Fortinet EMEA-Advanced-Support Fortinet EMEA Advanced Support Exam Exam Practice Test

FortiGate’s SSL Inspection feature decrypts and inspects SSL/TLS traffic to detect threats or enforce policies, using techniques like full SSL inspection or certificate inspection. Deep Packet Inspection (A) is a broader term, Application Control (C) identifies apps, and Web Filtering (D) blocks URLs, not specific to SSL. Exact extract: "SSL Inspection allows FortiGate to decrypt and inspect SSL/TLS traffic to detect hidden threats or enforce security policies, supporting full or certificate-based inspection."

The standard term in OSPF for a router connecting the backbone area (Area 0) to a non-backbone area is "area border router" (ABR). It maintains separate LSDBs for each area and performs summarization. "Area boundary router" is similar but not the standard term; ASBR connects to external AS; backbone router is in Area 0. Exact extract: Go to Network > OSPF. · Set Router ID to 10.11.101.1. · In the Areas table, click Create New and set the following: Area ID. 0.0. · Click OK. · In the Networks ... A router connected to more than one area is an area border router (ABR). An autonomous system boundary router (ASBR) is located between an OSPF autonomous ... This article describes the basic steps to configure FortiGates in an OSPF scenario where the FortiGates will be ABR and ASBR OSPF routers across 3 areas. OSPF areas are groupings of OSPF routers or logical parts of a network. An area's routing information can be sent as a summary to other areas. This article describes that routes learned from the other OSPF areas will be removed on the ABR router when it has multiple areas and has no backbone ...

In Active FTP, the client sends the PORT command to the server, specifying an ephemeral port for the server to initiate the data connection back to the client. This distinguishes Active FTP from Passive FTP, where the server provides the port. The server does not send PORT, and the command is a key part of Active FTP. Exact extract: "In Active FTP, the client sends a PORT command to the server, specifying the IP address and port number for the data connection... The server then initiates the data connection to the client’s specified port."

IPsec operates at Layer 4 (Transport Layer) in the OSI model, providing secure communication via protocols like ESP and AH, which work with TCP or UDP. BGP and OSPF are Layer 3 (Network Layer) routing protocols, and ARP operates at Layer 2 (Data Link Layer). Fortinet’s FortiGate uses IPsec for VPNs at Layer 4. Exact extract: "IPsec operates at the Transport Layer (Layer 4) to secure communications, encapsulating TCP or UDP packets... BGP and OSPF function at the Network Layer, while ARP resolves IP to MAC addresses at the Data Link Layer."

Link aggregation, also known as IEEE 802.3ad or 802.1ax, enables the binding of multiple physical interfaces to form a single logical interface, which increases the overall bandwidth and provides redundancy. This is achieved by combining the bandwidth of the individual links into one aggregated link. For example, if two 1Gbps interfaces are aggregated, the logical link can provide up to 2Gbps bandwidth. This configuration is commonly used in FortiGate devices to enhance network performance without replacing hardware. The option B correctly describes this by stating "Increase bandwidth by binding physical interfaces into a single channel," which aligns with the official description. Incorrect options include A, which is vague and does not specify the method of binding multiple interfaces; C, which is the opposite of the purpose; and D, which is invalid. Exact extract: Link aggregation (IEEE 802.3ad/802.1ax) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link ... Link aggregation combines multiple physical interfaces into a single logical interface, increasing bandwidth and link redundancy. Traffic is distributed evenly.

Typical Layer 2 switches support STP (Spanning Tree Protocol) to prevent loops in redundant networks and VLANs (Virtual Local Area Networks) to segment traffic logically. OSPF is a Layer 3 routing protocol typically on routers, and SIP is for VoIP session initiation, not core switch functions. FortiSwitch supports STP variants like MSTP and VLAN tagging. Exact extract: MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable). These protocols include the Spanning Tree Protocol (STP), Multiple Spanning Tree Protocol (MSTP), and Per-VLAN Rapid Spanning Tree Protocol ( ... FortiSwitch supports Spanning Tree Protocol (STP), Multiple Spanning Tree Protocol (MSTP), and Per-VLAN Rapid Spanning Tree Protocol (RSTP). Spanning Tree Protocol (STP) is a link-management protocol to enable a layer 2 loop-free topology. STP enables a network to have redundant paths for fault ... Go to WiFi & Switch Controller > FortiSwitch Ports. Click a port row. Click the Native VLAN column in one of the selected entries to change the native VLAN.

A Virtual IP (VIP) in FortiGate maps an external IP address to an internal IP for Destination NAT (DNAT), commonly used for accessing internal servers from external networks. It is not for VLANs (B), secondary IPs (C), or VPN load balancing (D). Exact extract: "Virtual IPs (VIPs) are used for Destination NAT, mapping an external IP address to an internal IP to allow external access to internal resources, such as servers."

Classful addressing follows the original IP address classes: Class A (/8), Class B (/16), and Class C (/24). Option A (10.225.30.0/8) is a Class A address, and C (172.16.0.0/16) is a Class B address. Option B (10.225.30.0/16) and D (172.16.0.0/24) use non-standard masks for their respective ranges, making them classless (CIDR). The original document incorrectly lists only A. Fortinet routing supports both classful and classless addressing. Exact extract: "Classful addressing uses fixed subnet masks: Class A (/8), Class B (/16), and Class C (/24)... Addresses like 10.0.0.0/8 and 172.16.0.0/16 are classful, while non-standard masks indicate classless addressing."

The ‘set nat enable’ command in a FortiGate firewall policy enables Source NAT (SNAT) for outgoing traffic, typically rewriting the source IP to the FortiGate’s interface IP or an IP pool. It does not disable NAT (B), force a specific pool (C), or limit to incoming traffic (D). Exact extract: "The ‘set nat enable’ command in a firewall policy enables Source NAT, rewriting the source IP address of outgoing traffic to the egress interface IP or a configured NAT pool."

The TCP MSS (Maximum Segment Size) defines the maximum TCP payload size, excluding headers. When the firewall sets MSS to 1450 bytes, the TCP segment size is limited to this value. For IP packets, the total size includes the TCP header (20 bytes) and IP header (20 bytes), so 1450 (MSS) + 20 (TCP) + 20 (IP) = 1490 bytes, which fits within both link MTUs (1500 and 1496 bytes). Thus, the maximum IP packet size is not limited by the link MTUs but by the MSS, adjusted for headers. Options C and F (bits) are incorrect units; A and B exceed the MSS limit. Exact extract: "The TCP MSS is adjusted to prevent fragmentation... FortiGate can rewrite the MSS in TCP SYN packets to ensure the total IP packet size (including IP and TCP headers) does not exceed the configured value."

When FortiGate detects a SYN flood attack, it applies rate limiting to SYN packets via a DoS policy, dropping excessive packets to mitigate the attack. It does not drop all packets (A), enable proxy inspection (B), or redirect traffic (D). Exact extract: "FortiGate mitigates SYN flood attacks using DoS policies, which apply rate limiting to SYN packets to prevent overwhelming the system."

An ARP (Address Resolution Protocol) request is broadcast to resolve an IP address to a MAC address. The source MAC is the sender’s MAC address, and the destination MAC is the broadcast address (FF:FF:FF:FF:FF:FF) to reach all devices on the local network. Fortinet devices handle ARP for Layer 2 communication. Options B, C, and D are incorrect as switches don’t originate ARP requests, the target’s MAC is unknown, and ARP uses broadcast, not multicast. Exact extract: "In an ARP request, the source MAC address is that of the sending device, and the destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF), sent to all devices in the local network segment."

The ‘diagnose vpn tunnel list’ command on FortiGate displays detailed status information about IPsec VPN tunnels, including phase 1 and phase 2 states, uptime, and traffic statistics. Options B, C, and D are not valid FortiGate commands for this purpose. Exact extract: "Use diagnose vpn tunnel list to view the status of IPsec VPN tunnels, including phase 1 and phase 2 details, such as SA status, uptime, and traffic counters."

FortiGate uses SSH (Secure Shell) by default for secure management access, providing encrypted command-line access. Telnet (A) and HTTP (C) are insecure, and SNMP (D) is for monitoring, not management. Exact extract: "FortiGate enables SSH by default for secure management access, providing encrypted CLI access to administrators."

VMotion in VMware vSphere enables live migration of running virtual machines from one physical server to another with zero downtime, ensuring continuous operation. Fortinet’s FortiGate-VM supports such environments. Options A, C, and D are incorrect as they do not describe VMotion; C refers to a different migration scenario, and D is unrelated to virtualization. Exact extract: "VMotion allows the live migration of a running virtual machine from one physical server to another with no downtime... This ensures workloads continue running during server maintenance or load balancing."