Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate.
Based on the system performance output, what can be the two possible outcomes? (Choose two.)
Correct Answer:
BC
Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter "conserve mode" to prevent further resource exhaustion. In conserve mode:
B. FortiGate has entered conserve mode: When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.
D. Administrators can access FortiGate only through the console port: During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.
The other options are not correct:
A. FortiGate will start sending all files to FortiSandbox for inspection: This is unrelated to memory usage and conserve mode.
C. Administrators cannot change the configuration: While access may be limited, configuration changes can still be made via the console port.
References
FortiOS 7.4.1 Administration Guide - Monitoring System Resources and Performance, page 325.
FortiOS 7.4.1 Administration Guide - Conserve Mode, page 330.
What is the primary FortiGate election process when the HA override setting is disabled?
Correct Answer:
A
When the HA override setting is disabled, FortiGate uses the primary election process based on the following criteria:
Connected monitored ports: The unit with the most monitored ports up is preferred.
Priority: The unit with the highest priority is preferred.
System uptime: The unit with the longest uptime is preferred.
FortiGate serial number: Used as the final criterion to break any remaining ties.
References:
FortiOS 7.4.1 Administration Guide: HA election process
What are two features of collector agent advanced mode? (Choose two.)
Correct Answer:
AD
Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.
Refer to the exhibit.
FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.
What is the most likely reason for this situation?
Correct Answer:
A
Firewall authentication generally requires the DNS service to be enabled in the firewall policy to correctly resolve hostnames during the authentication process. If DNS is not allowed in the firewall policy, the FortiGate cannot resolve external domains, and as a result, the user may not be presented with the login prompt when attempting to access an external website.
References:
FortiOS 7.4.1 Administration Guide: Firewall Authentication Configuration
Refer to the exhibit.
Which route will be selected when trying to reach 10.20.30.254?
Correct Answer:
A
The correct route selected when trying to reach 10.20.30.254 is 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0].
• Prefix Length: The routing process prioritizes routes with the most specific (longest) prefix. In this case, 10.20.30.0/24 has a shorter prefix than 10.20.30.0/26 (option C), but it still matches the target address 10.20.30.254. The /24 subnet includes all addresses from 10.20.30.0 to 10.20.30.255, so 10.20.30.254 falls within this range.
• Administrative Distance and Metric: In the exhibit, all routes have the same administrative distance (AD) and metric, meaning they are considered equal in terms of preference. Hence, the prefix length becomes the primary factor for route selection.
Why the other options are less appropriate:
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
• This route is for a different subnet, 10.30.20.0/24, which does not include the target address 10.20.30.254. Therefore, it is not a valid match.
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
• Although this has a more specific prefix (/26), which means it should cover a smaller range of addresses, the /26 subnet only includes addresses from 10.20.30.0 to 10.20.30.63. The target address 10.20.30.254 does not fall within this range, so this route will not be selected.
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
• This is a default route (0.0.0.0/0) used for any address that doesn't match a more specific route. Since 10.20.30.254 matches the 10.20.30.0/24 route (option A), the default route will not be selected.
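The route lookup reasoned through in this answer, as an added example that is not part of the original page: it parses the four routes from the answer options and applies longest-prefix match, using distance and metric only to break ties between prefixes of equal length. The function names and the extra destinations in the demo loop are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# The four routes exactly as they appear in the answer options above.
TABLE = """\
10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
"""

# prefix [distance/metric] via gateway, interface (trailing bracket field is ignored)
ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+/\d+) \[(?P<distance>\d+)/(?P<metric>\d+)\] "
    r"via (?P<gateway>[\d.]+), (?P<interface>\w+)"
)

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    distance: int
    metric: int
    gateway: str
    interface: str

def parse_table(text: str) -> list[Route]:
    """Hypothetical helper: turn routing-table lines into Route tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a route entry
        routes.append(Route(ipaddress.ip_network(m["prefix"]), int(m["distance"]),
                            int(m["metric"]), m["gateway"], m["interface"]))
    return routes

def select_route(routes: list[Route], destination: str) -> Optional[Route]:
    """Return the matching route with the longest prefix, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    # Longest prefix wins; distance and metric only separate equal-length prefixes.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance, r.metric))

if __name__ == "__main__":
    table = parse_table(TABLE)
    # 10.20.30.254 is the question's target; the other destinations are constructed.
    for dst in ("10.20.30.254", "10.20.30.10", "10.30.20.7", "192.0.2.1"):
        r = select_route(table, dst)
        print(dst, "->", r.prefix, "via", r.gateway, r.interface)
```

The constructed destination 10.20.30.10 lands on the /26 route through port2, which shows that the more specific prefix wins whenever the address actually falls inside it.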