EMEA-Advanced-Support Fortinet EMEA Advanced Support Exam Questions and Answers

Out-of-order packets after FIN/ACK indicate a packet arriving in the TIME_WAIT state, where the session is closing. The TCP time-wait timer controls how long the firewall keeps the session in the TIME_WAIT state to handle late packets. Increasing this timer allows the firewall to accept such packets instead of dropping them. Close-wait timer relates to a different state, TCPMSS affects packet size, and "Enable TCP option" is not a standard parameter. Exact extract: "The TCP time-wait timer determines how long a session remains in the TIME_WAIT state to handle out-of-order or retransmitted packets after FIN/ACK... Adjusting this timer can prevent drops of late-arriving packets."

An Intrusion Prevention System (IPS) actively blocks malicious traffic, such as code execution or injection attacks, by matching against known signatures or anomalies, protecting the webserver until patches are applied. Intrusion Detection System (IDS) only detects and alerts, not blocks. Anti-virus and anti-rootkit are less effective for web-based attacks. The original document’s answer B is incorrect, as IDS does not prevent attacks. Exact extract: "IPS provides active protection by blocking malicious traffic based on signatures or anomaly detection... Unlike IDS, which only detects and alerts, IPS can drop packets to prevent attacks like code execution or SQL injection."

In Active FTP, the client sends the PORT command to the server, specifying an ephemeral port for the server to initiate the data connection back to the client. This distinguishes Active FTP from Passive FTP, where the server provides the port. The server does not send PORT, and the command is a key part of Active FTP. Exact extract: "In Active FTP, the client sends a PORT command to the server, specifying the IP address and port number for the data connection... The server then initiates the data connection to the client’s specified port."

A route with a directly connected interface (no gateway) indicates the destination network is locally attached to that interface on the FortiGate. This is common for networks directly connected to the device’s interfaces. Option A is vague, B is incorrect as it’s not a dummy route, and D suggests an unknown route, which isn’t the case. Exact extract: "A directly connected route indicates that the destination network is locally attached to the interface specified in the routing table... No gateway is required for such routes as the FortiGate is directly connected to the network."

Link aggregation, also known as IEEE 802.3ad or 802.1ax, enables the binding of multiple physical interfaces to form a single logical interface, which increases the overall bandwidth and provides redundancy. This is achieved by combining the bandwidth of the individual links into one aggregated link. For example, if two 1Gbps interfaces are aggregated, the logical link can provide up to 2Gbps bandwidth. This configuration is commonly used in FortiGate devices to enhance network performance without replacing hardware. The option B correctly describes this by stating "Increase bandwidth by binding physical interfaces into a single channel," which aligns with the official description. Incorrect options include A, which is vague and does not specify the method of binding multiple interfaces; C, which is the opposite of the purpose; and D, which is invalid. Exact extract: Link aggregation (IEEE 802.3ad/802.1ax) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link ... Link aggregation combines multiple physical interfaces into a single logical interface, increasing bandwidth and link redundancy. Traffic is distributed evenly.

FortiGate operates on a default-deny principle; if a packet does not match any firewall policy, it is dropped to ensure security. No forwarding (A), IPS processing (C), or automatic allowing (D) occurs without a matching policy. Exact extract: "FortiGate uses a default-deny approach; packets that do not match any configured firewall policy are dropped to prevent unauthorized traffic."

When FortiGate detects a SYN flood attack, it applies rate limiting to SYN packets via a DoS policy, dropping excessive packets to mitigate the attack. It does not drop all packets (A), enable proxy inspection (B), or redirect traffic (D). Exact extract: "FortiGate mitigates SYN flood attacks using DoS policies, which apply rate limiting to SYN packets to prevent overwhelming the system."

The ‘get router info routing-table all’ command displays the FortiGate’s current routing table, including all active routes and their details. Options B, C, and D are not valid or specific for this purpose. Exact extract: "Use ‘get router info routing-table all’ to display the complete routing table, showing destination, gateway, interface, and metric for all routes."

IPS efficiency is improved by: A) Compiling signatures into a decision tree to reduce comparison overhead; B) Using IPS sensors/filters to selectively apply signatures to relevant traffic, reducing unnecessary processing; D) Using a regular database instead of an extended one to lower memory usage. Option C’s “Turbo” and round-robin load balancing is not a standard Fortinet IPS feature. Option E is incorrect as C is not valid. Exact extract: "IPS efficiency is improved by compiling signatures into decision trees to minimize CPU usage... IPS sensors and filters allow selective signature application to reduce processing... Using the regular signature database instead of extended reduces memory footprint."

In OSPF, the Area Border Router (ABR) generates Type-4 Summary LSAs to advertise the location of an Autonomous System Boundary Router (ASBR) to other areas. This LSA informs routers in different areas how to reach the ASBR for external routes. ASBR generates Type-5 LSAs for external routes, but ABR summarizes them with Type-4. Not all routers or stub routers do this. Exact extract: This article describes the basic steps to configure FortiGates in an OSPF scenario where the FortiGates will be ABR and ASBR OSPF routers across 3 areas. Router3 is the Autonomous System Border Router (ASBR). It routes all traffic to the ISP BGP router for internet access. It redistributes routes from BGP and ... Type 4 LSAs exist to let the area know the router-id of the ASBR, so the routers can look at the type 5 route, find advertising-router, and map ... An ASBR summary LSA is generated by an ABR and describes the location of an ASBR (Autonomous System Boundary Router) that connects to an external network. The FortiGate in the middle shall be a ABR between the two areas. But I don't want R2 in area 0.0.0.0 to have every /32 route for every VPN client. So I tried ...

FortiGate’s SD-WAN feature enables load balancing and intelligent traffic steering across multiple WAN links based on criteria like bandwidth, latency, or application. Link Aggregation (B) bonds interfaces, Virtual Routing (C) is VRF, and Multi-Path Routing (D) is not a standard term. Exact extract: "SD-WAN enables load balancing and traffic steering across multiple WAN links, optimizing performance and reliability based on configured rules and metrics."

Both SSL VPN and IPsec VPN are standard protocols supported by FortiGate devices for secure remote access. SSL VPN typically uses HTTPS (TCP port 443) for encrypted communication, while IPsec uses protocols like IKE and ESP. Both can be configured between an end-user workstation (e.g., via FortiClient) and a FortiGate device, supporting various authentication methods. All options are correct, making D the correct answer. Exact extract: "SSL VPN technology uses the standard SSL/TLS protocol to provide a secure connection to the FortiGate unit. The FortiGate SSL VPN can be configured to use HTTPS..." and "IPsec VPNs use standardized protocols like IKE and ESP to create secure tunnels... FortiClient supports both IPsec and SSL VPN connections to FortiGate devices for remote access."