Q61. - (Topic 3) 

A network administrator connects his PC to the INTERNAL interface on a FortiGate unit. The administrator attempts to make an HTTPS connection to the FortiGate unit on the VLAN1 interface at the IP address of, but gets no connectivity. 

The following troubleshooting commands are executed from the DOS prompt on the PC and from the CLI. 


Pinging with 32 bytes of data: 

Reply from bytes=32 time=1ms TTL=255 

Reply from bytes=32 time<1ms TTL=255 

Reply from bytes=32 time<1ms TTL=255 

Reply from bytes=32 time<1ms TTL=255 

user1 # get system interface 

== [ internal ] 

name: internal mode: static ip: status: up

netbios-forward: disable type: physical mtu-override: disable

== [ vlan1 ]

name: vlan1 mode: static ip: status: up

netbios-forward: disable type: vlan mtu-override: disable

user1 # diagnose debug flow trace start 100 

user1 # diagnose debug ena 

user1 # diagnose debug flow filter daddr 

id=20085 trace_id=274 msg="vd-root received a packet(proto=6,> from internal." 

id=20085 trace_id=274 msg="allocate a new session-00000b1b" 

id=20085 trace_id=274 msg="find SNAT: IP-, port-43798" 

id=20085 trace_id=274 msg="iprope_in_check() check failed, drop" 

Based on the output from these commands, which of the following explanations is a possible cause of the problem? 

A. The Fortigate unit has no route back to the PC. 

B. The PC has an IP address in the wrong subnet. 

C. The PC is using an incorrect default gateway IP address. 

D. The FortiGate unit does not have the HTTPS service configured on the VLAN1 interface. 

E. There is no firewall policy allowing traffic from INTERNAL-> VLAN1. 


Q62. - (Topic 1) 

Which of the following is true regarding Switch Port Mode? 

A. Allows all internal ports to share the same subnet. 

B. Provides separate routable interfaces for each internal port. 

C. An administrator can select ports to be used as a switch. 

D. Configures ports to be part of the same broadcast domain. 


Q63. - (Topic 1) 

An end user logs into the full-access SSL VPN portal and selects the Tunnel Mode option by clicking on the “Connect” button. The administrator has enabled split tunneling. 

Given that the user authenticates against the SSL VPN policy shown in the image below, which statement below identifies the route that is added to the client’s routing table?

A. A route to destination matching the ‘WIN2K3’ address object. 

B. A route to the destination matching the ‘all’ address object. 

C. A default route. 

D. No route is added. 


Q64. - (Topic 3) 

Which of the following statements is not correct regarding virtual domains (VDOMs)? 

A. VDOMs divide a single FortiGate unit into two or more virtual units that function as multiple, independent units. 

B. A management VDOM handles SNMP, logging, alert email, and FDN-based updates. 

C. A backup management VDOM will synchronize the configuration from an active management VDOM. 

D. VDOMs share firmware versions, as well as antivirus and IPS databases. 

E. Only administrative users with a super_admin profile will be able to enter all VDOMs to make configuration changes. 


Q65. - (Topic 1) 

Which of the following items represent the minimum configuration steps an administrator must perform to enable Data Leak Prevention for traffic flowing through the FortiGate unit? (Select all that apply.) 

A. Assign a DLP sensor in a firewall policy. 

B. Apply one or more DLP rules to a firewall policy. 

C. Enable DLP globally using the config sys dlp command in the CLI. 

D. Define one or more DLP rules. 

E. Define a DLP sensor. 

F. Apply a DLP sensor to a DoS sensor policy. 

Answer: A,D,E 

Q66. - (Topic 1) 

Which of the following statements is correct regarding a FortiGate unit operating in NAT/Route mode? 

A. The FortiGate unit requires only a single IP address for receiving updates and configuring from a management computer. 

B. The FortiGate unit must use public IP addresses on both the internal and external networks. 

C. The FortiGate unit commonly uses private IP addresses on the internal network but hides them using network address translation. 

D. The FortiGate unit uses only DHCP-assigned IP addresses on the internal network. 


Q67. - (Topic 1) 

DLP archiving gives the ability to store session transaction data on a FortiAnalyzer unit for which of the following types of network traffic? (Select all that apply.) 


B. IPSec 


D. POP3 


Answer: C,D,E 

Q68. - (Topic 3) 

In which of the following report templates would you configure the charts to be included in the report? 

A. Layout Template 

B. Data Filter Template 

C. Output Template 

D. Schedule Template 

Answer: A

Q69. - (Topic 1) 

Which of the following statements is correct regarding URL Filtering on the FortiGate unit? 

A. The available actions for URL Filtering are Allow and Block. 

B. Multiple URL Filter lists can be added to a single Web filter profile. 

C. A FortiGuard Web Filtering Override match will override a block action in the URL filter list. 

D. The available actions for URL Filtering are Allow, Block and Exempt. 


Q70. - (Topic 3) 

Which of the following must be configured on a FortiGate unit to redirect content requests to remote web cache servers? 

A. WCCP must be enabled on the interface facing the Web cache. 

B. You must enable explicit Web-proxy on the incoming interface.

C. WCCP must be enabled as a global setting on the FortiGate unit. 

D. WCCP must be enabled on all interfaces on the FortiGate unit through which HTTP traffic is passing. 


Q71. - (Topic 1) 

Which of the following authentication types are supported by FortiGate units? (Select all that apply.) 

A. Kerberos 



D. Local Users 

Answer: B,C,D 

Q72. - (Topic 1) 

The FortiGate Web Config provides a link to update the firmware in the System > Status window. Clicking this link will perform which of the following actions? 

A. It will connect to the Fortinet support site where the appropriate firmware version can be selected. 

B. It will send a request to the FortiGuard Distribution Network so that the appropriate firmware version can be pushed down to the FortiGate unit. 

C. It will present a prompt to allow browsing to the location of the firmware file. 

D. It will automatically connect to the Fortinet support site to download the most recent firmware version for the FortiGate unit. 


Q73. - (Topic 1) 

Which email filter is NOT available on a FortiGate device? 

A. Sender IP reputation database. 

B. URLs included in the body of known SPAM messages. 

C. Email addresses included in the body of known SPAM messages. 

D. Spam object checksums. 

E. Spam grey listing. 


Q74. - (Topic 3) 

Which of the following statements are correct regarding the configuration of a FortiGate unit as an SSL VPN gateway? (Select all that apply.)

A. Tunnel mode can only be used if the SSL VPN user groups have at least one Host Check option enabled. 

B. The specific routes needed to access internal resources through an SSL VPN connection in tunnel mode from the client computer are defined in the routing widget associated with the SSL VPN portal. 

C. In order to apply a portal to a user, that user must belong to an SSL VPN user group. 

D. The portal settings specify whether the connection will operate in web-only or tunnel mode. 

Answer: C,D 

Q75. - (Topic 2) 

Review the IPsec diagnostics output of the command diag vpn tunnel list shown in the Exhibit below. 

Which of the following statements are correct regarding this output? (Select all that apply.) 

A. The connecting client has been allocated address 

B. In the Phase 1 settings, dead peer detection is enabled. 

C. The tunnel is idle. 

D. The connecting client has been allocated address 

Answer: A,B