Refer to the exhibits.

Based on the current HA status, an administrator updates theoverrideandpriorityparameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.
What would be the expected outcome in the HA cluster?

1. A. HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.
2. B. HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
3. C. HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
4. D. The HA cluster will become out of sync because the override setting must match on all HA members.

Correct Answer: B
With override enabled on HQ-NGFW-2 and its higher priority (110 vs. 90), HQ-NGFW-2 will become the primary device, preempting HQ-NGFW-1 despite the current primary status.

Refer to the exhibits.

An administrator wants to add HQ-ISFW-2 in the Security Fabric. HQ-ISFW-2 is in the same subnet as HQ- ISFW. After configuring the Security Fabric settings on HQ-ISFW-2, the status staysPending.
What can be the two possible reasons? (Choose two.)

1. A. Upstream FortiGate IP must be set to 10.0.11.254.
2. B. SAML Single Sign-On must be set to Manual.
3. C. HQ-ISFW-2 must be authorized on HQ-ISFW.
4. D. Management IP must be set to 10.0.13.254.

Correct Answer: AC
The Upstream FortiGate IP should match the IP address of the Fabric Root interface, which is 10.0.11.254, not 10.0.13.254.
The new device (HQ-ISFW-2) must be authorized on the Fabric Root (HQ-ISFW) before it can join the Security Fabric, otherwise the status remains pending.

An administrator wants to analyze and manage digital certificates to prevent browser warnings when users connect to the SSL VPN portal.
Which two statements describe how to correctly do this? (Choose two.)

1. A. The administrator can rely on the default FortiGate self-signed certificate to prevent all security warnings in the browser.
2. B. The administrator must disable HTTPS administrative access entirely to avoid certificate warnings.
3. C. The administrator can use a publicly trusted certificate from a known certificate authority (CA) to stop browser warnings.
4. D. The administrator can import the FortiGate self-signed certificate into each user??s browser as a trusted certificate.

Correct Answer: CD
Using a publicly trusted certificate from a known CA prevents browser warnings without additional user action.
Importing the FortiGate self-signed certificate into users?? browsers as trusted eliminates warnings caused by untrusted certificates.

Refer to the exhibit.

What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?

1. A. FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.
2. B. FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.
3. C. FortiGate will close the connection if the SNI does not match the CN or SAN fields.
4. D. FortiGate will close the connection if the SNI does not match the CN and SAN fields

Correct Answer: D
With the Server certificate SNI check set to Strict, FortiGate enforces that the SNI must match either the Common Name (CN) or Subject Alternative Name (SAN) in the server certificate; otherwise, it closes the connection.

Refer to the exhibit.

The exhibit shows theFortiGuard Category Based Filtersection of a corporate web filter profile.
An administrator must block access todownload.com, which belongs to theFreeware and Software Downloadscategory. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)

1. A. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
2. B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
3. C. Configure a separate firewall policy with action Deny and an FQDN address object for*.download.com as destination address.
4. D. Set the Freeware and Software Downloads category Action to Warning.

Correct Answer: AC
Creating a static URL filter to block download.com specifically allows blocking that site without affecting the entire category.
Using a separate firewall policy with a Deny action for an FQDN address object matching download.com can also block the site while allowing others in the same category.