destination: internal, Service: HTTP/HTTPS, Action:…
Source and destination are reversed; this would allow inbound traffic, not outbound.
Trap 2: Source: external, Destination: internal, Service: HTTP/HTTPS,…
This would allow inbound web traffic, not outbound.
Trap 3: Source: internal, Destination: port1, Service: ALL, Action: ACCEPT
Allowing all services is overly permissive and not a best practice.
- A
Source: internal, Destination: port1, Service: HTTP/HTTPS, Action: ACCEPT
This policy allows internal users to access web services on the Internet.
- B
Source: port1, Destination: internal, Service: HTTP/HTTPS, Action: ACCEPT
Why wrong: Source and destination are reversed; this would allow inbound traffic, not outbound.
- C
Source: external, Destination: internal, Service: HTTP/HTTPS, Action: ACCEPT
Why wrong: This would allow inbound web traffic, not outbound.
- D
Source: internal, Destination: port1, Service: ALL, Action: ACCEPT
Why wrong: Allowing all services is overly permissive and not a best practice.
Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?
Exhibit
Refer to the exhibit.
config router static
edit 1
set device port1
set gateway 203.0.113.1
set dst 0.0.0.0 0.0.0.0
set distance 10
next
edit 2
set device port2
set gateway 10.0.0.1
set dst 0.0.0.0 0.0.0.0
set distance 20
next
end
Trap 1: The second route is overwriting the first route
FortiGate supports multiple default routes with different distances.
Trap 2: Both routes are equal-cost and load-balancing is not working
Routes have different distances, so they are not equal-cost.
Trap 3: The configuration is invalid because duplicate default routes are…
Multiple default routes are allowed with different distances.
- A
The second route is overwriting the first route
Why wrong: FortiGate supports multiple default routes with different distances.
- B
Both routes are equal-cost and load-balancing is not working
Why wrong: Routes have different distances, so they are not equal-cost.
- C
The configuration is invalid because duplicate default routes are not allowed
Why wrong: Multiple default routes are allowed with different distances.
- D
The gateway 203.0.113.1 (port1) is unreachable
The first route is preferred (distance 10), so if its gateway is unreachable, traffic fails.
A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?
Trap 1: The default route is incorrectly configured
The ping succeeds, so the default route works for the FortiGate itself.
Trap 2: An implicit deny policy is blocking traffic from internal to…
An implicit deny would block all traffic including the ping from the FortiGate.
Trap 3: External access profile is set to read-only
External access profiles control admin access, not user traffic.
- A
The default route is incorrectly configured
Why wrong: The ping succeeds, so the default route works for the FortiGate itself.
- B
An implicit deny policy is blocking traffic from internal to external
Why wrong: An implicit deny would block all traffic including the ping from the FortiGate.
- C
No NAT policy is configured for internal users
Without NAT, internal source IPs are not translated, so return traffic may be dropped.
- D
External access profile is set to read-only
Why wrong: External access profiles control admin access, not user traffic.
A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?
Trap 1: The policy is placed below a deny-all policy
The administrator checked policy order and it is correct.
Trap 2: NAT is not configured on the policy
NAT is not required for internal-to-internal traffic.
Trap 3: The policy is disabled
The administrator already verified the policy is enabled.
- A
The policy is placed below a deny-all policy
Why wrong: The administrator checked policy order and it is correct.
- B
NAT is not configured on the policy
Why wrong: NAT is not required for internal-to-internal traffic.
- C
The firewall does not have a route to the 10.0.0.0/8 network
Without a route, traffic from that network will be dropped.
- D
The policy is disabled
Why wrong: The administrator already verified the policy is enabled.
Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?
Exhibit
FGT # diagnose firewall auth list
1: authid=1 type=ldap user=jsmith src=10.0.0.5 dst=192.168.1.10 proto=6 port=80 duration=1200 timeout=3600
2: authid=2 type=ldap user=ajones src=10.0.0.6 dst=192.168.1.10 proto=6 port=80 duration=600 timeout=3600
Trap 1: The authentication session will remain active because the firewall…
Authentication sessions have their own idle timer.
Trap 2: The user will be automatically re-authenticated without prompting
Automatic re-authentication does not happen; the user must re-enter credentials.
Trap 3: The firewall session will be torn down immediately
The firewall session continues until it times out or traffic ends.
- A
The authentication session will remain active because the firewall session is still valid
Why wrong: Authentication sessions have their own idle timer.
- B
The user will be automatically re-authenticated without prompting
Why wrong: Automatic re-authentication does not happen; the user must re-enter credentials.
- C
The firewall session will be torn down immediately
Why wrong: The firewall session continues until it times out or traffic ends.
- D
The authentication session will expire, and the user must re-authenticate for new traffic
The user will be prompted for credentials again after idle timeout.
A company with multiple remote sites uses IPsec VPNs. One site reports intermittent connectivity. The administrator checks the logs and sees 'IPsec phase 2 negotiation failed' messages. Which configuration change is most likely to resolve the issue?
Trap 1: Change the encryption algorithm from AES256 to 3DES.
Algorithm mismatch would cause constant failure.
Trap 2: Increase the Phase 2 lifetime.
Longer lifetime may mask the problem but not fix intermittent negotiation.
Trap 3: Enable NAT traversal.
NAT-T is for NAT environments, not intermittent drops.
- A
Enable Dead Peer Detection (DPD) on the Phase 1 interface.
DPD detects peer failure and triggers renegotiation.
- B
Change the encryption algorithm from AES256 to 3DES.
Why wrong: Algorithm mismatch would cause constant failure.
- C
Increase the Phase 2 lifetime.
Why wrong: Longer lifetime may mask the problem but not fix intermittent negotiation.
- D
Enable NAT traversal.
Why wrong: NAT-T is for NAT environments, not intermittent drops.
A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?
Trap 1: An interface is in error-disable state causing CPU interrupts.
Error-disable typically affects forwarding, not CPU.
Trap 2: The firewall policy is misconfigured, causing packet drops.
Drops are handled in hardware, not CPU.
Trap 3: A DDoS attack is overwhelming the CPU.
DDoS would show traffic.
- A
An interface is in error-disable state causing CPU interrupts.
Why wrong: Error-disable typically affects forwarding, not CPU.
- B
The firewall policy is misconfigured, causing packet drops.
Why wrong: Drops are handled in hardware, not CPU.
- C
A DDoS attack is overwhelming the CPU.
Why wrong: DDoS would show traffic.
- D
A process such as the IPS engine is stuck in an infinite loop.
A runaway process can consume CPU even without traffic.
An administrator needs to configure a FortiGate to send logs to two different syslog servers for redundancy. Which configuration method should be used?
Trap 1: Configure two separate log settings for each server.
There is only one syslogd setting, but multiple servers can be listed.
Trap 2: Configure one syslog server and use a load balancer.
Not efficient; FortiGate supports multiple servers directly.
Trap 3: Use a FortiAnalyzer to forward logs to syslog servers.
This adds unnecessary complexity.
- A
Under 'config log syslogd setting', set 'status enable' and then add multiple servers using 'set server <ip1> <ip2>'.
Multiple servers can be added in a space-separated list.
- B
Configure two separate log settings for each server.
Why wrong: There is only one syslogd setting, but multiple servers can be listed.
- C
Configure one syslog server and use a load balancer.
Why wrong: Not efficient; FortiGate supports multiple servers directly.
- D
Use a FortiAnalyzer to forward logs to syslog servers.
Why wrong: This adds unnecessary complexity.
A large enterprise is deploying a FortiGate 600F as the perimeter firewall. The security team requires that all administrative access (SSH, HTTPS, and Ping) to the FortiGate must be restricted to a dedicated management network (10.10.10.0/24). Additionally, any failed login attempt from outside the management network should be logged and the source IP should be blocked for 30 minutes. The administrator has configured a local-in policy to deny all administrative access from non-management networks and enabled logging. However, the administrator wants to automatically block the offending IPs. The FortiGate is not connected to any FortiAnalyzer or FortiManager. What should the administrator do to achieve this?
Trap 1: Use a FortiAnalyzer to generate alerts and send to SIEM.
No FortiAnalyzer available.
Trap 2: Configure a firewall policy to block the offending IPs manually…
Manual process not automated.
Trap 3: Enable 'set block-session-ttl' on the local-in policy.
This blocks sessions, not IPs for a duration.
- A
Create an automation stitch that triggers on local-in policy logging and adds the source IP to a blocked list via CLI script.
Automation stitch can execute a script to block the IP.
- B
Use a FortiAnalyzer to generate alerts and send to SIEM.
Why wrong: No FortiAnalyzer available.
- C
Configure a firewall policy to block the offending IPs manually based on logs.
Why wrong: Manual process not automated.
- D
Enable 'set block-session-ttl' on the local-in policy.
Why wrong: This blocks sessions, not IPs for a duration.
Which TWO actions can cause SSL inspection to fail with certificate errors on client browsers? (Choose two.)
Trap 1: The firewall policy allows the traffic.
Allowing traffic does not cause errors.
Trap 2: The web server's certificate is signed by a public CA.
Public CA is fine.
Trap 3: The client browser has the FortiGate CA certificate installed.
Installation helps avoid errors.
- A
The FortiGate's CA certificate has expired.
Expired CA certs cause trust errors.
- B
The firewall policy allows the traffic.
Why wrong: Allowing traffic does not cause errors.
- C
The web server's certificate is signed by a public CA.
Why wrong: Public CA is fine.
- D
The client browser has the FortiGate CA certificate installed.
Why wrong: Installation helps avoid errors.
- E
The FortiGate's generated server certificate does not match the requested domain name.
CN mismatch causes browser warnings.
An administrator has configured the policy shown in the exhibit. Traffic to the web server at 10.0.1.10 over HTTPS is allowed, but users complain that they cannot access the web server's login page. The IPS sensor 'High_Security_Sensor' has a signature that blocks SQL injection attempts. The application list 'Block_Social_Media' blocks Facebook and Twitter. What is the most likely cause of the issue?
Exhibit
Refer to the exhibit.
config firewall policy
edit 1
set name "Web-Server"
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "10.0.1.10"
set action accept
set schedule "always"
set service "HTTPS"
set utm-status enable
set ips-sensor "High_Security_Sensor"
set application-list "Block_Social_Media"
next
end
Trap 1: The IPS sensor is blocking the login page due to a false positive.
IPS sensor blocks SQL injection, not typical login pages.
Trap 2: The firewall policy action is set to 'deny' but the exhibit shows…
The exhibit clearly shows action accept.
Trap 3: The HTTPS service is not correctly defined and blocking the traffic.
The service is set to HTTPS, which is a predefined service, so it should work.
- A
The IPS sensor is blocking the login page due to a false positive.
Why wrong: IPS sensor blocks SQL injection, not typical login pages.
- B
The firewall policy action is set to 'deny' but the exhibit shows 'accept'.
Why wrong: The exhibit clearly shows action accept.
- C
The HTTPS service is not correctly defined and blocking the traffic.
Why wrong: The service is set to HTTPS, which is a predefined service, so it should work.
- D
The application control profile is blocking the web application.
Application control may block the web application if it is misclassified.
Which TWO statements about IPS in FortiGate are true?
Trap 1: An IPS sensor can only be applied to one firewall policy.
An IPS sensor can be reused across multiple policies.
Trap 2: IPS is not supported in transparent mode.
IPS is supported in transparent mode.
Trap 3: IPS only works in flow-based inspection mode.
IPS works in both flow and proxy modes, though flow is recommended for performance.
- A
IPS can be applied to individual firewall policies via IPS sensors.
IPS sensors are attached to firewall policies to enable IPS on selected traffic.
- B
An IPS sensor can only be applied to one firewall policy.
Why wrong: An IPS sensor can be reused across multiple policies.
- C
IPS is not supported in transparent mode.
Why wrong: IPS is supported in transparent mode.
- D
IPS only works in flow-based inspection mode.
Why wrong: IPS works in both flow and proxy modes, though flow is recommended for performance.
- E
IPS signatures can have their actions overridden in an IPS filter.
IPS filters allow you to override the default action of a signature.