NSE4_FGT-7.0 Fortinet NSE 4 - FortiOS 7.0 Questions and Answers

Question # 4

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

A. Heartbeat interfaces have virtual IP addresses that are manually assigned.

B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C. Virtual IP addresses are used to distinguish between cluster members.

D. The primary device in the cluster is always assigned IP address 169.254.0.1.

Question # 5

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

B. Create a new service object for HTTP service and set the session TTL to never.

C. Set the TTL value to never under config system-ttl.

D. Set the session TTL on the HTTP policy to maximum.

Question # 6

Examine this output from a debug flow:

Why did the FortiGate drop the packet?

A. The next-hop IP address is unreachable.

B. It failed the RPF check.

C. It matched an explicitly configured firewall policy with the action DENY.

D. It matched the default implicit firewall policy.

Question # 7

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A. It limits the scope of application control to the browser-based technology category only.

B. It limits the scope of application control to scan application traffic based on application category only.

C. It limits the scope of application control to scan application traffic using parent signatures only.

D. It limits the scope of application control to scan application traffic on DNS protocol only.

Question # 8

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

A. Traffic to botnet servers

B. Traffic to inappropriate web sites

C. Server information disclosure attacks

D. Credit card data leaks

E. SQL injection attacks

Question # 9

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

A. By default, FortiGate uses WINS servers to resolve names.

B. By default, the SSL VPN portal requires the installation of a client’s certificate.

C. By default, split tunneling is enabled.

D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Question # 10

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.

What must an administrator do to achieve this objective?

A. The administrator can register the same FortiToken on more than one FortiGate.

B. The administrator must use a FortiAuthenticator device.

C. The administrator can use a third-party RADIUS OTP server.

D. The administrator must use the user self-registration server.

Question # 11

Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

A. Traffic is blocked because Action is set to DENY in the firewall policy.

B. Traffic belongs to the root VDOM.

C. This is a security log.

D. Log severity is set to error on FortiGate.

Question # 12

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy, instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

A. The IP version of the sources and destinations in a firewall policy must be different.

B. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4 and IPv6.

C. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

D. The IP version of the sources and destinations in a policy must match.

E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Question # 13

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.

What should the administrator do next to troubleshoot the problem?

A. Run a sniffer on the web server.

B. Capture the traffic using an external sniffer connected to port1.

C. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.

D. Execute a debug flow.

Question # 14

Which statement about video filtering on FortiGate is true?

A. Full SSL Inspection is not required.

B. It is available only on a proxy-based firewall policy.

C. It inspects video files hosted on file sharing services.

D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Question # 15

How does FortiGate act when using SSL VPN in web mode?

A. FortiGate acts as an FDS server.

B. FortiGate acts as an HTTP reverse proxy.

C. FortiGate acts as a DNS server.

D. FortiGate acts as a router.

Question # 16

Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check.

Which interface will be selected as an outgoing interface?

A. port2

B. port4

C. port3

D. port1

Question # 17

When configuring a firewall virtual wire pair policy, which of the following statements is true?

A. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

B. Only a single virtual wire pair can be included in each policy.

C. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

D. Exactly two virtual wire pairs need to be included in each policy.

Question # 18

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A. Antivirus engine

B. Intrusion prevention system engine

C. Flow engine

D. Detection engine

Question # 19

Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

A. Social networking web filter category is configured with the action set to authenticate.

B. The action on firewall policy ID 1 is set to warning.

C. Access to the social networking web filter category was explicitly blocked to all users.

D. The name of the firewall policy is all_users_web.

Question # 20

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

B. The client FortiGate requires a manually added route to remote subnets.

C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Question # 21

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct about adding the FTP.Login.Failed signature to the IPS sensor profile?

A. The signature setting uses a custom rating threshold.

B. The signature setting includes a group of other signatures.

C. Traffic matching the signature will be allowed and logged.

D. Traffic matching the signature will be silently dropped and logged.

Question # 22

An administrator has configured the outgoing interface as any in a firewall policy. Which statement is true about the policy list view?

A. Policy lookup will be disabled.

B. By Sequence view will be disabled.

C. Search option will be disabled.

D. Interface Pair view will be disabled.

Question # 23

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

A. Add the support of NTLM authentication.

B. Add user accounts to Active Directory (AD).

C. Add user accounts to the FortiGate group filter.

D. Add user accounts to the Ignore User List.

Question # 24

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.

With this configuration, which statement is true?

A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Question # 25

Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

A. Change the SSL VPN port on the client.

B. Change the Server IP address.

C. Change the idle-timeout.

D. Change the SSL VPN portal to the tunnel.
