Question 7

An administrator applied a block-all IPS profile for client and server targets to secure the server, but the database team reported the application stopped working immediately after.
How can an administrator apply IPS in a way that ensures it does not disrupt existing applications in the network?

Correct Answer: A
Applying an aggressive IPS profile without prior testing can disrupt legitimate applications by incorrectly identifying normal traffic as malicious. To prevent disruptions while still monitoring for threats:
Enable IPS in "Monitor Mode" first:
This allows FortiGate to log and analyze potential threats without actively blocking traffic. Administrators can review the logs and fine-tune IPS signatures to minimize false positives before switching to blocking mode.
Verify and adjust signature patterns:
Some signatures might trigger unnecessary blocks for legitimate application traffic. By analyzing logs, administrators can disable or modify the specific rules that cause false positives.
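As an added example (not from the exam page; FortiOS CLI syntax as generally known, with sensor, policy, interface and address-object names being placeholders), an IPS sensor that logs every signature match but blocks nothing, attached to the policy fronting the database server for the tuning phase:

```fortios
# Added example: monitor-only IPS sensor for the tuning phase.
# All names below are placeholders chosen for this example.
config ips sensor
    edit "ips-monitor-only"
        set comment "Tuning phase: log only, no blocking"
        config entries
            edit 1
                set location all       # client and server signatures
                set severity all
                set status enable
                set action pass        # pass = detect and log, do not block
                set log enable
            next
        end
    next
end
# Attach the monitor-only sensor to the policy that fronts the database server.
config firewall policy
    edit 10
        set name "to-db-server"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "db-server"
        set schedule "always"
        set service "ALL"
        set action accept
        set utm-status enable
        set ips-sensor "ips-monitor-only"
    next
end
# After reviewing the IPS logs, move to enforcement: change "set action pass"
# to "set action default" (each signature's own default action) or
# "set action block", and add a separate entry that sets "set action pass"
# for the specific signatures that produced false positives.
```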

Question 8

Refer to the exhibit, which shows an ADVPN network.
[Exhibit image]
The client behind Spoke-1 generates traffic to the device located behind Spoke-2.
What is the first message that the hub sends to Spoke-1 to bring up the dynamic tunnel?

Correct Answer: B
In an ADVPN (Auto-Discovery VPN) network, a dynamic VPN tunnel is established on demand between spokes to optimize traffic flow and reduce latency.
Process:
* 1. Traffic Initiation:
A client behind Spoke-1 sends traffic to a device behind Spoke-2.
The traffic initially flows through the hub, following the pre-established overlay tunnel.
* 2. Hub Detection:
The hub detects that Spoke-1 is communicating with Spoke-2 and determines that a direct shortcut tunnel between the spokes can optimize the connection.
* 3. Shortcut Offer:
The hub sends a "Shortcut Offer" message to Spoke-1, informing it that a direct dynamic tunnel to Spoke-2 is possible.
* 4. Tunnel Establishment:
Spoke-1 and Spoke-2 then negotiate and establish a direct IPsec tunnel for communication.
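As an added example (not from the exam page; FortiOS CLI syntax as generally known, with tunnel names, interfaces, the hub address and the pre-shared keys being placeholders), the phase1 settings that let the hub send shortcut offers and let a spoke accept them:

```fortios
# Added example: ADVPN phase1 settings. Names and addresses are placeholders.
# Hub: dynamic tunnel that advertises shortcut offers to the spokes
config vpn ipsec phase1-interface
    edit "Hub2Spokes"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set add-route disable
        set auto-discovery-sender enable      # hub may send Shortcut Offers
        set proposal aes256-sha256
        set psksecret <hub-psk-placeholder>
    next
end
# Spoke-1: accepts shortcut offers and builds the direct tunnel to Spoke-2
config vpn ipsec phase1-interface
    edit "Spoke1ToHub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set add-route disable
        set auto-discovery-receiver enable    # spoke acts on Shortcut Offers
        set proposal aes256-sha256
        set remote-gw 203.0.113.1             # placeholder hub address
        set psksecret <spoke-psk-placeholder>
    next
end
# After traffic between the spokes starts, the shortcut appears as a child
# tunnel in: diagnose vpn tunnel list
```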

Question 9

Refer to the exhibit, which shows a corporate network and a new remote office network.
[Exhibit image]
An administrator must integrate the new remote office network with the corporate enterprise network.
What must the administrator do to allow routing between the two networks?

Correct Answer: D
In this scenario, the corporate network and the new remote office network need to communicate over the Internet, which requires a secure and dynamic routing method. Since both networks are using OSPF (Open Shortest Path First) as the routing protocol, the best approach is to establish OSPF over an IPsec VPN to ensure secure and dynamic route propagation.
OSPF is already running on the corporate network, and extending it over an IPsec tunnel allows dynamic route exchange between the corporate FortiGate and the remote office FortiGate. IPsec provides encryption for traffic over the Internet, ensuring secure communication. OSPF over IPsec eliminates the need for manual static routes, allowing automatic route updates if networks change.
The new remote office's 192.168.1.0/24 subnet will be advertised dynamically to the corporate network without additional configuration.
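As an added example (not from the exam page; FortiOS CLI syntax as generally known, with the tunnel name, tunnel addresses, router ID and area being placeholders), the remote office FortiGate side of OSPF over IPsec, advertising the 192.168.1.0/24 subnet from the question across the tunnel:

```fortios
# Added example: remote office side of OSPF over IPsec.
# "to-corp" is an existing IPsec tunnel interface; its IPs are placeholders.
# Give the tunnel interface an IP so OSPF can form an adjacency over it
config system interface
    edit "to-corp"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.255
        set allowaccess ping
    next
end
# Run OSPF on the LAN and across the tunnel; point-to-point avoids DR/BDR election
config router ospf
    set router-id 10.255.0.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-tunnel"
            set interface "to-corp"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0   # remote office LAN
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.255.0.0 255.255.255.0    # tunnel addressing
            set area 0.0.0.0
        next
    end
end
# A firewall policy between the tunnel interface and the LAN is still needed.
# Verify the adjacency and the learned corporate routes:
# get router info ospf neighbor
# get router info routing-table ospf
```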

Question 10

Refer to the exhibits.
[Exhibit image]
[Exhibit image]
The Administrators section of a root FortiGate device and the Security Fabric Settings section of a downstream FortiGate device are shown.
When prompted to sign in with Security Fabric in the downstream FortiGate device, a user enters the AdminSSO credentials.
What is the next status for the user?

Correct Answer: C
From the Root FortiGate - System Administrator Configuration exhibit: the AdminSSO account has the super_admin_readonly role.
From the Downstream FortiGate - Security Fabric Settings exhibit:
The Security Fabric role is set to Join Existing Fabric, meaning it will authenticate with the root FortiGate.
SAML Single Sign-On (SSO) is enabled, and the default admin profile is set to super_admin_readonly.
When the AdminSSO user logs into the downstream FortiGate using SSO, the authentication request is sent to the root FortiGate, where AdminSSO has super_admin_readonly permissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be granted super_admin_readonly access.

Question 11

Refer to the exhibit, which shows a partial troubleshooting command output.
[Exhibit image]
An administrator is extensively using IPsec on FortiGate. Many tunnels show information similar to the output shown in the exhibit.
What can the administrator conclude?

Correct Answer: B
The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).
npu_flag=20:
This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.
npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:
These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.
npu_selid=1:
This value means the session selector for the NPU offloaded SA is active.
Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

Question 12

Refer to the exhibit, which shows a partial enterprise network.
[Exhibit image]
An administrator would like the area 0.0.0.0 to detect the external network. What must the administrator configure?

Correct Answer: A
The diagram shows a multi-area OSPF network where:
FortiGate A is in OSPF Area 0 (backbone area).
FortiGate B is in OSPF Area 0.0.0.1 and is connected to a RIP network.
To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B must redistribute RIP routes into OSPF.
Steps to achieve this:
* 1. Enable route redistribution on FortiGate B to inject RIP-learned routes into OSPF.
* 2. This allows OSPF Area 0.0.0.1 to forward RIP routes to OSPF Area 0 (0.0.0.0), making the external network visible.
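As an added example (not from the exam page; FortiOS CLI syntax as generally known, with the router ID and the prefix being placeholders and 0.0.0.1 being the area from the question), the redistribution configuration on FortiGate B that injects RIP-learned routes into OSPF:

```fortios
# Added example: FortiGate B redistributes RIP into OSPF. Router ID and the
# local prefix are placeholders; RIP itself is assumed to be already running.
config router ospf
    set router-id 10.0.1.1
    config area
        edit 0.0.0.1
            set type regular   # a stub/NSSA area would not flood type-5 LSAs to Area 0
        next
    end
    config network
        edit 1
            set prefix 10.0.1.0 255.255.255.0
            set area 0.0.0.1
        next
    end
    config redistribute "rip"
        set status enable
        set metric 20
        set metric-type 2      # external type 2: metric does not grow per hop
    end
end
# Verify on FortiGate A (Area 0) that the RIP-originated prefixes arrive as
# OSPF external (O E2) routes:
# get router info routing-table ospf
```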
