NSE5 Online Practice Questions and Answers

Examine the two static routes to the same destination subnet 172.20.168.0/24 as shown below; then answer the question following it. config router static edit 1 set dst 172.20.168.0 255.255.255.0 set distance 20 set priority 10 set device port1 next edit 2

set dst 172.20.168.0 255.255.255.0 set distance 20 set priority 20

set device port2 next end Which of the following statements correctly describes the static routing configuration provided above?

A. The FortiGate unit will evenly share the traffic to 172.20.168.0/24 through both routes.

B. The FortiGate unit will share the traffic to 172.20.168.0/24 through both routes, but the port2 route will carry approximately twice as much of the traffic.

C. The FortiGate unit will send all the traffic to 172.20.168.0/24 through port1.

D. Only the route that is using port1 will show up in the routing table.

A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of 10.0.1.1, but gets no connectivity.

The following troubleshooting commands are executed from the CLI:

user1 # get system interface

== [ internal ]

name. internal mode. static ip: 10.0.1.254 255.255.255.128 status: up

netbios-forward. disable type. physical mtu-override. disable

== [ vlan1 ]

name. vlan1 mode. static ip: 10.0.1.1 255.255.255.128 status: up netb

ios-forward. disable type. vlan mtu-override. disable

user1 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default

S 10.0.0.0/8 [10/0] is a summary, Null

C 10.0.1.0/25 is directly connected, vlan1

C 10.0.1.128/25 is directly connected, internal

user1 # diagnose debug flow trace start 100

user1 # diagnose debug ena

user1 # diagnose debug flow filter daddr 10.0.1.1 10.0.1.1

id=20085 trace_id=277 msg="vd-root received a packet(proto=6, 10.0.1.130

:47922->10.0.1.1:443) from internal."

id=20085 trace_id=277 msg="allocate a new session-00000b21"

id=20085 trace_id=277 msg="iprope_in_check() check failed, drop"

Based on the output from these commands, which of the following is a possible cause of the problem?

A. The FortiGate unit has no route back to the PC.

B. The PC has an IP address in the wrong subnet.

C. The PC is using an incorrect default gateway IP address.

D. There is no firewall policy allowing traffic from INTERNAL -> VLAN1.

Which statement correctly compares FortiManager physical and virtual appliances?

A. Physical and virtual FortiManager appliances may manage unlimited devices and have unrestricted storage.

B. Physical and virtual FortiManager appliances use licenses to increase managed device and storage capacity limits.

C. Physical and virtual FortiManager appliances have an unrestricted daily logging rate.

D. Physical and virtual FortiManager appliances use model types and licenses respectively, to differentiate managed device and storage capacity limits.

Which of the following are FortiManager features? (Choose two.)

A. Administrative Domains

B. Virtual Domains

C. Centralized Management

D. Cloud-based Management

Which of the following items represent the minimum configuration steps an administrator must perform to enable Data Leak Prevention for traffic flowing through the FortiGate unit? (Select all that apply.)

A. Assign a DLP sensor in a firewall policy.

B. Apply one or more DLP rules to a firewall policy.

C. Enable DLP globally using the config sys dlp command in the CLI.

D. Define one or more DLP rules.

E. Define a DLP sensor.

F. Apply a DLP sensor to a DoS sensor policy.

In a High Availability cluster operating in Active-Active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a subordinate unit?

A. Request: Internal Host; Master FortiGate; Slave FortiGate; Internet; Web Server

B. Request: Internal Host; Master FortiGate; Slave FortiGate; Master FortiGate; Internet; Web Server

C. Request: Internal Host; Slave FortiGate; Internet; Web Server

D. Request: Internal Host; Slave FortiGate; Master FortiGate; Internet; Web Server

A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of 10.0.1.1, but gets no connectivity.

The following troubleshooting commands are executed from the DOS prompt on the PC and from the CLI. C:\>ping 10.0.1.1 Pinging 10.0.1.1 with 32 bytes of data: Reply from 10.0.1.1: bytes=32 time=1ms TTL=255 Reply from 10.0.1.1: bytes=32 time<1ms TTL=255 Reply from 10.0.1.1: bytes=32 time<1ms TTL=255 Reply from 10.0.1.1: bytes=32 time<1ms TTL=255

user1 # get system interface == [ internal ] name. internal mode. static ip: 10.0.1.254 255.255.255.128 status: up netbios-forward. disable type. physical mtu-override. disable

== [ vlan1 ]

name. vlan1 mode. static ip: 10.0.1.1 255.255.255.128 status: up netb

ios-forward. disable type. vlan mtu-override. disable

user1 # diagnose debug flow trace start 100

user1 # diagnose debug ena

user1 # diagnose debug flow filter daddr 10.0.1.1 10.0.1.1

id=20085 trace_id=274 msg="vd-root received a packet(proto=6, 10.0.1.130:47927- >10.0.1.1:443) from

internal."

id=20085 trace_id=274 msg="allocate a new session-00000b1b"

id=20085 trace_id=274 msg="find SNAT: IP-10.0.1.1, port-43798"

id=20085 trace_id=274 msg="iprope_in_check() check failed, drop"

Based on the output from these commands, which of the following explanations is a possible cause of the

problem?

A. The Fortigate unit has no route back to the PC.

B. The PC has an IP address in the wrong subnet.

C. The PC is using an incorrect default gateway IP address.

D. The FortiGate unit does not have the HTTPS service configured on the VLAN1 interface.

E. There is no firewall policy allowing traffic from INTERNAL-> VLAN1.

Based on the web filtering configuration illustrated in the exhibit

Which one of the following statements is not a reasonable conclusion?

A. Users can access both the www.google.com site and the www.fortinet.com site.

B. When a user attempts to access the www.google.com site, the FortiGate unit will not perform web filtering on the content of that site.

C. When a user attempts to access the www.fortinet.com site, any remaining web filtering will be bypassed.

D. Downloaded content from www.google.com will be scanned for viruses if antivirus is enabled.

Which Fortinet products and features could be considered part of a comprehensive solution to monitor and prevent the leakage of senstive data? (Select all that apply.)

A. Archive non-compliant outgoing e-mails using FortiMail.

B. Restrict unofficial methods of transferring files such as P2P using Application Control lists on a FortiGate.

C. Monitor database activity using FortiAnalyzer.

D. Apply a DLP sensor to a firewall policy.

E. Configure FortiClient to prevent files flagged as sensitive from being copied to a USB disk.

Because changing the operational mode to Transparent resets device (or vdom) to all defaults, which precautions should an Administrator take prior to performing this? (Select all that apply.)

A. Backup the configuration.

B. Disconnect redundant cables to ensure the topology will not contain layer 2 loops.

C. Set the unit to factory defaults.

D. Update IPS and AV files.