Exam Questions (6.2) 03 ❀ Enterprise Firewall ❀ Fortinet Network Security Architect NSE7

 Refer to the exhibit, which contains the output of a BGP debug command.

  Which statement about the exhibit is true?

  A. The local router has received a total of three BGP prefixes from all peers.

  B. The local router has not established a TCP session with 100.64.3.1.

  C. Since the counters were last reset, the 10.200.3.1 peer has never been down.

  D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.

  【Analysis】

  "never" indicates that there is no connection.

  【Answer】B

 

 Refer to the exhibit, which contains the output of a web filtering diagnose command.

  Which statement explains why the cache statistics are all zeros?

  A. The FortiGate web filter cache is disabled in the FortiGate configuration.

  B. FortiGate is using flow-based inspection which does not use the cache.

  C. The administrator has reallocated the cache memory to a separate process.

  D. There are no users making web requests.

  【Analysis】

  【Answer】A

 

 An administrator wants to capture ESP traffic between two FortiGate devices using the built-in sniffer.

  If the administrator knows that there is no NAT device located between both FortiGate devices, which command should the administrator execute?

  A. diagnose sniffer packet any 'esp'

  B. diagnose sniffer packet any 'udp port 4500'

  C. diagnose sniffer packet any 'udp port 500'

  D. diagnose sniffer packet any 'tcp port 500 or tcp port 4500'

  【Analysis】

  If there is no NAT device between the FortiGate devices, IKE traffic uses UDP port 500 and ESP traffic uses IP protocol 50.

  【Answer】A

 

 Which two conditions must be met for a static route to be active in the routing table? (Choose two.)

  A. The link health monitor (if configured) is up.

  B. There is no other route, to the same destination, with a higher distance.

  C. The outgoing interface is up.

  D. The next-hop IP address is up.

  【Analysis】

  FortiGate adds a static route to the routing table only when all of the following requirements are met:

  ●  The outgoing interface is up

  ●  There is no other matching route with a lower distance

  ●  The link health monitor (if configured) is successful

  【Answer】A C

 

 When using the SSL certificate inspection method to inspect HTTPS traffic, how does FortiGate filter web requests when the client browser does not provide the server name indication (SNI) extension?

  A. FortiGate uses the requested URL from the user's web browser.

  B. FortiGate uses the CN information from the Subject field in the server certificate.

  C. FortiGate blocks the request without any further inspection.

  D. FortiGate switches to the full SSL inspection method to decrypt the data.

  【Analysis】

  When using SSL certificate inspection, FortiGate does not decrypt or inspect any encrypted traffic. With this method, FortiGate inspects only the initial unencrypted SSL handshake. If the SNI field is present, FortiGate uses it to obtain the FQDN and rate the site. If SNI is not present, FortiGate retrieves the FQDN from the CN field of the server certificate.

  【Answer】B

 

 Refer to the exhibit, which contains the output of a real-time debug.

  Which statement regarding this output is true?

  A. FortiGate found the requested URL in its local cache.

  B. The requested URL belongs to category ID 52.

  C. The client hostname is training.fortinet.com.

  D. This web request was inspected using the root web filter profile.

  【Analysis】

  The exhibit shows a sample of the real-time debug output when the URL to be categorized is not in the FortiGuard cache. The output shows the URL, category, source address, destination IP address, and service.

  【Answer】A B

 

 Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

  A. Import policy packages from managed devices.

  B. Preview pending configuration changes for managed devices.

  C. Add devices to FortiManager.

  D. Import interface mappings from managed devices.

  E. Install configuration changes to managed devices.

  【Analysis】

  The Install Wizard is used to install configuration changes from the Device Manager pane or the Policy & Objects pane to managed devices. It lets you preview the changes, and if the administrator does not agree with them, cancel and modify them.

  【Answer】B E

 

 Refer to the exhibit, which contains a partial routing table.

  Assuming all the appropriate firewall policies are configured, which two pings will FortiGate route? (Choose two.)

  A. Source IP address: 10.72.3.52, Destination IP address: 10.1.0.254

  B. Source IP address: 10.73.9.10, Destination IP address: 10.72.3.15

  C. Source IP address: 10.10.4.24, Destination IP address: 10.72.3.20

  D. Source IP address: 10.1.0.10, Destination IP address: 10.64.1.52

  【Analysis】

  FortiGate groups routes based on VRF ID.

  【Answer】A D

 

 Refer to the exhibit, which contains a TCL script configuration on FortiManager.

  An administrator has configured the TCL script on FortiManager, but it failed to apply any changes to the managed device after being executed.

  Why did the TCL script fail to make any changes to the managed device?

  A. Changes in an interface configuration can only be done by CLI script.

  B. The TCL script must start with #include <>.

  C. Incomplete commands are ignored in TCL scripts.

  D. The TCL command run_cmd has not been created.

  【Analysis】

  The procedure is named do_cmd, but the procedure called is run_cmd.

  【Answer】D

 

 Refer to the exhibit, which contains the partial output of an IKE real-time debug.

  Which two statements about this debug output are correct? (Choose two.)

  A. The initiator has provided remote as its IPsec peer ID.

  B. The negotiation is using AES128 encryption with CBC hash.

  C. The remote gateway IP address is 10.0.0.1.

  D. It shows a phase 1 negotiation.

  【Analysis】

  【Answer】A D
