FCNSP無料問題集「Fortinet Certified Network Security Professional (FCNSP v4.2)」

質問 1

A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of 10.0.1.1, but gets no connectivity.
The following troubleshooting commands are executed from the DOS prompt on the PC and from
the CLI.
C:\>ping 10.0.1.1
Pinging 10.0.1.1 with 32 bytes of data:
Reply from 10.0.1.1: bytes=32 time=1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
user1 # get system interface
== [ internal ]
namE. internal modE. static ip: 10.0.1.254 255.255.255.128 status: up
netbios-forwarD. disable typE. physical mtu-overridE. disable
== [ vlan1 ]
namE. vlan1 modE. static ip: 10.0.1.1 255.255.255.128 status: up netb
ios-forwarD. disable typE. vlan mtu-overridE. disable
user1 # diagnose debug flow trace start 100
user1 # diagnose debug ena
user1 # diagnose debug flow filter daddr 10.0.1.1 10.0.1.1
id=20085 trace_id=274 msg="vd-root received a packet(proto=6, 10.0.1.130:47927->10.0.1.1:443)
from internal."
id=20085 trace_id=274 msg="allocate a new session-00000b1b"
id=20085 trace_id=274 msg="find SNAT: IP-10.0.1.1, port-43798"
id=20085 trace_id=274 msg="iprope_in_check() check failed, drop"
Based on the output from these commands, which of the following explanations is a possible cause of the problem?

（A）The PC is using an incorrect default gateway IP address.

（B）There is no firewall policy allowing traffic from INTERNAL-> VLAN1.

（C）The Fortigate unit has no route back to the PC.

（D）The PC has an IP address in the wrong subnet.

（E）The FortiGate unit does not have the HTTPS service configured on the VLAN1 interface.

正解：E 解答を投票する

質問 2

The transfer of encrypted files or the use of encrypted protocols between users and servers on the internet can frustrate the efforts of administrators attempting to monitor traffic passing through the FortiGate unit and ensuring user compliance to corporate rules.
Which of the following items will allow the administrator to control the transfer of encrypted data through the FortiGate unit? (Select all that apply.)

（A）Encrypted protocols can be scanned through the use of the SSL proxy.

（B）Firewall authentication can be enabled in the firewall policy, preventing the use of encrypted communications channels.

（C）DLP rules can be used to block the transmission of encrypted files.

（D）Application control can be used to monitor the use of encrypted protocols; alerts can be sent to the administrator through email when the use of encrypted protocols is attempted.

正解：A、C、D 解答を投票する

質問 3

The FortiGate Server Authentication Extensions (FSAE) provide a single sign on solution to authenticate users transparently to a FortiGate unit using credentials stored in Windows Active Directory.
Which of the following statements are correct regarding FSAE in a Windows domain environment when NTLM is not used? (Select all that apply.)

（A）The FSAE Collector Agent will retrieve user information from the Domain Controller Agent and will send the user logon information to the FortiGate unit.

（B）The FSAE Domain Controller Agent will regularly update user logon information on the FortiGate unit.

（C）An FSAE Collector Agent must be installed on every domain controller.

（D）For non-domain computers, an FSAE client must be installed on the computer to allow FSAE authentication.

（E）An FSAE Domain Controller Agent must be installed on every domain controller.

正解：A、E 解答を投票する

質問 4

What advantages are there in using a hub-and-spoke IPSec VPN configuration instead of a fully-meshed set of IPSec tunnels? (Select all that apply.)

（A）Using a hub and spoke topology simplifies configuration because fewer tunnelsare required.

（B）Using a hub and spoke topology is required to achieve full redundancy.

（C）Using a hub and spoke topology provides stronger encryption.

（D）The routing at a spoke is simpler, compared to a meshed node.

正解：A、D 解答を投票する

質問 5

In a High Availability cluster operating in Active-Active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a subordinate unit?

（A）Request: Internal Host; Master FortiGate; Slave FortiGate; Internet; Web Server

（B）Request: Internal Host; Slave FortiGate; Master FortiGate; Internet; Web Server

（C）Request: Internal Host; Slave FortiGate; Internet; Web Server

（D）Request: Internal Host; Master FortiGate; Slave FortiGate; Master FortiGate; Internet; Web Server

正解：A 解答を投票する

質問 6

Which of the following cannot be used in conjunction with the endpoint compliance check?

（A）Any form of firewall policy authentication.

（B）WAN optimization.

（C）Traffic shaping.

（D）HTTP Challenge Redirect to a Secure Channel (HTTPS) in the Authentication Settings.

正解：D 解答を投票する

質問 7

A FortiGate unit is configured with multiple VDOMs. An administrative account on the device has been assigned a Scope value of VDOM:root.
Which of the following items would an administrator logging in using this account NOT be able to configure?

（A）Firewall addresses

（B）DHCP servers

（C）PPTP VPN configuration

（D）FortiGuard Distribution Network configuration

正解：D 解答を投票する

質問 8

Identify the correct properties of a partial mesh VPN deployment:

（A）Some locations are reached via a hub location.

（B）VPN tunnels interconnect between every single location.

（C）There are no hub locations in a partial mesh.

（D）VPN tunnels are not configured between every single location.

正解：A、D 解答を投票する

質問 9

Which of the following DLP actions will override any other action?

（A）None

（B）Exempt

（C）Block

（D）Quarantine Interface

正解：B 解答を投票する

質問 10

Examine the Exhibit shown below; then answer the question following it.

The Vancouver FortiGate unit initially had the following information in its routing table:
S 172.20.0.0/16 [10/0] via 172.21.1.2, port2 C 172.21.0.0/16 is directly connected, port2 C 172.11.11.0/24 is directly connected, port1
Afterwards, the following static route was added:
config router static edit 6 set dst 172.20.1.0 255.255.255.0 set pririoty 0 set device port1 set gateway 172.11.12.1
next end
Since this change, the new static route is NOT showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?

（A）The priority is 0, which means that the route will remain inactive.

（B）The static route configuration is missing the distance setting.

（C）The subnet 172.20.1.0/24 is overlapped with the subnet of one static route that is already in the routing table (172.20.0.0/16), so, we need to enable allow-subnet-overlap first.

（D）The 'gateway' IP address is NOT in the same subnet as the IP address of port1.

正解：D 解答を投票する

FCNSP 無料問題集「Fortinet Certified Network Security Professional (FCNSP v4.2)」

弊社を連絡する

関連リンク

トップ試験