Summer Sale - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpt65

FCSS_NST_SE-7.4 Questions and Answers

Question # 6

Which exchange lakes care of DoS protection in IKEv2?

A.

Create_CHILD_SA

B.

IKE_Auth

C.

IKE_Req_INIT

D.

IKE_SA_NIT

Full Access
Question # 7

Refer to the exhibit, which shows one way communication of the downstream FortiGate with the upstream FortiGate within a Security Fabric.

What three actions must you take to ensure successful communication? (Choose three.)

A.

You must authorize the downstream FortiGate on the root FortiGate.

B.

FortiGate must not be in NAT mode.

C.

Ensure TCP port 8013 is not blocked along the way.

D.

You must enable Security Fabric/Fortitelemetry on the receiving interface of the upstream FortiGate.

E.

Ensure the port for Neighbor Discovery has been changed.

Full Access
Question # 8

Refer to the exhibit, which shows a partial output from the get router info routing-table database command.

The administrator wants to configure a default static route for port3 and assign a distance of 50 and a priority of 0.

What will happen to the port1 and port2 default static routes after the port3 default static route is created?

A.

The port2 default static route will be injected into the forwarding information base (FIB).

B.

The port1 default static route will be injected into the FIB.

C.

Neither of the routes shown in the output will be injected into the FIB.

D.

Both default static routes shown in the output will be injected into the FIB.

Full Access
Question # 9

Which two statements about conserve mode are true? (Choose two.)

A.

FortiGate enters conserve mode when the system memory reaches the configured extreme threshold.

B.

FortiGate starts taking the configured action for new sessions requiring content inspection when the system memory reaches the configured red threshold.

C.

FortiGate exits conserve mode when the system memory goes below the configured green threshold.

D.

FortiGate starts dropping all new sessions when the system memory reaches the configured red threshold.

Full Access
Question # 10

Refer to the exhibit, which shows the partial output of FortiOS kernel slabs.

Which statement is true?

A.

The total slab size of the sctp_session slab is 0 kB and is associated with the user space.

B.

The total slab size of the ip_session slab is 3600 kB and is associated with the user space.

C.

The total slab size of the ip6_session slab is 1300 kB and is associated with the kernel.

D.

The total slab size of the tcp_session slab is 7500 kB and is associated with the kernel.

Full Access
Question # 11

Exhibit.

Refer to the exhibit, which shows the output of a session. Which two statements are true? (Choose Iwo.)

A.

The TCP session has been successfully established.

B.

The session was initiated from an authenticated user.

C.

The session is being inspected using flow inspection.

D.

The session is being offloaded.

Full Access
Question # 12

Exhibit.

Refer to the exhibit, which shows the output of get system ha status.

NGFW-1 and NGFW-2 have been up for a week.

Which two statements about the output are true? (Choose two.)

A.

If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a synchronization reset.

B.

If port 7 becomes disconnected on the secondary, both FortiGate devices will elect itself as primary.

C.

If FGVM...649 is rebooted. FGVM...650 will become the primary and retain that role, even after FGVM...649 rejoins the cluster.

D.

If no action is taken, the primary FortiGate will leave the cluster because of the current sync status.

Full Access
Question # 13

Refer to the exhibit, which contains the output of diagnose vpn tunnel list.

Which command will capture ESP traffic for the VPN named DialUp_0?

A.

diagnose sniffer packet any 'ip proto 50'

B.

diagnose sniffer packet any 'host 10.0.10.10'

C.

diagnose sniffer packet any 'esp and host 10.200.3.2'

D.

diagnose sniffer packet any 'port 4500'

Full Access
Question # 14

In the SAML negotiation process, which section does the Identity Provider (IdP) provide the SAML attributes utilized in the authentication process to the Service Provider (SP)?

A.

SP Login dump

B.

Authentication Response

C.

Authentication Request

D.

Assertion dump

Full Access
Question # 15

Exhibit.

Refer to the exhibit, which shows two entries that were generated in the FSSO collector agent logs.

What three conclusions can you draw from these log entries? {Choose three.)

A.

Remote registry is not running on the workstation.

B.

The user's status shows as "not verified" in the collector agent.

C.

DNS resolution is unable to resolve the workstation name.

D.

The FortiGate firmware version is not compatible with that of the collector agent.

E.

A firewall is blocking traffic to port 139 and 445.

Full Access
Question # 16

Refer to the exhibit, which shows the output of the command get router info bgp neighbors 100.64.2.254 advertised-routes.

What can you conclude from the output?

A.

The BGP state of the two BGP participants is OpenConfirm.

B.

The router ID of the neighbor is 100.64.2.254.

C.

The BGP neighbor is advertising the 10.20.30.40/24 network to the local router.

D.

The local router is advertising the 10.20.30.40/24 network to its BGP neighbor.

Full Access
Question # 17

Refer to the exhibit, which shows the output of diagnose sys session list.

If the HA ID for the primary device is 0, what happens if the primary fails and the secondary becomes the primary?

A.

The secondary device has this session synchronized; however, because application control is applied, the session is marked dirty and has to be re-evaluated after failover.

B.

Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.

C.

The session will be removed from the session table of the secondary device because of the presence of allowed error packets, which will force the client to restart the session with the server.

D.

The session state is preserved but the kernel will need to re-evaluate the session because NAT was applied.

Full Access
Question # 18

Exhibit.

Refer to the exhibit, which shows a partial web fillet profile configuration.

Which action does FortiGate lake if a user attempts to access www. dropbox. com, which is categorized as File Sharing and Storage?

A.

FortiGate allows the connection, based on the URL Filter configuration.

B.

FortiGate blocks the connection as an invalid URL.

C.

FortiGate exempts the connection, based on the Web Content Filter configuration.

D.

FortiGate blocks the connection, based on the FortiGuard category based filter configuration.

Full Access
Question # 19

Refer to the exhibit, which shows a session entry.

Which statement about this session is true?

A.

Return traffic to the initiator is sent to 10.1.0.1.

B.

Return traffic to the initiator is sent lo 10.200.1.254.

C.

It is an ICMP session from 10.1.10.10 to 10.200.1.1.

D.

It is an ICMP session from 10.1.10.1 to 10.200.5.1.

Full Access