[单选题]
Which statement regarding the firewall policy authentication timeout is true?
A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

[多选题]
Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)
A. This is known as many-to-one NAT.
B. Source IP is translated to the outgoing interface IP.
C. Connections are tracked using source port and source MAC address.
D. Port address translation is not used.

[单选题]
When a firewall policy is created which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?
A. Log ID
B. Universally Unique Identifier
C. Policy ID
D. Sequence ID

[单选题]
Which statement about the policy ID number of a firewall policy is true?
A. It is required to modify a firewall policy using the CLI.
B. It represents the number of objects used in the firewall policy.
C. It changes when firewall policies are reordered.
D. It defines the order in which rules are processed.

[单选题]
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
A. The collector agent uses a Windows API to query DCs for user logins.
B. NetAPI polling can increase bandwidth usage in large networks.
C. The collector agent must search security event logs.
D. The NetSessionEnum function is user] to track user logouts.

[单选题]
Which statement about the IP authentication header (AH) used by IPsec is true?
A. AH does not provide any data integrity or encryption.
B. AH does not support perfect forward secrecy.
C. AH provides data integrity bur no encryption.
D. AH provides strong data integrity but weak encryption.

[多选题]
Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)
A. Heartbeat interfaces have virtual IP addresses that are manually assigned.
B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
C. Virtual IP addresses are used to distinguish between cluster members.
D. The primary device in the cluster is always assigned IP address 169.254.0.1.

[多选题]
Which three statements are true regarding session-based authentication? (Choose three.)
A. HTTP sessions are treated as a single user.
B. IP sessions from the same source IP address are treated as a single user.
C. It can differentiate among multiple clients behind the same source IP address.
D. It requires more resources.
E. It is not recommended if multiple users are behind the source NAT

[单选题]
Which of statement is true about SSL VPN web mode?
A. The tunnel is up while the client is connected.
B. It supports a limited number of protocols.
C. The external network application sends data through the VPN.
D. It assigns a virtual IP address to the client.

[多选题]以下描述正确的是（ ）。 Which of the following statements are correct: ( ).
A.plat_common_release_0xB4B9A.pkg是平台版本 plat_common_release_0xB4B9A.pkg is the platform version.
B.serv_0xB4B99.pkg 是业务版本 serv_0xB4B99.pkg is the service version.
C.sspi_common_release_0xB4B9B.pkg是接口机版本 sspi_common_release_0xB4B9B.pkg is the interface machine version.
D.sss_common_release_0xB4B99.pkg是通用版本 sss_common_release_0xB4B99.pkg is the general version.

[单选题]
BGP可使用的路由策略工具主要有Filter-policy和Route-policy, 其中Fiter-policy只能过滤路由, Route-policy只能修改路由
A.TRUE
B.FALSE

[单选题]
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).
Which statement is correct if a user is unable to receive a block replacement message when
Downloading an infected file for the first time?
A. The firewall policy performs the full content inspection on the file.
B. The flow-based inspection is used which resets the last packet to the user.
C. The volume of traffic being inspected is too high for this model of FortiGate.
D. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

[多选题]
In consolidated firewall policies IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)
A. The IP version of the sources and destinations in a firewall policy must be different.
B. The Incoming Interface. Outgoing Interface. Schedule and Service fields can be shared with both IPv4 and IPv6.
C. The policy table in the GUI can be filtered to display policies with IPv4 IPv6 or IPv4 and IPv6 sources and destinations.
D. The IP version of the sources and destinations in a policy must match.
E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

[单选题]
Refer to the exhibit to view the firewall policy.
Which statement is correct if well-known viruses are not being blocked?
A. The firewall policy does not apply deep content inspection.
B. The firewall policy must be configured in proxy-based inspection mode.
C. The action on the firewall policy must be set to deny.
D. Web filter should be enabled on the firewall policy to complement the antivirus profile.

[单选题]
Examine the IPS sensor and DoS policy configuration shown in the exhibit then Answer the question below.
When detecting attacks which anomaly signature or filter will FortiGate evaluate first?
A. SMTP.Login.Brute.Force
B. IMAP.Login.brute.Force
C. ip_src_session
D. Location: server Protocol: SMTP

[单选题]
NGFW mode allows policy-based configuration for most inspection rules. Which security profile's configuration does not change when you enable policy-based inspection?
A. Web filtering
B. Antivirus
C. Web proxy
D. Application control

[多选题]
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)
A. Antivirus scanning
B. File filter
C. DNS filter
D. Intrusion prevention

[单选题]
现有Route-policy如下:
Ip community-filter 1 permit 100:1
Ip as-path-filter 2 permit ^100$
Oute-policy test permit node 10
If-match community-filter 1
If-match as-path-filter 2
Apply as-path 200
关于上述配置描述正确的是?(已确认)
A.仅当BGP路由携带团体属性值为100:1或者AS_PATH为100时,该BGP路由会匹配上面的route-policy.匹配路由的AS-PATH属性会被改为200
B.仅当BGP路由携带团体属性值为100:1且AS-PATH为100时,该BGP路由会匹配上面的route policy.匹配路由的AS_PATH性会被改为200
C.仅当BGP路由携带AS-PATH为100,该BGP路由会匹配上面的route-policy.匹配路由的AS_PATH属性会被改为200
D.只要BGP路由携带团体属性值为100:1时,该BGP路由会匹配上面的route-policy.匹配路由的AS_PATH属性会被改为200

[单选题]PDF(Policy Decision Function，策略决策功能)根据从( )获得的会话和媒体相关的信息制定策略。
A.SBC
B.P-CSCF
C.I-CSCF
D.S-CSCF