FCNSP.V5 Online Practice Questions and Answers

In HA, what is the effect of the Disconnect Cluster Member command as given in the Exhibit.

A. The HA mode changes to standalone.

B. Port3 is configured with an IP address for management access.

C. The Firewall rules are purged on the disconnected unit.

D. All other interface IP settings are maintained.

Review the CLI configuration below for an IPS sensor and identify the correct statements regarding this configuration from the choices below. (Select all that apply.)

config ips sensor edit "LINUX_SERVER" set comment '' set replacemsg-group '' set log enable config entries edit 1 set action default set application all set location server set log enable set log-packet enable set os Linux set protocol all set quarantine none set severity all set status default next end next end

A. The sensor will log all server attacks for all operating systems.

B. The sensor will include a PCAP file with a trace of the matching packets in the log message of any matched signature.

C. The sensor will match all traffic from the address object `LINUX_SERVER'.

D. The sensor will reset all connections that match these signatures.

E. The sensor only filters which IPS signatures to apply to the selected firewall policy.

Review the IPsec Phase2 configuration shown in the Exhibit; then answer the question following it.

Which of the following statements are correct regarding this configuration? (Select all that apply).

A. The Phase 2 will re-key even if there is no traffic.

B. There will be a DH exchange for each re-key.

C. The sequence number of ESP packets received from the peer will not be checked.

D. Quick mode selectors will default to those used in the firewall policy.

Review the output of the command config router ospf shown in the Exhibit below; then answer the question following it.

Which one of the following statements is correct regarding this output?

A. OSPF Hello packets will only be sent on interfaces configured with the IP addresses 172.16.1.1 and

172.16.1.2.

B. OSPF Hello packets will be sent on all interfaces of the FortiGate device.

C. OSPF Hello packets will be sent on all interfaces configured with an address matching the 10.0.1.0/24 and 172.16.0.0/12 networks.

D. OSPF Hello packets are not sent on point-to-point networks.

Which of the following statements is correct about how the FortiGate unit verifies username and password during user authentication?

A. If a remote server is included in a user group, it will be checked before local accounts.

B. An administrator can define a local account for which the password must be verified by querying a remote server.

C. If authentication fails with a local password, the FortiGate unit will query the authentication server if the local user is configured with both a local password and an authentication server.

D. The FortiGate unit will only attempt to authenticate against Active Directory if Fortinet Server Authentication Extensions are installed and configured.

A firewall policy has been configured for the internal email server to receive email from external parties through SMTP. Exhibits A and B show the AntiVirus and Email Filter profiles applied to this policy.

What is the correct behavior when the email attachment is detected as a virus by the FortiGate AntiVirus engine?

A. The FortiGate unit will remove the infected file and deliver the email with a replacement message to alert the recipient that the original attachment was infected.

B. The FortiGate unit will reject the infected email and notify both the sender and recipient.

C. The FortiGate unit will remove the infected file and add a replacement message. Both sender and recipient are notified that the infected file has been removed.

D. The FortiGate unit will reject the infected email and notify the sender.

SSL Proxy is used to decrypt the SSL-encrypted traffic. After decryption, where is the traffic buffered in preparation for content inspection?

A. The file is buffered by the application proxy.

B. The file is buffered by the SSL proxy.

C. In the upload direction, the file is buffered by the SSL proxy. In the download direction, the file is buffered by the application proxy.

D. No file buffering is needed since a stream-based scanning approach is used for SSL content inspection.

If Open Shortest Path First (OSPF) has already been configured on a FortiGate unit, which of the following statements is correct if the routes learned through OSPF need to be announced by Border Gateway Protocol (BGP)?

A. The FortiGate unit will automatically announce all routes learned through OSPF to its BGP peers if the FortiGate unit is configured as an OSPF Autonomous System Boundary Router (ASBR).

B. The FortiGate unit will automatically announce all routes learned through OSPF to its BGP peers if the FortiGate unit is configured as an OSPF Area Border Router (ABR).

C. At a minimum, the network administrator needs to enable Redistribute OSPF in the BGP settings.

D. The BGP local AS number must be the same as the OSPF area number of the routes learned that need to be redistributed into BGP.

E. By design, BGP cannot redistribute routes learned through OSPF.

A FortiGate unit is configured with three Virtual Domains (VDOMs) as illustrated in the exhibit.

Which of the following statements are correct regarding these VDOMs? (Select all that apply.)

A. The FortiGate unit supports any combination of these VDOMs in NAT/Route and Transparent modes.

B. The FortiGate unit must be a model 1000 or above to support multiple VDOMs.

C. A license had to be purchased and applied to the FortiGate unit before VDOM mode could be enabled.

D. All VDOMs must operate in the same mode.

E. Changing a VDOM operational mode requires a reboot of the FortiGate unit.

F. An admin account can be assigned to one VDOM or it can have access to all three VDOMs.

Which of the following items is NOT a packet characteristic matched by a firewall service object?

A. ICMP type and code

B. TCP/UDP source and destination ports

C. IP protocol number

D. TCP sequence number