




















































































Designed for GIS developers using Python with ArcGIS. Covers scripting workflows, spatial data manipulation, feature services, geoprocessing tasks, automation, mapping visualization, Jupyter Notebook integration, and enterprise GIS administration. Provides step-by-step coding scenario questions, API usage tests, and solution-design challenges.
Typology: Exams





















































































Question 1. Which command provides a quick view of the CPU and memory usage on a FortiGate unit?
A) get system performance
B) diagnose sys top
C) show system resources
D) diagnose hardware monitor
Answer: B
Explanation: diagnose sys top displays real-time CPU and memory utilization, similar to the Linux top command.

Question 2. When initially accessing a new FortiGate, which of the following methods is NOT a supported way to reach the setup wizard?
A) Console cable via CLI
B) HTTPS on port 443 of the internal interface
C) SSH on port 22 of the WAN interface
D) Direct GUI access on port 80 of the internal interface
Answer: C
Explanation: The setup wizard is only reachable via the internal management interface (port 1) using HTTPS or HTTP; SSH on the WAN interface does not launch the wizard.

Question 3. To enforce strong password policies for local administrator accounts, which setting should be configured?
A) admin-password-policy
B) strong-password-enforcement
C) password-policy-admin
D) set password-policy
Answer: D
Explanation: The set password-policy command under the admin configuration allows you to define minimum length, complexity, and expiration for local admin passwords.

Question 4. Which FortiGuard service must be activated to enable web filtering with up-to-date category feeds?
A) FortiGuard Antivirus
B) FortiGuard Web Filtering
C) FortiGuard Intrusion Prevention
D) FortiGuard Application Control
Answer: B
Explanation: FortiGuard Web Filtering provides continuously updated URL and category databases used by web filter profiles.

Question 5. A VLAN interface is required on port 3 with ID 100 and IP 192.168.100.1/24. Which CLI sequence correctly creates it?
A) config system interface; edit VLAN100; set vdom root; set type vlan; set vlanid 100; set interface port3; set ip 192.168.100.1 255.255.255.0; next; end
B) config system interface; edit port3.100; set type vlan; set vlanid 100; set ip 192.168.100.1/24; next; end
C) config system interface; edit VLAN100; set type physical; set interface port3; set vlanid 100; set ip 192.168.100.1 255.255.255.0; next; end
D) config system interface; edit vlan100; set type vlan; set interface port3; set vlanid 100; set ip 192.168.100.1/24; next; end
Answer: B
Explanation: The VLAN interface name follows the pattern <physical_interface>.<vlan_id>; set type vlan and set vlanid 100 configure the VLAN ID, and IP is entered with CIDR notation.

Explanation: The Fabric root aggregates logs, policies, and threat intelligence, providing unified visibility and coordinated response across all connected devices.

Question 9. An automation stitch is configured to trigger when a FortiGuard IPS event with severity “high” occurs. Which action type would automatically block the source IP?
A) Email notification
B) Run script on FortiAnalyzer
C) Create dynamic address group with block policy
D) Log to local disk only
Answer: C
Explanation: Automation stitches can create or modify address objects/groups and then apply a firewall policy to block traffic from the offending source.

Question 10. Which logging option must be enabled to capture traffic logs for a specific firewall policy?
A) Log traffic to memory only
B) Enable “Log Allowed Traffic” on the policy
C) Set global log severity to “information”
D) Enable “Log All Sessions” in system settings
Answer: B
Explanation: Each firewall policy has a “Log Allowed Traffic” toggle; enabling it records permitted sessions for that policy.

Question 11. When interpreting a FortiGate traffic log entry, which field indicates the NAT translation that was applied?
A) srcintf
B) dstintf
C) nat-srcip
D) service
Answer: C
Explanation: nat-srcip (or nat-dstip) shows the IP address after NAT translation, allowing you to see the original and translated addresses.

Question 12. Which diagnostic command helps trace the packet flow through policy, NAT, and routing phases for a specific source and destination?
A) diagnose debug flow filter src 10.0.0.1 dst 8.8.8.
B) diagnose packet-trace start
C) diagnose firewall ip-policy-lookup 10.0.0.1 8.8.8.
D) diagnose debug flow trace start
Answer: A
Explanation: diagnose debug flow filter src <IP> dst <IP> followed by diagnose debug flow trace start shows the step-by-step processing of the packet.

Question 13. Which VDOM mode allows a single physical FortiGate to act as multiple independent firewalls with separate policies and routing tables?
A) Virtual Router Mode
B) Virtual Domain (VDOM) mode
C) Multi-Tenant Mode
D) Partitioned Mode
Answer: B
Explanation: VDOM mode splits the device into isolated virtual domains, each with its own configuration, policies, and routing.

Explanation: The log specifically notes the virtual MAC address migration, confirming that the secondary unit is now the active gateway.

Question 17. Which command displays the current system status, including firmware version, serial number, and uptime?
A) get system status
B) diagnose system info
C) show version
D) get hardware status
Answer: A
Explanation: get system status provides a concise summary of firmware, serial, and uptime.

Question 18. To verify Layer-2 connectivity between a FortiGate port and a switch, which command is most appropriate?
A) ping <switch-IP>
B) traceroute <switch-IP>
C) get system arp
D) diagnose netlink interface list
Answer: C
Explanation: The ARP table shows MAC address mappings, confirming that the FortiGate has learned the switch’s MAC on the same VLAN.

Question 19. Which of the following best describes the order in which firewall policies are evaluated?
A) Alphabetical order by policy name
B) By policy ID from lowest to highest
C) By source interface, then destination interface, then policy ID
D) Random order for load balancing
Answer: B
Explanation: FortiGate processes policies sequentially based on the numeric policy ID, from the lowest to the highest.

Question 20. In an Interface-based policy mode, which field determines the traffic that matches a policy?
A) Source and destination IP addresses only
B) Source and destination interfaces only
C) Source/destination zones, addresses, services, and interfaces
D) Application signatures only
Answer: C
Explanation: Interface-based policies consider source/destination zones, IP/addresses, services, and the interfaces they traverse.

Question 21. Which NAT type is used to map multiple internal hosts to a single public IP using different source ports?
A) One-to-One NAT
B) Overload (Hide NAT)
C) Destination NAT
D) Fixed Port NAT
Answer: B
Explanation: Overload (Hide NAT) translates many internal addresses to one external IP, differentiating them by source port numbers.

Question 22. A Virtual IP (VIP) is required to publish an internal web server at 10.0.10.5 on port 80 to the Internet using public IP 203.0.113.10. Which setting must be configured?

Question 25. To enforce user-based firewall policies, which feature must be enabled in the policy?
A) Enable “Log All Sessions”
B) Enable “User Identity” and select a user group
C) Set “Schedule” to always on
D) Enable “NAT” on the policy
Answer: B
Explanation: Selecting a user group under the “User Identity” section ties the policy to authenticated users rather than just IP addresses.

Question 26. Which component of FortiSSO collects user login information from Windows Domain Controllers?
A) FortiGate DC Agent
B) FortiAnalyzer Collector
C) FortiToken Server
D) FortiClient SSO Agent
Answer: A
Explanation: The FortiGate DC Agent runs on a domain controller and reports user login events to FortiGate for SSO enforcement.

Question 27. When configuring SSL deep inspection, which certificate must be installed on client browsers to avoid certificate warnings?
A) FortiGate self-signed CA certificate imported into the browser trust store
B) Wildcard certificate from a public CA
C) Server certificate of the internal web server
D) Intermediate certificate from FortiGuard
Answer: A
Explanation: The FortiGate acts as a man-in-the-middle; its CA certificate must be trusted by client browsers to prevent warnings.

Question 28. Which web filtering inspection mode provides the highest performance but cannot inspect encrypted traffic?
A) Deep Inspection
B) Certificate Inspection
C) Flow-based inspection
D) Proxy-based inspection
Answer: C
Explanation: Flow-based inspection processes traffic at line speed without decrypting SSL, offering high performance but no visibility into encrypted content.

Question 29. To exempt a banking website from SSL inspection, which configuration should be used?
A) Create a web filter bypass rule for the domain
B) Add the domain to the SSL/SSH Inspection Exempt List
C) Disable deep inspection globally
D) Set the site’s category to “Trusted” in FortiGuard
Answer: B
Explanation: The SSL/SSH Inspection Exempt List allows specific URLs or domains to bypass deep inspection while keeping it enabled for other traffic.

Question 30. Which DNS filter action blocks a query and returns an NXDOMAIN response?
A) Override with custom IP
B) Block
C) Allow

B) Proxy-based scanning
C) On-access scanning
D) FortiSandbox integration
Answer: D
Explanation: FortiSandbox can detonate and analyze files in a sandbox environment, providing deeper inspection for encrypted payloads that may bypass traditional AV scanning.

Question 34. A file filter profile is set to block all files with the .exe extension. Which traffic will still be scanned for malware?
A) All .exe files are blocked before scanning, so none are scanned
B) Only .exe files from trusted sources are scanned
C) All files, regardless of extension, are scanned for malware before the file filter applies
D) Only files larger than 1 MB are scanned
Answer: C
Explanation: The AV engine scans every file first; the file filter then enforces the block based on extension, ensuring both detection and policy enforcement.

Question 35. Which IPS sensor setting allows you to ignore low-severity alerts while still logging them?
A) Action = Block
B) Action = Alert
C) Severity = Medium-to-High only
D) Log = Enable, Action = Pass
Answer: D
Explanation: Setting the sensor to “Log = Enable” with “Action = Pass” records low-severity events without dropping traffic.

Question 36. To protect against a SYN-flood DoS attack, which IPS feature should be enabled?
A) Protocol anomaly detection for TCP SYN
B) Application signature for HTTP flood
C) Botnet C&C detection
D) Anti-virus scanning of SYN packets
Answer: A
Explanation: IPS can detect abnormal TCP SYN patterns and trigger mitigation actions for SYN-flood attacks.

Question 37. When configuring a static route with a distance of 10 and another with distance 20, which route will be preferred?
A) The route with distance 10
B) The route with distance 20
C) Both will be used equally (load-balanced)
D) The route with the lower metric regardless of distance
Answer: A
Explanation: Lower administrative distance takes precedence in route selection.

Question 38. Which routing protocol is best suited for a small, single-area network with minimal configuration?
A) BGP
B) OSPF
C) RIP
D) IS-IS
Answer: C

C) FortiWeb
D) FortiProxy
Answer: B
Explanation: FortiPortal (the SSL VPN web portal) allows users to access internal web apps via a browser without installing a client.

Question 42. Which SSL VPN mode establishes a virtual IP address for the user and routes all traffic through the tunnel?
A) Web Mode
B) Tunnel Mode
C) Clientless Mode
D) Split-Tunnel Mode
Answer: B
Explanation: Tunnel Mode creates a full-tunnel IPsec-like connection, assigning a virtual IP to the user and routing all traffic through the FortiGate.

Question 43. To restrict SSL VPN users to a specific subnet, which configuration must be applied?
A) Assign the subnet in the SSL VPN portal’s “IP Pool”
B) Enable split-tunneling for that subnet only
C) Set a firewall policy with source = VPN user group and destination = subnet
D) Apply a web filter profile to the portal
Answer: C
Explanation: A firewall policy that matches the VPN user group and the allowed subnet enforces access control; the IP pool only provides addressing.

Question 44. During IPsec Phase 1, which parameter defines the Diffie-Hellman group used for key exchange?
A) Encryption algorithm
B) Authentication method
C) DH group
D) Lifetime
Answer: C
Explanation: The DH group determines the strength of the key exchange during IKE Phase 1.

Question 45. Which of the following is a valid reason for an IPsec tunnel to remain in “Phase 1 negotiation failed” state?
A) Mismatched NAT traversal settings on peers
B) Incorrect DNS server configuration on the FortiGate
C) Missing default route on the internal network
D) Disabled DHCP on the WAN interface
Answer: A
Explanation: NAT-Traversal mismatches prevent successful IKE negotiation, leading to Phase 1 failures.

Question 46. In a route-based IPsec VPN, what object represents the tunnel interface?
A) IPsec Phase 2 selector
B) Virtual IP (VIP)
C) VTI (Virtual Tunnel Interface)
D) Tunnel-IP pool
Answer: C
Explanation: VTIs are logical interfaces that carry IPsec traffic for route-based VPNs.

Question 50. When configuring a firewall policy to log only denied traffic, which setting must be toggled?
A) Log Allowed Traffic = disable
B) Log Denied Traffic = enable
C) Log All Sessions = disable
D) Log Traffic = deny only
Answer: B
Explanation: Enabling “Log Denied Traffic” records only sessions that are blocked by the policy.

Question 51. Which of the following best describes the purpose of a “Central NAT” rule in a multi-VDOM environment?
A) Apply NAT to traffic exiting the root VDOM regardless of source VDOM
B) Perform NAT only for inter-VDOM traffic
C) Disable NAT on all VDOMs simultaneously
D) Provide NAT for VPN tunnels only
Answer: A
Explanation: Central NAT allows the root VDOM to apply a common NAT rule to traffic from any VDOM before it leaves the device.

Question 52. In FortiOS, which command clears the session table for a specific source IP?
A) diagnose sys session clear src 10.0.0.
B) diagnose firewall session delete src 10.0.0.
C) diagnose debug flow reset src 10.0.0.
D) execute clear session src 10.0.0.
Answer: A
Explanation: diagnose sys session clear src <IP> removes all sessions matching the source address.

Question 53. Which log severity level records only critical system failures?
A) Information
B) Warning
C) Error
D) Critical
Answer: D
Explanation: “Critical” logs capture the most severe events, such as system crashes or hardware failures.

Question 54. To verify that a FortiAnalyzer is receiving logs from the FortiGate, which status should be checked on the FortiGate?
A) Log Forwarding > Remote Syslog status = OK
B) Log & Report > Log Settings > FortiAnalyzer = Connected
C) System > Dashboard > Log Reception = Active
D) Network > Interfaces > FortiAnalyzer = Up
Answer: B
Explanation: The “Log Settings” page shows the connection status to FortiAnalyzer.

Question 55. Which of the following is NOT a valid reason to use a software switch on a FortiGate?
A) To aggregate multiple physical ports into a single broadcast domain
B) To provide Layer-3 routing between VLANs
C) To simplify internal network segmentation without extra hardware