Fortinet Fortinet Certification FCNSP.V5 Questions & Answers

• Question 111:

  Review the CLI configuration below for an IPS sensor and identify the correct statements regarding this configuration from the choices below. (Select all that apply.)

  config ips sensor edit "LINUX_SERVER" set comment '' set replacemsg-group '' set log enable config entries edit 1 set action default set application all set location server set log enable set log-packet enable set os Linux set protocol all set quarantine none set severity all set status default next end next end

  A. The sensor will log all server attacks for all operating systems.

  B. The sensor will include a PCAP file with a trace of the matching packets in the log message of any matched signature.

  C. The sensor will match all traffic from the address object `LINUX_SERVER'.

  D. The sensor will reset all connections that match these signatures.

  E. The sensor only filters which IPS signatures to apply to the selected firewall policy.

  Correct Answer: BE

• Question 112:

  Identify the correct properties of a partial mesh VPN deployment:

  A. VPN tunnels interconnect between every single location.

  B. VPN tunnels are not configured between every single location.

  C. Some locations are reached via a hub location.

  D. There are no hub locations in a partial mesh.

  Correct Answer: BC

• Question 113:

  Review the IPsec phase1 configuration in the Exhibit shown below; then answer the question following it.

  

  Which of the following statements are correct regarding this configuration? (Select all that apply).

  A. The phase1 is for a route-based VPN configuration.

  B. The phase1 is for a policy-based VPN configuration.

  C. The local gateway IP is the address assigned to port1.

  D. The local gateway IP address is 10.200.3.1.

  Correct Answer: AC

• Question 114:

  Review the IPsec Phase2 configuration shown in the Exhibit; then answer the question following it.

  

  Which of the following statements are correct regarding this configuration? (Select all that apply).

  A. The Phase 2 will re-key even if there is no traffic.

  B. There will be a DH exchange for each re-key.

  C. The sequence number of ESP packets received from the peer will not be checked.

  D. Quick mode selectors will default to those used in the firewall policy.

  Correct Answer: AB

• Question 115:

  Review the static route configuration for IPsec shown in the Exhibit below; then answer the question following it.

  

  Which of the following statements are correct regarding this configuration? (Select all that apply).

  A. Remote_1 is a Phase 1 object with interface mode enabled

  B. The gateway address is not required because the interface is a point-to-point connection

  C. The gateway address is not required because the default route is used

  D. Remote_1 is a firewall zone

  Correct Answer: AB

• Question 116:

  Review the IKE debug output for IPsec shown in the Exhibit below.

  

  Which one of the following statements is correct regarding this output?

  A. The output is a Phase 1 negotiation.

  B. The output is a Phase 2 negotiation.

  C. The output captures the Dead Peer Detection messages.

  D. The output captures the Dead Gateway Detection packets.

  Correct Answer: C

• Question 117:

  Review the IPsec diagnostics output of the command diag vpn tunnel list shown in the Exhibit.

  

  Which of the following statements is correct regarding this output? (Select one answer).

  A. One tunnel is rekeying

  B. Two tunnels are rekeying

  C. Two tunnels are up

  D. One tunnel is up

  Correct Answer: C

• Question 118:

  Review the configuration for FortiClient IPsec shown in the Exhibit below.

  

  Which of the following statements is correct regarding this configuration?

  A. The connecting VPN client will install a route to a destination corresponding to the STUDENT_INTERNAL address object

  B. The connecting VPN client will install a default route

  C. The connecting VPN client will install a route to the 172.20.1.[1-5] address range

  D. The connecting VPN client will connect in web portal mode and no route will be installed

  Correct Answer: A

• Question 119:

  Review the IPsec diagnostics output of the command diag vpn tunnel list shown in the Exhibit below.

  

  Which of the following statements are correct regarding this output? (Select all that apply.)

  A. The connecting client has been allocated address 172.20.1.1.

  B. In the Phase 1 settings, dead peer detection is enabled.

  C. The tunnel is idle.

  D. The connecting client has been allocated address 10.200.3.1.

  Correct Answer: AB

• Question 120:

  Examine the Exhibit shown below; then answer the question following it.

  

  In this scenario, the Fortigate unit in Ottawa has the following routing table: S* 0.0.0.0/0 [10/0] via 172.20.170.254, port2 C 172.20.167.0/24 is directly connected, port1 C 172.20.170.0/24 is directly connected, port2

  Sniffer tests show that packets sent from the Source IP address 172.20.168.2 to the Destination IP address 172.20.169.2 are being dropped by the FortiGate unit located in Ottawa. Which of the following correctly describes the cause for the dropped packets?

  A. The forward policy check.

  B. The reverse path forwarding check.

  C. The subnet 172.20.169.0/24 is NOT in the Ottawa FortiGate unit's routing table.

  D. The destination workstation 172.20.169.2 does NOT have the subnet 172.20.168.0/24 in its routing table.

  Correct Answer: B