Exam Questions (6.2) 01 ❀ FortiGate ❀ Fortinet Network Security Expert NSE 4

You are configuring the root FortiGate to implement the Security Fabric. You are configuring port10 to communicate with a downstream FortiGate. View the default Edit Interface in the exhibit below:

When configuring the root FortiGate to communicate with a downstream FortiGate, which settings are required to be configured? (Choose two.)

  A. Device detection enabled.

  B. Administrative Access: FortiTelemetry.

  C. IP/Network Mask.

  D. Role: Security Fabric.

  【Analysis】

  First, on the root FortiGate, FortiTelemetry must be enabled on every interface that faces a downstream FortiGate. Then you need to configure a group name and password for the Security Fabric. You also need to configure the FortiAnalyzer IP address; this FortiAnalyzer configuration is pushed to all downstream FortiGate devices.

  Second, on the downstream FortiGate devices, FortiTelemetry and Device Detection must be enabled on the interfaces facing downstream FortiGate devices. Then the same group name, password, and the IP address of the upstream FortiGate must be configured under Security Fabric > Settings.

  【Answer】BC

 

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

  A. The remote user's public IP address.

  B. The public IP address of the FortiGate device.

  C. The remote user's virtual IP address.

  D. The internal IP address of the FortiGate device.

  【Analysis】

  Different users can have different portals, with different resources and access permissions. Note also that the source IP seen by the remote resource is the FortiGate's internal IP address, not the user's IP address.

  【Answer】D

 

Examine this output from a debug flow:

  Why did the FortiGate drop the packet?

  A. The next-hop IP address is unreachable.

  B. It failed the RPF check.

  C. It matched an explicitly configured firewall policy with the action DENY.

  D. It matched the default implicit firewall policy.

  【Analysis】

  FortiGate looks for a matching firewall policy from top to bottom. If a match is found, the traffic is processed according to that firewall policy. If no match is found, the default implicit deny policy drops the traffic.

  【Answer】D

 

Examine the exhibit, which shows the output of a web filtering real time debug.

  Why is the site www.bing.com being blocked?

  A. The web site www.bing.com is categorized by FortiGuard as Malicious Websites.

  B. The user has not authenticated with the FortiGate yet.

  C. The web server IP address 204.79.197.200 is categorized by FortiGuard as Malicious Websites.

  D. The rating for the web site www.bing.com has been locally overridden to a category that is being blocked.

  【Analysis】

  When FortiGuard category filtering is used to allow or block access to websites, one option is a web rating override, which places a website in a different category. Web rating overrides apply only to hostnames; URLs and wildcards are not allowed.

  【Answer】D

 

View the exhibit:

  Which statements about the exhibit are true? (Choose two.)

  A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

  B. port-VLAN1 is the native VLAN for the port1 physical interface.

  C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

  D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

  【Analysis】

    You can add multiple VLANs to the same physical interface on a FortiGate. However, VLAN subinterfaces added to the same physical interface can't have the same VLAN ID or have IP addresses on the same subnet. You can add VLAN subinterfaces with the same VLAN ID to different physical interfaces.

    Creating VLAN subinterfaces with the same VLAN ID doesn't create an internal connection between them. For example, a VLAN ID of 300 on port1 and a VLAN ID of 300 on port2 are allowed, but they aren't connected. Their relationship is the same as between any two FortiGate network interfaces.

    FortiGate interfaces can't have overlapping IP addresses: the IP addresses of all interfaces must be on different subnets. This rule applies both to physical interfaces and to virtual interfaces, such as VLAN subinterfaces. Each VLAN subinterface must be configured with its own IP address and netmask. This rule helps prevent a broadcast storm or other similar network problems.

    If VDOMs are enabled, each VLAN subinterface must belong to a VDOM. This rule also applies to physical interfaces.

    VLAN subinterfaces on separate VDOMs can't communicate directly with each other. In this situation, the VLAN traffic must exit the FortiGate and re-enter the unit, passing through firewall policies in both directions. This situation is the same for physical interfaces.

    A VLAN subinterface can belong to a different VDOM than the physical interface it is part of. This is because the traffic on the VLAN is handled separately from the other traffic on that interface. This is one of the main strengths of VLANs.

  【Answer】AC

 

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

  A. Log downloads from the GUI are limited to the current log filter view.

  B. Log backups from the CLI cannot be restored to another FortiGate.

  C. Log backups from the CLI can be configured to upload to FTP at a scheduled time.

  D. Log downloads from the GUI are stored as LZ4 compressed files.

  【Analysis】

  Log data can also be protected by performing a log backup, which copies the log files from the database to a specified location.

  The command execute backup disk alllogs backs up all logs to FTP, TFTP, or USB, while execute backup disk log <log type> backs up a specific log type (such as web filter or IPS) to FTP, TFTP, or USB. These logs are stored in LZ4 format [this refers to CLI backups, not GUI downloads] and cannot be restored to another FortiGate.

  Logs can also be backed up to USB from the GUI. The GUI menu item appears when a USB drive is plugged into the FortiGate's USB port [the GUI cannot download all logs at once].

  【Answer】AB

 

Examine the network diagram shown in the exhibit, then answer the following question:

  Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server?

  A) 172.16.0.0/16 [50/0] via 10.4.200.2, port 2 [5/0]

  B) 0.0.0.0/0 [20/0] via 10.4.200.2, port 2

  C) 10.4.200.0/30 is directly connected, port2

  D) 172.16.32.0/24 is directly connected, port1

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  【Analysis】

  【Answer】

 

A team manager has decided that while some members of the team need access to a particular website, the majority of the team does not.

  Which configuration option is the most effective option to support this request?

  A. Implement a web filter category override for the specified website.

  B. Implement web filter authentication for the specified website.

  C. Implement web filter quotas for the specified website.

  D. Implement DNS filter for the specified website.

  【Analysis】

  When FortiGuard category filtering is used to allow or block access to websites, one option is a web rating override, which places a website in a different category. Web rating overrides apply only to hostnames; URLs and wildcards are not allowed.

  【Answer】

 

Examine this output from a debug flow:

  Which statements about the output are correct? (Choose two.)

  A. FortiGate received a TCP SYN/ACK packet.

  B. The source IP address of the packet was translated to 10.0.1.10.

  C. FortiGate routed the packet through port 3.

  D. The packet was allowed by the firewall policy with the ID 00007fc0.

  【Analysis】

  【Answer】AC

 

Examine this FortiGate configuration:

  How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

  A. It always authorizes the traffic without requiring authentication.

  B. It drops the traffic.

  C. It authenticates the traffic using the authentication scheme SCHEME2.

  D. It authenticates the traffic using the authentication scheme SCHEME1.

  【Analysis】

  "What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting."

  【Answer】D

 

飞塔老梅子

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值