Question 6 of 53

Refer to the exhibit.

You created a custom health-check for your FortiWeb deployment.

Given the output shown in the exhibit, which statement is true?

    Correct Answer: B

    The custom health-check configuration includes three types of checks: TCP half-open, HTTP, and ICMP. The HTTP check specifically mentions matching the response code of the URL path '/index.html'. Therefore, the FortiWeb must receive an HTTP 200 response code from the server to pass this check.

Question 7 of 53

Refer to the exhibit.

You created an aggregate interface between a FortiGate and a switch consisting of two 1 Gbps links as shown in the exhibit. However, the maximum bandwidth never exceeds 1 Gbps and employees are reporting that the network is slow. After troubleshooting, you notice that only one member interface is being used. The configuration for the aggregate interface is shown in the exhibit.

In this scenario, which command will solve this problem?

A.

B.

C.

D.

    Correct Answer:

    The problem mentioned indicates that only one member interface is being used in the aggregate link, which implies that the load is not being properly balanced across both links. The current configuration uses the 'L2' algorithm for balancing, which might not be ensuring an appropriate distribution of traffic across both links. To resolve this issue, changing the load balancing algorithm to 'L4' can be more effective. The L4 algorithm allows for better load distribution by considering both layer 2 (MAC/IP) and layer 3 (TCP/UDP port) headers. Therefore, the correct command to solve this problem is:

        config system interface
        edit Agg1
        set algorithm L4
        end

Question 8 of 53

Refer to the exhibit.

A FortiGate device is configured to authenticate SSL VPN users using digital certificates. A partial FortiGate configuration is shown in the exhibit.

Referring to the exhibit, which two statements about this configuration are true? (Choose two.)

    Correct Answer: A, C

    The configuration is set to use the Online Certificate Status Protocol (OCSP) to verify the status of user certificates and requires the certificates to contain specific information. The authentication will fail if the user certificate does not contain the User Principal Name (UPN) information because this is specified in the configuration under the ldap-mode principal-name setting. Additionally, authentication will fail if the OCSP server is down, as the OCSP status is enabled and strict checking is required. OCSP does not verify if a certificate has expired but validates if the certificate has been revoked.

Question 9 of 53

Consider the following FortiGate configuration:

Which command-line option for deep inspection SSL would have the FortiGate re-sign all untrusted self-signed certificates with the trusted Fortinet_CA_SSL certificate?

    Correct Answer: D

    To have the FortiGate re-sign all untrusted self-signed certificates with the trusted Fortinet_CA_SSL certificate during SSL deep inspection, the 'ignore' option should be used. This option changes untrusted certificates to trusted ones.

Question 10 of 53

Refer to the exhibit.

A FortiGate is configured for a dial-up IPsec VPN to allow multiple remote FortiGate devices to connect to it. However, FortiGate A and B have problems connecting to the VPN. Only one of them can be connected at a time. If site B tries to connect while site A is connected, site A is disconnected. The IKE real-time debug shows the output in the exhibit when site A is disconnected.

Referring to the exhibit, which configuration setting should be executed in the dial-up configuration to allow both VPNs to be connected at the same time?

    Correct Answer: A

    To address the issue of both FortiGate A and B being unable to connect simultaneously, the configuration should allow overlapping routes, ensuring that each connection can be maintained without interfering with the other. The setting 'set route-overlap allow' is appropriate as it permits overlapping routes and resolves conflicts that may cause one connection to drop when another is established.