更多"[单选题]Which Security rating scorecar"的相关试题:
[单选题]
Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?
A. Denial of Service
B. Application control
C. Antivirus
D. Web application firewall
[单选题]
Which statement regarding the firewall policy authentication timeout is true?
A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.
[多选题]
Which two configuration settings are synchronized when FortiGate devices are in an active- active HA cluster? (Choose two.)
A. FortiGuard web filter cache
B. FortiGate hostname
C. NTP
D. DNS
[单选题]
Which CLI command allows administrators to troubleshoot Layer 2 issues such as an IP address conflict?
A. get system status
B. get system performance status
C. diagnose sys top
D. get system arp
[多选题]
Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)
A. For a stronger authentication you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password
B. FortiGate supports pre-shared key and signature as authentication methods.
C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
D. A certificate is not required on the remote peer when you set the signature as the authentication method.
[单选题]
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
A. Subject Key Identifier value
B. SMMIE Capabilities value
C. Subject value
D. Subject Alternative Name value
[多选题]
Which statements best describe auto discovery VPN (ADVPN). (Choose two.)
A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
[多选题]
Which two statements about antivirus scanning mode are true? (Choose two.)
A. In proxy-based inspection mode files bigger than the buffer size are scanned.
B. In flow-based inspection mode. FortiGate buffers the file but also simultaneously transmits it to the client.
C. In proxy-based inspection mode antivirus scanning buffers the whole file for scanning before sending it to the client.
D. In flow-based inspection mode files bigger than the buffer size are scanned.
[单选题]
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?
A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out"
[单选题]
Examine the exhibit which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
A. 10.200.1.10
B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
C. 10.200.1.1
D. 10.0.1.254
[单选题]
Which statement about the IP authentication header (AH) used by IPsec is true?
A. AH does not provide any data integrity or encryption.
B. AH does not support perfect forward secrecy.
C. AH provides data integrity bur no encryption.
D. AH provides strong data integrity but weak encryption.
[多选题]
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)
A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
B. An SA never expires.
C. A phase 1 SA is bidirectional while a phase 2 SA is directional.
D. Phase 2 SA expiration can be time-based volume-based or both.
E. Both the phase 1 SA and phase 2 SA are bidirectional.
[多选题]
Which two statements are true about collector agent standard access mode? (Choose two.)
A. Standard mode uses Windows convention-NetBios: Domain\Username.
B. Standard mode security profiles apply to organizational units (OU).
C. Standard mode security profiles apply to user groups.
D. Standard access mode supports nested groups.
[多选题]
Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)
A. Lookup is done on the first packet from the session originator
B. Lookup is done on the last packet sent from the responder
C. Lookup is done on every packet regardless of direction
D. Lookup is done on the trust reply packet from the responder
[多选题]
Which two statements are true when FortiGate is in transparent mode? (Choose two.)
A. By default all interfaces are part of the same broadcast domain.
B. The existing network IP schema must be changed when installing a transparent mode.
C. Static routes are required to allow traffic to the next hop.
D. FortiGate forwards frames without changing the MAC address.
[多选题]
Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)
A. Web filter in flow-based inspection
B. Antivirus in flow-based inspection
C. DNS filter
D. Web application firewall
E. Application control
[单选题]
Refer to the exhibit which contains a static route configuration.
An administrator created a static route for Amazon Web Services.
What CLI command must the administrator use to view the route?
A. get router info routing-table all
B. get internet service route list
C. get router info routing-table database
D. diagnose firewall proute list
[多选题]
Which of the following statements about central NAT are true? (Choose two.)
A. IP tool references must be removed from existing firewall policies before enabling central NAT.
B. Central NAT can be enabled or disabled from the CLI only.
C. Source NAT using central NAT requires at least one central SNAT policy.
D. Destination NAT using central NAT requires a VIP object as the destination address in a firewall.
