FCNSP.V5 Online Practice Questions and Answers

What are the requirements for a cluster to maintain TCP connections after device or link failover? (Select all that apply.)

A. Enable session pick-up.

B. Only applies to connections handled by a proxy.

C. Only applies to UDP and ICMP connections.

D. Connections must not be handled by a proxy.

Review the CLI configuration below for an IPS sensor and identify the correct statements regarding this configuration from the choices below. (Select all that apply.)

config ips sensor edit "LINUX_SERVER" set comment '' set replacemsg-group '' set log enable config entries edit 1 set action default set application all set location server set log enable set log-packet enable set os Linux set protocol all set quarantine none set severity all set status default next end next end

A. The sensor will log all server attacks for all operating systems.

B. The sensor will include a PCAP file with a trace of the matching packets in the log message of any matched signature.

C. The sensor will match all traffic from the address object `LINUX_SERVER'.

D. The sensor will reset all connections that match these signatures.

E. The sensor only filters which IPS signatures to apply to the selected firewall policy.

Examine the two static routes to the same destination subnet 172.20.168.0/24 as shown below; then answer the question following it.

config router static edit 1 set dst 172.20.168.0 255.255.255.0 set distance 20 set priority 10 set device port1 next edit 2 set dst 172.20.168.0 255.255.255.0 set distance 20 set priority 20 set device port2 next end

Which of the following statements correctly describes the static routing configuration provided above?

A. The FortiGate unit will evenly share the traffic to 172.20.168.0/24 through both routes.

B. The FortiGate unit will share the traffic to 172.20.168.0/24 through both routes, but the port2 route will carry approximately twice as much of the traffic.

C. The FortiGate unit will send all the traffic to 172.20.168.0/24 through port1.

D. Only the route that is using port1 will show up in the routing table.

Examine the static route configuration shown below; then answer the question following it.

config router static edit 1 set dst 172.20.1.0 255.255.255.0 set device port1 set gateway 172.11.12.1 set distance 10 set weight 5 next edit 2 set dst 172.20.1.0 255.255.255.0 set blackhole enable set distance 5 set weight 10 next end

Which of the following statements correctly describes the static routing configuration provided? (Select all that apply.)

A. All traffic to 172.20.1.0/24 will always be dropped by the FortiGate unit.

B. As long as port1 is up, all the traffic to 172.20.1.0/24 will be routed by the static route number

1. If the interface port1 is down, the traffic will be routed using the blackhole route.

C. The FortiGate unit will NOT create a session entry in the session table when the traffic is being routed by the blackhole route.

D. The FortiGate unit will create a session entry in the session table when the traffic is being routed by the blackhole route.

E. Traffic to 172.20.1.0/24 will be shared through both routes.

An administrator is examining the attack logs and notices the following entry:

type=ips subtype=signature pri=alert vd=root serial=1995 attack_id=103022611 src=69.45.64.22 dst=192.168.1.100 src_port=80 dst_port=4887 src_int=wlan dst_int=internal status=detected proto=6 service=4887/tcp user=N/A group=N/A msg=web_client: IE.IFRAME.BufferOverflow.B

Based on the information displayed in this entry, which of the following statements are correct? (Select all that apply.)

A. This is an HTTP server attack.

B. The attack was detected and blocked by the FortiGate unit.

C. The attack was against a FortiGate unit at the 192.168.1.100 IP address.

D. The attack was detected and passed by the FortiGate unit.

Which of the following features could be used by an administrator to block FTP uploads while still allowing FTP downloads?

A. Anti-Virus File-Type Blocking

B. Data Leak Prevention

C. Network Admission Control

D. FortiClient Check

A static route is configured for a FortiGate unit from the CLI using the following commands:

config router static edit 1 set device "wan1" set distance 20 set gateway 192.168.100.1 next end

Which of the following conditions is NOT required for this static default route to be displayed in the FortiGate unit's routing table?

A. The Administrative Status of the wan1 interface is displayed as Up.

B. The Link Status of the wan1 interface is displayed as Up.

C. All other default routes should have an equal or higher distance.

D. You must disable DHCP client on that interface.

In the Tunnel Mode widget of the web portal, the administrator has configured an IP Pool and enabled split tunneling.

Which of the following statements is true about the IP address used by the SSL VPN client?

A. The IP pool specified in the SSL-VPN Tunnel Mode Widget Options will override the IP address range defined in the SSL-VPN Settings.

B. Because split tunneling is enabled, no IP address needs to be assigned for the SSL VPN tunnel to be established.

C. The IP address range specified in SSL-VPN Settings will override the IP address range in the SSL-VPN Tunnel Mode Widget Options.

What advantages are there in using a fully Meshed IPSec VPN configuration instead of a hub and spoke set of IPSec tunnels?

A. Using a hub and spoke topology is required to achieve full redundancy.

B. Using a full mesh topology simplifies configuration.

C. Using a full mesh topology provides stronger encryption.

D. Full mesh topology is the most fault-tolerant configuration.

A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of 10.0.1.1, but gets no connectivity.

The following troubleshooting commands are executed from the DOS prompt on the PC and from the CLI.

C:\>ping 10.0.1.1 Pinging 10.0.1.1 with 32 bytes of data: Reply from 10.0.1.1: bytes=32 time=1ms TTL=255 Reply from 10.0.1.1: bytes=32 time<1ms TTL=255

Reply from 10.0.1.1: bytes=32 time<1ms TTL=255

Reply from 10.0.1.1: bytes=32 time<1ms TTL=255

user1 # get system interface

== [ internal ]

namE. internal modE. static ip: 10.0.1.254 255.255.255.128 status: up netbios-forwarD. disable typE.

physical mtu-overridE. disable == [ vlan1 ]

namE. vlan1 modE. static ip: 10.0.1.1 255.255.255.128 status: up netb ios-forwarD. disable typE. vlan mtuoverridE. disable

user1 # diagnose debug flow trace start 100

user1 # diagnose debug ena

user1 # diagnose debug flow filter daddr 10.0.1.1 10.0.1.1

id=20085 trace_id=274 msg="vd-root received a packet(proto=6, 10.0.1.130:47927- >10.0.1.1:443) from

internal."

id=20085 trace_id=274 msg="allocate a new session-00000b1b" id=20085 trace_id=274 msg="find SNAT:

IP-10.0.1.1, port-43798" id=20085 trace_id=274 msg="iprope_in_check() check failed, drop"

Based on the output from these commands, which of the following explanations is a possible cause of the

problem?

A. The Fortigate unit has no route back to the PC.

B. The PC has an IP address in the wrong subnet.

C. The PC is using an incorrect default gateway IP address.

D. The FortiGate unit does not have the HTTPS service configured on the VLAN1 interface.

E. There is no firewall policy allowing traffic from INTERNAL-> VLAN1.