Fortinet NSE5 exam practice questions and answers.

Q121. - (Topic 3) 

When the SSL proxy inspects the server certificate for Web Filtering only in SSL Handshake mode, which certificate field is being used to determine the site rating? 

A. Common Name 

B. Organization 

C. Organizational Unit 

D. Serial Number 

E. Validity 

Answer:


Q122. - (Topic 2) 

In the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate unit when searching for a suitable gateway? 

A. A look-up is done only when the first packet coming from the client (SYN) arrives. 

B. A look-up is done when the first packet coming from the client (SYN) arrives, and a second is performed when the first packet coming from the server (SYN/ACK) arrives. 

C. A look-up is done only during the TCP 3-way handshake (SYN, SYN/ACK, ACK). 

D. A look-up is always done each time a packet arrives, from either the server or the client side. 

Answer:


Q123. - (Topic 1) 

Which statement is correct regarding virus scanning on a FortiGate unit? 

A. Virus scanning is enabled by default. 

B. Fortinet Customer Support enables virus scanning remotely for you. 

C. Virus scanning must be enabled in a protection profile and the protection profile must be assigned to a firewall policy. 

D. Enabling virus scanning in a protection profile enables virus scanning for all traffic flowing through the FortiGate. 

Answer:


Q124. - (Topic 2) 

Review the static route configuration for IPsec shown in the Exhibit below; then answer the question following it. 

Which of the following statements are correct regarding this configuration? (Select all that apply). 

A. Remote_1 is a Phase 1 object with interface mode enabled 

B. The gateway address is not required because the interface is a point-to-point connection 

C. The gateway address is not required because the default route is used 

D. Remote_1 is a firewall zone 

Answer: A,B 


Q125. - (Topic 2) 

FSSO provides a single sign-on solution to authenticate users transparently to a FortiGate unit using credentials stored in Windows Active Directory. 

Which of the following statements are correct regarding FSSO in a Windows domain environment when NTLM and Polling Mode are not used? (Select all that apply.) 

A. An FSSO Collector Agent must be installed on every domain controller. 

B. An FSSO Domain Controller Agent must be installed on every domain controller. 

C. The FSSO Domain Controller Agent will regularly update user logon information on the FortiGate unit. 

D. The FSSO Collector Agent will retrieve user information from the Domain Controller Agent and will send the user logon information to the FortiGate unit. 

E. For non-domain computers, the only way to allow FSSO authentication is to install an FSSO client. 

Answer: B,D 


Q126. - (Topic 1) 

Which of the following statements regarding Banned Words are correct? (Select all that apply.) 

A. The FortiGate unit can scan web pages and email messages for instances of banned words. 

B. When creating a banned word list, an administrator can indicate either specific words or patterns. 

C. Banned words can be expressed as wildcards or regular expressions. 

D. Content is automatically blocked if a single instance of a banned word appears. 

E. The FortiGate unit includes a pre-defined library of common banned words. 

Answer: A,B,C 


Q127. - (Topic 1) 

A firewall policy has been configured for the internal email server to receive email from external parties through SMTP. Exhibits A and B show the antivirus and email filter profiles applied to this policy. 

Exhibit A: 

Exhibit B: 

What is the correct behavior when the email attachment is detected as a virus by the FortiGate antivirus engine? 

A. The FortiGate unit will remove the infected file and deliver the email with a replacement message to alert the recipient that the original attachment was infected. 

B. The FortiGate unit will reject the infected email and the sender will receive a failed delivery message. 

C. The FortiGate unit will remove the infected file and add a replacement message. Both sender and recipient are notified that the infected file has been removed. 

D. The FortiGate unit will reject the infected email and notify the sender. 

Answer:


Q128. - (Topic 2) 

Select the answer that describes what the CLI command diag debug authd fsso list is used for. 

A. Monitors communications between the FSSO Collector Agent and FortiGate unit. 

B. Displays which users are currently logged on using FSSO. 

C. Displays a listing of all connected FSSO Collector Agents. 

D. Lists all DC Agents installed on all Domain Controllers. 

Answer:


Q129. - (Topic 3) 

What advantages are there in using a fully meshed IPsec VPN configuration instead of a hub-and-spoke set of IPsec tunnels? 

A. Using a hub and spoke topology is required to achieve full redundancy. 

B. Using a full mesh topology simplifies configuration. 

C. Using a full mesh topology provides stronger encryption. 

D. Full mesh topology is the most fault-tolerant configuration. 

Answer:


Q130. - (Topic 3) 

The transfer of encrypted files or the use of encrypted protocols between users and servers on the Internet can frustrate the efforts of administrators attempting to monitor traffic passing through the FortiGate unit and to ensure user compliance with corporate rules. 

Which of the following items will allow the administrator to control the transfer of encrypted data through the FortiGate unit? (Select all that apply.) 

A. Encrypted protocols can be scanned through the use of the SSL proxy. 

B. DLP rules can be used to block the transmission of encrypted files. 

C. Firewall authentication can be enabled in the firewall policy, preventing the use of encrypted communications channels. 

D. Application control can be used to monitor the use of encrypted protocols; alerts can be sent to the administrator through email when the use of encrypted protocols is attempted. 

Answer: A,B,D 


Q131. - (Topic 1) 

Which of the following items is NOT a packet characteristic matched by a firewall service object? 

A. ICMP type and code 

B. TCP/UDP source and destination ports 

C. IP protocol number 

D. TCP sequence number 

Answer:


Q132. - (Topic 3) 

Which of the following DLP actions will always be performed if it is selected? 

A. Archive 

B. Quarantine Interface 

C. Ban Sender 

D. Block 

E. None 

F. Ban 

G. Quarantine IP Address 

Answer:


Q133. - (Topic 1) 

An end user logs into the SSL VPN portal and selects the Tunnel Mode option by clicking on the "Connect" button. The administrator has not enabled split tunneling and so the end user must access the Internet through the SSL VPN Tunnel. 

Which firewall policies are needed to allow the end user to not only access the internal network but also reach the Internet? 

A) 

B) 

C) 

D) 

A. Exhibit A 

B. Exhibit B 

C. Exhibit C 

D. Exhibit D 

Answer:


Q134. - (Topic 2) 

In a High Availability cluster operating in Active-Active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a subordinate unit? 

A. Request: Internal Host; Master FortiGate; Slave FortiGate; Internet; Web Server 

B. Request: Internal Host; Master FortiGate; Slave FortiGate; Master FortiGate; Internet; Web Server 

C. Request: Internal Host; Slave FortiGate; Internet; Web Server 

D. Request: Internal Host; Slave FortiGate; Master FortiGate; Internet; Web Server 

Answer:


Q135. - (Topic 3) 

If Open Shortest Path First (OSPF) has already been configured on a FortiGate unit, which of the following statements is correct if the routes learned through OSPF need to be announced by Border Gateway Protocol (BGP)? 

A. The FortiGate unit will automatically announce all routes learned through OSPF to its BGP peers if the FortiGate unit is configured as an OSPF Autonomous System Boundary Router (ASBR). 

B. The FortiGate unit will automatically announce all routes learned through OSPF to its BGP peers if the FortiGate unit is configured as an OSPF Area Border Router (ABR). 

C. At a minimum, the network administrator needs to enable Redistribute OSPF in the BGP settings. 

D. The BGP local AS number must be the same as the OSPF area number of the routes learned that need to be redistributed into BGP. 

E. By design, BGP cannot redistribute routes learned through OSPF. 

Answer: