Updated SAP C-HRHFC-2311 Dumps – Check Free C-HRHFC-2311 Exam Dumps (2024)
Updated C-HRHFC-2311 exam with SAP Real Exam Questions
SAP C-HRHFC-2311 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
NEW QUESTION # 10
Refer to the exhibit.
Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?
- A. Traffic matching the signature will be allowed and logged.
- B. The signature setting includes a group of other signatures.
- C. Traffic matching the signature will be silently dropped and logged.
- D. The signature setting uses a custom rating threshold.
Answer: C
Explanation:
Select Block to silently drop traffic matching any of the signatures included in the entry. So, while the default action for this signature would be Pass, the administrator is explicitly overriding it with the Block action. To use the default action, the setting would have to be Default.
FortiGate Security 7.2 Study Guide (p.394): "Select Allow to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in the entry. Select Reset to generate a TCP RST packet whenever the signature is triggered. Select Default to use the default action of the signatures." "If you enable Packet logging, FortiGate saves a copy of the packet that matches the signature." Here the action is set to Block (drop); the signature's own default action is listed only in the signature itself and would apply only if the action were set to Default.
NEW QUESTION # 11
Which three authentication timeout types are available for selection on FortiGate? (Choose three.)
- A. soft-timeout
- B. new-session
- C. Idle-timeout
- D. auth-on-demand
- E. hard-timeout
Answer: B,C,E
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221
NEW QUESTION # 12
Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
- A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
- B. The cluster can load balance ICMP connections to the secondary.
- C. The traffic sourced from the client and destined to the server is sent to FGT-1.
- D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Answer: A,D
Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.317 & p.320): "To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses." "The primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated packet includes the original packet plus session information that the secondary requires to process the traffic."
NEW QUESTION # 13
Refer to the exhibit.
The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
Which two statements are true? (Choose two.)
- A. FortiGate SN FGVM010000064692 has the higher HA priority.
- B. FortiGate devices are not in sync because one device is down.
- C. FortiGate SN FGVM010000065036 HA uptime has been reset.
- D. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
Answer: A,C
Explanation:
1. Override is disabled by default - OK
2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA uptime of the other FortiGate devices, it becomes the primary." The question here is: is the HA uptime of FGVM010000064692 more than 5 minutes greater? No: 198 seconds < 300 seconds (5 minutes). Page 314, Infrastructure Study Guide. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab
NEW QUESTION # 14
Which three statements explain a flow-based antivirus profile? (Choose three.)
- A. FortiGate buffers the whole file but transmits to the client at the same time.
- B. If a virus is detected, the last packet is delivered to the client.
- C. Flow-based inspection optimizes performance compared to proxy-based inspection.
- D. The IPS engine handles the process as a standalone.
- E. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
Answer: A,C,E
NEW QUESTION # 15
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?
- A. Disabled
- B. On Demand
- C. On Idle
- D. Enabled
Answer: C
NEW QUESTION # 16
Refer to the exhibit.
The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?
- A. Change password
- B. Enable restrict access to trusted hosts
- C. Change Administrator profile
- D. Enable two-factor authentication
Answer: C
NEW QUESTION # 17
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
- A. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
- B. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
- C. Enable Dead Peer Detection.
- D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Answer: A,C
Explanation:
Study Guide - IPsec VPN - IPsec configuration - Phase 1 Network.
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.
There are three DPD modes. On demand is the default mode.
Study Guide - IPsec VPN - Redundant VPNs.
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing.
Configure FW policies for each IPsec interface.
NEW QUESTION # 18
Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
- A. The default route is required to receive a reply.
- B. The debug flow is for ICMP traffic.
- C. A new traffic session was created.
- D. A firewall policy allowed the connection.
Answer: B,C
Explanation:
The debug flow output shows the result of a diagnose command that captures the traffic flow between the source and destination IP addresses. The debug flow output reveals the following information about the traffic flow:
The protocol is 1, which means that the traffic uses the ICMP protocol. ICMP is a protocol that is used to send error messages and test connectivity between devices.
The session state is 0, which means that a new traffic session was created. A session is a data structure that stores information about a connection between two devices.
The policy ID is 1, which means that the traffic matched the firewall policy with ID 1. A firewall policy is a rule that defines how FortiGate processes traffic based on the source, destination, service, and action parameters.
The action is 0, which means that the traffic was allowed by the firewall policy. An action is a parameter that specifies what FortiGate does with the traffic that matches a firewall policy.
Therefore, two conclusions that can be made from the debug flow output are:
The debug flow is for ICMP traffic.
A new traffic session was created.
NEW QUESTION # 19
Which statement describes a characteristic of automation stitches?
- A. They can run multiple actions simultaneously.
- B. They can be run only on devices in the Security Fabric.
- C. They can be created on any device in the fabric.
- D. They can have one or more triggers.
Answer: A
Explanation:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/351998/creating-automation-stitches
NEW QUESTION # 20
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
- A. FortiGate hostname
- B. NTP
- C. FortiGuard web filter cache
- D. DNS
Answer: B,D
Explanation:
In the 7.2 Infrastructure Study Guide (page 306), the list of configuration settings that are NOT synchronized includes both 'FortiGate host name' and 'Cache'.
NEW QUESTION # 21
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
- A. The browser does not trust the certificate used by FortiGate for SSL inspection.
- B. The matching firewall policy is set to proxy inspection mode.
- C. The full SSL inspection feature does not have a valid license.
- D. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
Answer: A
Explanation:
FortiGate Security 7.2 Study Guide (p.235): "If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser."
NEW QUESTION # 22
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
- A. NGFW policy-based mode policies support only flow inspection
- B. NGFW policy-based mode does not require the use of central source NAT policy
- C. NGFW policy-based mode can only be applied globally and not on individual VDOMs
- D. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
Answer: A,D
NEW QUESTION # 23
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)
- A. The common name on the subject field must use a wildcard name.
- B. The keyUsage extension must be set to keyCertSign.
- C. The issuer must be a public CA.
- D. The CA extension must be set to TRUE.
Answer: B,D
Explanation:
"In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."
NEW QUESTION # 24
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
- A. Strict RPF checks the best route back to the source using the incoming interface.
- B. The strict RPF check is run on the first sent and reply packet of any new session.
- C. Strict RPF allows packets back to sources with all active routes.
- D. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
Answer: A
Explanation:
Strict Reverse Path Forwarding (RPF) is a security feature that is used to detect and prevent IP spoofing attacks on a network. It works by checking the routing information for incoming packets to ensure that they are coming from the source address that is indicated in the packet's header. In strict RPF mode, the firewall will check the best route back to the source of the incoming packet using the incoming interface. If the packet's source address does not match the route back to the source, the packet is dropped. This helps to prevent attackers from spoofing their IP address and attempting to access the network.
NEW QUESTION # 25
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in CPU usage?
- A. The IPS engine will continue to run in a normal state.
- B. The IPS engine was blocking all traffic.
- C. The IPS engine was inspecting high volume of traffic.
- D. The IPS engine was unable to prevent an intrusion attack.
Answer: C
Explanation:
fortinet-fortigate-security-study-guide-for-fortios-72 page 417 If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.
Reference:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage
NEW QUESTION # 26
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?
- A. Security logs
- B. System event logs
- C. Local traffic logs
- D. Forward traffic logs
Answer: C
Explanation:
Reference:
Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
FortiGate Security 7.2 Study Guide (p.176): "Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to the GUI and FortiGuard queries."
NEW QUESTION # 27
What is a reason for triggering IPS fail open?
- A. The IPS socket buffer is full and the IPS engine cannot process additional packets.
- B. The IPS engine is upgraded.
- C. The IPS engine cannot decode a packet.
- D. The administrator enabled NTurbo acceleration.
Answer: A
NEW QUESTION # 28
A website's FortiGuard category can be overridden and assigned to a different category. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating for the home page? (Choose two.)
- A. example.com
- B. www.example.com:443
- C. www.example.com/index.html
- D. www.example.com
Answer: A,D
Explanation:
When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names - no URLs or wildcard characters are allowed.
OK: google.com or www.google.com
NOT OK: www.google.com/index.html or google.*
FortiGate_Security_6.4 page 384
NEW QUESTION # 29
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?
- A. On HQ-FortiGate, enable Auto-negotiate.
- B. On HQ-FortiGate, set Encryption to AES256.
- C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
- D. On Remote-FortiGate, set Seconds to 43200.
Answer: B
NEW QUESTION # 30
Actual C-HRHFC-2311 Exam Recently Updated Questions with Free Demo: https://www.dumpexams.com/C-HRHFC-2311-real-answers.html
Free SAP C-HRHFC-2311 Exam Questions: https://drive.google.com/open?id=1pKMFaKd3oHvXB7wWX3vyrBUru5h1XTh3