Download FortiDDoS 4.0 Specialist.FortiDDoS.VCEplus.2019-05-03.15q.vcex

Vendor: Fortinet
Exam Code: FortiDDoS
Exam Name: FortiDDoS 4.0 Specialist
Date: May 03, 2019
File Size: 603 KB

Demo Questions

Question 1
Which is true regarding packets that match a do-not-track policy with the action Track and Allow?
  A. Packets are never dropped.
  B. Source IP addresses are added to the legitimate IP (LIP) table.
  C. Packets are not included in the statistics for threshold estimation.
  D. Packets are assigned to SPP 0.
Correct answer: A
Explanation:
Reference: http://help.fortinet.com/fddos/4-3-0/FortiDDoS/Configuring_a_Do_Not_Track_policy.htm
Question 2
Regarding the switching SPP feature, what is used to determine when FortiDDoS switches the traffic to an alternate SPP?
  A. Traffic volume
  B. Destination IP addresses
  C. Mitigated attacks
  D. Blocked packets
Correct answer: A
Explanation:
Reference: http://help.fortinet.com/fddos/4-3-0/FortiDDoS/Configuring_SPP_policy_settings.htm
Question 3
A FortiDDoS device is connected between a protected server and an Internet router. For the aggressive aging feature, the administrator must manually add the router internal interface MAC address to the FortiDDoS configuration. Why does the FortiDDoS need this information?
  A. To send RST packets to the protected server spoofing the router internal interface MAC address.
  B. To allow incoming traffic only from that specific MAC address.
  C. To determine which traffic direction is incoming and which traffic direction is outgoing.
  D. To allow outgoing traffic only to that specific MAC address.
Correct answer: A
Explanation:
Reference: https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/44f876f1-2436-11e9-b20a-f8bc1258b856/fortiddos-5-0-0-handbook.pdf page 80
Question 4
As the exhibit shows, a FortiDDoS port2 is connected to the protected server. Its port1 is connected to the Internet. The FortiDDoS has 8 interfaces for user traffic. The exhibit also shows a screenshot of the unit dashboard. 
The administrator noticed that the statistics are showing all the traffic coming from the Internet to the protected server as outbound, instead of inbound. Based on the exhibit, what is the cause of this mislabeling?
  A. The protected server is connected to a wrong FortiDDoS interface. It must be connected to an interface from port 5 to port 8.
  B. SPP 0 is operating in detection mode.
  C. The SPP 0 link is down.
  D. FortiDDoS interfaces are wrongly connected. The interface port1 must be connected to the protected server and port2 must be connected to the Internet.
Correct answer: D
Question 5
A FortiDDoS administrator wants the configured minimum threshold to act as a hard, fixed threshold. So, FortiDDoS will start dropping packets and mitigating the traffic as soon as the traffic volume goes above the configured minimum threshold, regardless of the values of the other thresholds. What configuration change can be done to achieve this requirement?
  A. Setting the SPP to detection mode.
  B. Changing the adaptive mode to fixed.
  C. Setting the adaptive limit percentage to 100%.
  D. Disabling the adaptive limit threshold.
Correct answer: C
Explanation:
Reference: https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/44f876f1-2436-11e9-b20a-f8bc1258b856/fortiddos-5-0-0-handbook.pdf page 63
Question 6
The exhibit shows the configuration for the blocking periods.
FortiDDoS has detected an incoming fragmented flood attack in SPP 0.
According to the exhibit, which action does the unit take with the SPP-0 traffic as soon as the attack is detected?
  A. Incoming fragmented packets from all sources are blocked for at least 60 seconds.
  B. Incoming fragmented packets from all identified malicious sources are blocked for at least 120 seconds.
  C. Incoming fragmented packets from all sources are blocked for at least 15 seconds.
  D. All incoming packets from all sources are blocked for at least 15 seconds.
Correct answer: C
Explanation:
Reference: https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/44f876f1-2436-11e9-b20a-f8bc1258b856/fortiddos-5-0-0-handbook.pdf page 264
Question 7
A FortiDDoS device must be deployed as soon as possible in a customer network that is currently under a DDoS attack. Which values are recommended to use for the configured minimum thresholds?
  A. The factory default values.
  B. The factory default values increased by a percentage that depends on the customer traffic volume.
  C. The easy setup values.
  D. The system recommended values after a one-hour learning period.
Correct answer: D
Explanation:
Reference: https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/44f876f1-2436-11e9-b20a-f8bc1258b856/fortiddos-5-0-0-handbook.pdf page 126
Question 8
Which of the following DoS attacks are categorized as bulk volumetric attacks? (Choose two.)
  A. Slowloris
  B. HTTP slow read
  C. SYN flood
  D. ICMP flood
Correct answer: CD
Question 9
What is the maximum number of service protection profiles (SPPs) supported in a FortiDDoS device?
  A. 4
  B. 8
  C. 16
Correct answer: C
Explanation:
Reference: https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/44f876f1-2436-11e9-b20a-f8bc1258b856/fortiddos-5-0-0-handbook.pdf page 17
Question 10
A FortiDDoS device is configured to mitigate SYN flood attacks using the SYN cookie mode. What action does it take when it is mitigating a SYN flood attack and a SYN packet from a new source IP address arrives?
  A. It replies with a SYN/ACK packet containing a cookie value in the TCP sequence field.
  B. It replies with two SYN/ACK packets: one containing the right acknowledge value, the other one with a wrong acknowledge value.
  C. It replies with a RST packet if the SYN packet does not contain the right cookie in the sequence field.
  D. It replies with a SYN/ACK packet containing a cookie value in the TCP acknowledge field.
Correct answer: A
Explanation:
Reference: https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/44f876f1-2436-11e9-b20a-f8bc1258b856/fortiddos-5-0-0-handbook.pdf page 78