Refer to the exhibit.

The NOC team connects to the FortiGate GUI with theNOC_Accessadmin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?

1. A. Move NOC_Access to the top of the list to ensure all profile settings take effect.
2. B. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
3. C. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access
4. D. Increase the admintimeout value under config system accprofile NOC_Access.

Correct Answer: D
The admintimeout setting in the admin access profile controls the inactivity timeout for GUI sessions. Increasing this value will extend the session duration before automatic disconnection.

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
The policy should work such thatRemote-User1must be able to access the Webserver while preventing
Remote-User2from accessing theWebserver.
Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to blockRemote-User2from accessing theWebserver?

1. A. Disable match-vip in the Allow_access policy
2. B. Configure a One-to-One IP Pool object in a new policy.
3. C. Set the Destination address as Webserver in the Deny policy.
4. D. Set the Destination address as Deny_IP in the Allow_access policy.

Correct Answer: C
To block Remote-User2's access to the Webserver, the deny policy must explicitly specify the Webserver as the destination address; otherwise, it denies traffic to all destinations, which is not the desired behavior.

A FortiGate firewall policy is configured with active authentication, however, the user cannot authenticate when accessing a website.
Which protocol must FortiGate allow even though the user cannot authenticate?

1. A. LDAP
2. B. TACASC+
3. C. Kerberos
4. D. DNS

Correct Answer: D
DNS traffic must be allowed so the user can resolve domain names and reach the authentication server or web resources, even if authentication initially fails.

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
TheWAN (port2)interface has the IP address100.65.0.101/24.
TheLAN (port4)interface has the IP address10.0.11.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on HQ-PC-1 (10.0.11.50) pings the IP address of BR-FGT (100.65.1.111)

1. A. 100.65.0.101
2. B. 100.65.0.49
3. C. 100.65.0.99
4. D. 100.65.0.149

Correct Answer: C
The ping traffic policy uses the IP pool named SNAT-Remote1, which has the external IP range 100.65.0.99. Therefore, traffic matching this policy (ping from HQ-PC-1 to BR1-FGT) will use 100.65.0.99 for source NAT.

You have configured the below commands on a FortiGate.

What would be the impact of this configuration on FortiGate?

1. A. FortiGate will enable strict RPF on ail its interfaces and port1 will be enable for asymmetric routing.
2. B. FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks.
3. C. Port1 will be enabled with flexible RPF, and all other interfaces will be enabled for strict RPF
4. D. The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces.

Correct Answer: B
The global setting enables strict source checking (RPF) on all interfaces by default. The per-interface setting disables the source check on port1, exempting it from strict RPF enforcement.