Fortinet EMEA-Advanced-Support Exam Info and Free Practice Test | GuideTorrent Pass Fortinet EMEA-Advanced-Support Premium Files Test Engine pdf - Free Dumps Collection NEW QUESTION # 18 Which FortiGate feature allows for dynamic routing protocol updates to be propagated through an IPsec VPN tunnel? A. Dynamic Routing Gateway B. Virtual Routing and Forwarding (VRF) C. Route-based VPN D. Auto Discovery [...]

All Products Contact now

Fortinet EMEA-Advanced-Support Exam Info and Free Practice Test GuideTorrent [Q18-Q43]

Share

Fortinet EMEA-Advanced-Support Exam Info and Free Practice Test | GuideTorrent

Pass Fortinet EMEA-Advanced-Support Premium Files Test Engine pdf - Free Dumps Collection

NEW QUESTION # 18
Which FortiGate feature allows for dynamic routing protocol updates to be propagated through an IPsec VPN tunnel?

  • A. Dynamic Routing Gateway
  • B. Virtual Routing and Forwarding (VRF)
  • C. Route-based VPN
  • D. Auto Discovery VPN (ADVPN)

Answer: D

Explanation:
Auto Discovery VPN (ADVPN) in FortiGate enables dynamic routing protocols (e.g., OSPF, BGP) to propagate updates through IPsec VPN tunnels by automatically creating shortcut paths between spokes. This simplifies configuration and enhances scalability in hub-and-spoke topologies. Route-based VPN (D) supports routing but not dynamic discovery, VRF (C) is for segmentation, and Dynamic Routing Gateway (B) is not a standard Fortinet feature. Exact extract: "ADVPN allows dynamic routing protocols to be used over IPsec VPN tunnels, enabling spokes to discover and communicate directly via shortcuts, improving efficiency in hub-and-spoke setups."


NEW QUESTION # 19
What happens when a FortiGate detects a SYN flood attack?

  • A. It enables proxy-based inspection
  • B. It applies rate limiting to SYN packets
  • C. It redirects traffic to a backup gateway
  • D. It drops all incoming packets

Answer: B

Explanation:
When FortiGate detects a SYN flood attack, it applies rate limiting to SYN packets via a DoS policy, dropping excessive packets to mitigate the attack. It does not drop all packets (A), enable proxy inspection (B), or redirect traffic (D). Exact extract: "FortiGate mitigates SYN flood attacks using DoS policies, which apply rate limiting to SYN packets to prevent overwhelming the system."


NEW QUESTION # 20
Which FortiGate feature allows inspection of encrypted SSL/TLS traffic?

  • A. SSL Inspection
  • B. Web Filtering
  • C. Deep Packet Inspection
  • D. Application Control

Answer: A

Explanation:
FortiGate's SSL Inspection feature decrypts and inspects SSL/TLS traffic to detect threats or enforce policies, using techniques like full SSL inspection or certificate inspection. Deep Packet Inspection (A) is a broader term, Application Control (C) identifies apps, and Web Filtering (D) blocks URLs, not specific to SSL. Exact extract: "SSL Inspection allows FortiGate to decrypt and inspect SSL/TLS traffic to detect hidden threats or enforce security policies, supporting full or certificate-based inspection."


NEW QUESTION # 21
Which of the below technology(ies) could reduce CPU load and memory utilization used by an IPS engine?

  • A. IPS does not compare traffic to each signature individually. Instead it compiles them into a decision tree
  • B. All of the above
  • C. Using IPS sensors and IPS filter to determine which traffic should be examined for which signatures, instead of examine network traffic for all signatures
  • D. Using multiple engines, aligned with load balancing technologies like Turbo that uses round robin algorithms to dispatch traffic up to specific IPS engine
  • E. Using regular instead of extended database, to reduce memory footprint

Answer: A,C,E

Explanation:
IPS efficiency is improved by: A) Compiling signatures into a decision tree to reduce comparison overhead; B) Using IPS sensors/filters to selectively apply signatures to relevant traffic, reducing unnecessary processing; D) Using a regular database instead of an extended one to lower memory usage. Option C's
"Turbo" and round-robin load balancing is not a standard Fortinet IPS feature. Option E is incorrect as C is not valid. Exact extract: "IPS efficiency is improved by compiling signatures into decision trees to minimize CPU usage... IPS sensors and filters allow selective signature application to reduce processing... Using the regular signature database instead of extended reduces memory footprint."


NEW QUESTION # 22
Which of the following are classful addresses? (Select all that apply below)

  • A. 10.225.30.0/8
  • B. 10.225.30.0/16
  • C. 172.16.0.0/16
  • D. 172.16.0.0/24

Answer: A,C

Explanation:
Classful addressing follows the original IP address classes: Class A (/8), Class B (/16), and Class C (/24).
Option A (10.225.30.0/8) is a Class A address, and C (172.16.0.0/16) is a Class B address. Option B (10.225.30.0/16) and D (172.16.0.0/24) use non-standard masks for their respective ranges, making them classless (CIDR). The original document incorrectly lists only A. Fortinet routing supports both classful and classless addressing. Exact extract: "Classful addressing uses fixed subnet masks: Class A (/8), Class B (/16), and Class C (/24)... Addresses like 10.0.0.0/8 and 172.16.0.0/16 are classful, while non-standard masks indicate classless addressing."


NEW QUESTION # 23
Which term refers to the OSPF router that connects area 0 to a nonbackbone area?

  • A. autonomous system boundary router
  • B. area border router
  • C. backbone router
  • D. area boundary router

Answer: B

Explanation:
The standard term in OSPF for a router connecting the backbone area (Area 0) to a non-backbone area is "area border router" (ABR). It maintains separate LSDBs for each area and performs summarization. "Area boundary router" is similar but not the standard term; ASBR connects to external AS; backbone router is in Area 0. Exact extract: Go to Network > OSPF. Set Router ID to 10.11.101.1. In the Areas table, click Create New and set the following: Area ID. 0.0. Click OK. In the Networks ... A router connected to more than one area is an area border router (ABR). An autonomous system boundary router (ASBR) is located between an OSPF autonomous ... This article describes the basic steps to configure FortiGates in an OSPF scenario where the FortiGates will be ABR and ASBR OSPF routers across 3 areas. OSPF areas are groupings of OSPF routers or logical parts of a network. An area's routing information can be sent as a summary to other areas. This article describes that routes learned from the other OSPF areas will be removed on the ABR router when it has multiple areas and has no backbone ...


NEW QUESTION # 24
Hybrid cloud means that

  • A. Some of the customer's systems are virtualized in the public cloud and some are in the local datacenter
  • B. The cloud provider uses AMD, Intel and possibly also other CPU vendors
  • C. One customer uses VMs with multiple different operating systems in the same cloud account
  • D. Cloud provider provides both 32-bit and 64-bit virtual machines

Answer: A

Explanation:
A hybrid cloud combines on-premises infrastructure (local datacenter) with public cloud resources, allowing workloads to operate across both environments for flexibility and scalability. Fortinet solutions like FortiGate- VM support hybrid cloud deployments. Option A refers to hardware diversity, C to OS variety, and D to architecture types, none of which define hybrid cloud. Exact extract: "Hybrid cloud is the combination of public cloud services with an on-premises private cloud or datacenter... This allows customers to run some systems in the public cloud and others in their local datacenter, managed seamlessly."


NEW QUESTION # 25
What are source and destination MAC addresses of an ARP request?

  • A. The source MAC is that of the sending device and the destination of the targeted device
  • B. The source MAC is that of the sending device and the destination MAC is a broadcast address
  • C. The source MAC is that of the forwarding switch and destination of the targeted device
  • D. The source MAC is that of the sending device and the destination is a multicast address

Answer: B

Explanation:
An ARP (Address Resolution Protocol) request is broadcast to resolve an IP address to a MAC address. The source MAC is the sender's MAC address, and the destination MAC is the broadcast address (FF:FF:FF:FF:
FF:FF) to reach all devices on the local network. Fortinet devices handle ARP for Layer 2 communication.
Options B, C, and D are incorrect as switches don't originate ARP requests, the target's MAC is unknown, and ARP uses broadcast, not multicast. Exact extract: "In an ARP request, the source MAC address is that of the sending device, and the destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF), sent to all devices in the local network segment."


NEW QUESTION # 26
What happens when a FortiGate's CPU enters conserve mode?

  • A. All traffic is blocked
  • B. New sessions are dropped
  • C. Routing protocols are disabled
  • D. Proxy-based inspection is disabled

Answer: D

Explanation:
When a FortiGate's CPU enters conserve mode due to high load, proxy-based inspection (e.g., web filtering, DLP) is disabled to reduce resource usage, while flow-based inspection continues. Traffic isn't fully blocked (A), new sessions may still be processed (C), and routing protocols (D) are unaffected. Exact extract: "In conserve mode, FortiGate disables proxy-based inspection to reduce CPU and memory load, switching to flow-based inspection to maintain performance."


NEW QUESTION # 27
What does the below route indicate?

  • A. The destination network is locally connected on that interface
  • B. The device does not know the destination
  • C. It is a dummy route in the routing table
  • D. The destination network can be reached via any gates

Answer: A

Explanation:
A route with a directly connected interface (no gateway) indicates the destination network is locally attached to that interface on the FortiGate. This is common for networks directly connected to the device's interfaces.
Option A is vague, B is incorrect as it's not a dummy route, and D suggests an unknown route, which isn't the case. Exact extract: "A directly connected route indicates that the destination network is locally attached to the interface specified in the routing table... No gateway is required for such routes as the FortiGate is directly connected to the network."


NEW QUESTION # 28
Which protocol does FortiGate use for secure management access by default?

  • A. Telnet
  • B. SSH
  • C. HTTP
  • D. SNMP

Answer: B

Explanation:
FortiGate uses SSH (Secure Shell) by default for secure management access, providing encrypted command- line access. Telnet (A) and HTTP (C) are insecure, and SNMP (D) is for monitoring, not management. Exact extract: "FortiGate enables SSH by default for secure management access, providing encrypted CLI access to administrators."


NEW QUESTION # 29
Which of these BGP paths will be the preferred one ?

  • A. Prefer the path with the shortest AS Path
  • B. Prefer External path (learned via EBGP) over Internal path (IBGP)
  • C. Prefer the path with the lowest Multi-Exit Discriminator (MED)
  • D. Prefer the path with the highest Local Preference value

Answer: D

Explanation:
BGP path selection follows a specific order of attributes to determine the best path. The process prefers the path with the highest local preference first, as it is one of the earliest steps in the decision process. Local preference is used within an AS to influence outbound traffic. Only if local preferences are equal does it move to the next criteria, such as shortest AS path. The AS path length is considered after local preference, MED after that, and eBGP over iBGP even later. Therefore, among the options, the highest local preference (D) is the most preferred criterion. The original document's answer B is incorrect based on standard BGP selection rules implemented in Fortinet. Exact extract: This article describes the BGP route selection process. Scope FortiGate. Solution Consider only routes with no AS loops and a valid next hop. BGP makes routing decisions based on path, network policies and rulesets ... select the route with the lowest router ID as the best path. Network. Type. To achieve this, multiple route selection techniques can be used. Some are protocol- agnostic (for example, weight) and others are protocol-specific (for example ...).


NEW QUESTION # 30
In a FortiGate high availability (HA) cluster, what happens if the primary unit fails?

  • A. A secondary unit takes over as the primary unit
  • B. The cluster is disabled, and traffic stops
  • C. The cluster switches to active-passive mode
  • D. Traffic is rerouted through an external gateway

Answer: A

Explanation:
In a FortiGate HA cluster (active-active or active-passive), if the primary unit fails, a secondary unit automatically takes over as the primary, ensuring continuity of traffic with minimal disruption. Option A is incorrect as traffic continues, C is incorrect as the mode doesn't change post-failure, and D is unrelated. Exact extract: "In a FortiGate HA cluster, if the primary unit fails, a secondary unit is elected as the new primary, taking over all roles to maintain traffic flow and session continuity."


NEW QUESTION # 31
Which parts of the IKE protocol below are responsible for authenticating the User (username/password) of a dialup IPsec tunnel? (Check all correct answers)

  • A. IKEv1 phase1
  • B. IKEv1 phase2
  • C. IKEv1 Xauth
  • D. IKEv2 EAP
  • E. IKEv2 SA_INIT

Answer: C,D

Explanation:
For user authentication in dialup IPsec, IKEv1 uses XAuth (Extended Authentication) after Phase 1 for username/password. IKEv2 uses EAP (Extensible Authentication Protocol) for similar user auth. Phase 1 and SA_INIT are for peer auth, Phase 2 for child SA negotiation. Exact extract: XAuth increases security by requiring remote dialup client users to authenticate in a separate exchange at the end of phase 1. IPsec IKEv2 VPNs now support certificate authentication and EAP authentication at the same time from a dialup FortiClient. With the eap-cert-auth setting ... IPsec IKEv2 VPNs now support certificate authentication and EAP authentication at the same time from a dialup FortiClient. IPsec IKEv1 uses XAUTH for user authentication, and IPsec IKEv2 uses EAP for user authentication. Only EAP-TTLS is interoperable with LDAP. For LDAP based user ... In your scenario, the user cannot authenticate by providing both a PSK and their credentials (using one of multiple EAP methods).


NEW QUESTION # 32
Which of the following is a network monitoring protocol?

  • A. Telnet
  • B. SSH
  • C. RDP
  • D. SNMP

Answer: D

Explanation:
SNMP (Simple Network Management Protocol) is specifically designed for monitoring and managing network devices, allowing administrators to query device status, performance metrics, and configure alerts for issues. It operates by using agents on devices that report to a central manager. In contrast, RDP is for remote desktop access, Telnet for unsecure remote command-line access, and SSH for secure remote access. SNMP is the standard protocol for network monitoring in Fortinet products like FortiGate, FortiSwitch, etc. Exact extract: SNMP enables administrators to monitor how devices are performing and make changes to network devices so that data moves through the network more efficiently. Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. The FortiSwitch SNMP implementation is read- only. Monitoring FortiAP with SNMP. You can enable SNMP directly on FortiAP by implementing a SNMPD daemon/subagent on the FortiAP side. The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiProxy SNMP agent.


NEW QUESTION # 33
Which FortiGate log type records denied traffic events?

  • A. System Log
  • B. Event Log
  • C. Security Log
  • D. Traffic Log

Answer: D

Explanation:
Traffic Logs in FortiGate record all traffic events, including denied packets, with details like source, destination, and policy ID. Security Logs (B) cover UTM events, Event Logs (C) system events, and System Logs (D) hardware or system status, not specifically denied traffic. Exact extract: "Traffic Logs record all packet activity, including allowed and denied traffic, with details such as source/destination IPs, ports, and the firewall policy applied."


NEW QUESTION # 34
In Active FTP who sends the PORT command?

  • A. The FTP Server
  • B. Both
  • C. There is no PORT command in Active FTP
  • D. The FTP Client

Answer: D

Explanation:
In Active FTP, the client sends the PORT command to the server, specifying an ephemeral port for the server to initiate the data connection back to the client. This distinguishes Active FTP from Passive FTP, where the server provides the port. The server does not send PORT, and the command is a key part of Active FTP. Exact extract: "In Active FTP, the client sends a PORT command to the server, specifying the IP address and port number for the data connection... The server then initiates the data connection to the client's specified port."


NEW QUESTION # 35
What is the role of the FortiGate 'set srcintf' command in a firewall policy?

  • A. Configures the source NAT interface
  • B. Specifies the source interface for traffic matching
  • C. Defines the destination interface for traffic
  • D. Sets the source IP address range

Answer: B

Explanation:
The 'set srcintf' command in a FortiGate firewall policy specifies the source interface from which traffic originates, helping define the policy's scope. It does not set the destination interface (B), source IP range (C), or NAT interface (D). Exact extract: "The 'set srcintf' command in a firewall policy specifies the source interface for incoming traffic, allowing FortiGate to match packets based on their entry interface."


NEW QUESTION # 36
What is the default FortiGate behavior when a packet matches no firewall policy?

  • A. The packet is forwarded to the default gateway
  • B. The packet is sent to the IPS engine
  • C. The packet is dropped
  • D. The packet is logged and allowed

Answer: C

Explanation:
FortiGate operates on a default-deny principle; if a packet does not match any firewall policy, it is dropped to ensure security. No forwarding (A), IPS processing (C), or automatic allowing (D) occurs without a matching policy. Exact extract: "FortiGate uses a default-deny approach; packets that do not match any configured firewall policy are dropped to prevent unauthorized traffic."


NEW QUESTION # 37
How many layers does the OSI Model contain?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: D

Explanation:
The OSI (Open Systems Interconnection) model consists of seven layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application. This framework is used in Fortinet documentation to explain protocol operations. Options A, C, and D are incorrect as they do not match the standard OSI model.
Exact extract: "The OSI model defines seven layers for network communication: 1. Physical, 2. Data Link, 3.
Network, 4. Transport, 5. Session, 6. Presentation, 7. Application."


NEW QUESTION # 38
How does a stateful firewall control a TCP session?

  • A. TCP destination ports are used to control the session
  • B. TCP ack numbers are used to control the session
  • C. TCP sequence numbers and TCP flags are used to control the session
  • D. TCP source ports are used to control the session

Answer: C

Explanation:
A stateful firewall, like FortiGate, tracks TCP sessions by maintaining a state table that includes TCP sequence numbers and flags (e.g., SYN, ACK, FIN) to monitor the connection's lifecycle (establishment, data transfer, termination). This ensures proper session handling, detecting out-of-order packets or invalid states.
Source and destination ports identify the session but don't control its state, and ACK numbers alone are insufficient. Exact extract: "Stateful inspection tracks TCP sessions using sequence numbers and TCP flags (SYN, ACK, FIN, etc.) to ensure packets are valid and part of an established session... FortiGate maintains a state table to monitor the TCP connection states."


NEW QUESTION # 39
......

Updated Official licence for EMEA-Advanced-Support Certified by EMEA-Advanced-Support Dumps PDF: https://testking.guidetorrent.com/EMEA-Advanced-Support-dumps-questions.html

Related Articles

more
Fortinet EMEA-Advanced-Support Certification Practice Exam