Summer Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Fortinet > NSE4 > NSE4_FGT-7.2

NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Question and Answers

Question # 4

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A.

The collector agent uses a Windows API to query DCs for user logins.

B.

NetAPI polling can increase bandwidth usage in large networks.

C.

The collector agent must search security event logs.

D.

The NetSession Enum function is used to track user logouts.

Full Access
Question # 5

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A.

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B.

The traffic sourced from the client and destined to the server is sent to FGT-1.

C.

The cluster can load balance ICMP connections to the secondary.

D.

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Full Access
Question # 6

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

A.

Log ID

B.

Universally Unique Identifier

C.

Policy ID

D.

Sequence ID

Full Access
Question # 7

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192. 168. 1.0/24 and the remote quick mode selector is 192. 168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

A.

192. 168. 1.0/24

B.

192. 168.0.0/24

C.

192. 168.2.0/24

D.

192. 168.3.0/24

Full Access
Question # 8

17

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

A.

The IP version of the sources and destinations in a firewall policy must be different.

B.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

C.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

D.

The IP version of the sources and destinations in a policy must match.

E.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Full Access
Question # 9

Refer to the exhibit.

Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

A.

Traffic between port2 and port2-vlan1 is allowed by default.

B.

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

C.

port1 is a native VLAN.

D.

port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Full Access
Question # 10

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10 .0.1.254. /24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0. 1. 10?

A.

10.200. 1. 1

B.

10.200.3. 1

C.

10.200. 1. 100

D.

10.200. 1. 10

Full Access
Question # 11

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A.

It limits the scope of application control to the browser-based technology category only.

B.

It limits the scope of application control to scan application traffic based on application category only.

C.

It limits the scope of application control to scan application traffic using parent signatures only

D.

It limits the scope of application control to scan application traffic on DNS protocol only.

Full Access
Question # 12

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Full Access
Question # 13

Which two statements are true about the FGCP protocol? (Choose two.)

A.

FGCP elects the primary FortiGate device.

B.

FGCP is not used when FortiGate is in transparent mode.

C.

FGCP runs only over the heartbeat links.

D.

FGCP is used to discover FortiGate devices in different HA groups.

Full Access
Question # 14

18

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

A.

A CRL

B.

A person

C.

A subordinate CA

D.

A root CA

Full Access
Question # 15

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

A.

VDOMs without ports with connected devices are not displayed in the topology.

B.

Downstream devices can connect to the upstream device from any of their VDOMs.

C.

Security rating reports can be run individually for each configured VDOM.

D.

Each VDOM in the environment can be part of a different Security Fabric.

Full Access
Question # 16

7

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

A.

System time

B.

FortiGuaid update servers

C.

Operating mode

D.

NGFW mode

Full Access
Question # 17

27

Which feature in the Security Fabric takes one or more actions based on event triggers?

A.

Fabric Connectors

B.

Automation Stitches

C.

Security Rating

D.

Logical Topology

Full Access
Question # 18

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

A.

The session is a UDP unidirectional state.

B.

The session is in TCP ESTABLISHED state.

C.

The session is a bidirectional UDP connection.

D.

The session is a bidirectional TCP connection.

Full Access
Question # 19

93

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

A.

Heartbeat interfaces have virtual IP addresses that are manually assigned.

B.

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C.

Virtual IP addresses are used to distinguish between cluster members.

D.

The primary device in the cluster is always assigned IP address 169.254.0.1.

Full Access
Question # 20

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

A.

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

B.

The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C.

The two VLAN subinterfaces must have different VLAN IDs.

D.

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

Full Access
Question # 21

Which statement about video filtering on FortiGate is true?

A.

Full SSL Inspection is not required.

B.

It is available only on a proxy-based firewall policy.

C.

It inspects video files hosted on file sharing services.

D.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Full Access
Question # 22

20

Which two statements are true about the RPF check? (Choose two.)

A.

The RPF check is run on the first sent packet of any new session.

B.

The RPF check is run on the first reply packet of any new session.

C.

The RPF check is run on the first sent and reply packet of any new session.

D.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Full Access
Question # 23

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

A.

Configure a loopback interface with address 203.0.113.2/32.

B.

In the VIP configuration, enable arp-reply.

C.

Enable port forwarding on the server to map the external service port to the internal service port.

D.

In the firewall policy configuration, enable match-vip.

Full Access
Question # 24

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A.

FortiGate automatically negotiates different local and remote addresses with the remote peer.

B.

FortiGate automatically negotiates a new security association after the existing security association expires.

C.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

D.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Full Access
Question # 25

Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

A.

Traffic is blocked because Action is set to DENY in the firewall policy.

B.

Traffic belongs to the root VDOM.

C.

This is a security log.

D.

Log severity is set to error on FortiGate.

Full Access
Question # 26

Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

A.

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

B.

Apple FaceTime will be allowed, based on the Apple filter configuration.

C.

Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn

D.

Apple FaceTime will be allowed, based on the Categories configuration.

Full Access
Question # 27

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A.

The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

B.

The sensor will block all attacks aimed at Windows servers.

C.

The sensor will reset all connections that match these signatures.

D.

The sensor will gather a packet log for all matched traffic.

Full Access
Question # 28

46

Which two types of traffic are managed only by the management VDOM? (Choose two.)

A.

FortiGuard web filter queries

B.

PKI

C.

Traffic shaping

D.

DNS

Full Access
Question # 29

2

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

A.

By default, all interfaces are part of the same broadcast domain.

B.

The existing network IP schema must be changed when installing a transparent mode.

C.

Static routes are required to allow traffic to the next hop.

D.

FortiGate forwards frames without changing the MAC address.

Full Access
Question # 30

106

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

A.

Shut down/reboot a downstream FortiGate device.

B.

Disable FortiAnalyzer logging for a downstream FortiGate device.

C.

Log in to a downstream FortiSwitch device.

D.

Ban or unban compromised hosts.

Full Access
Question # 31

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

A.

The website is exempted from SSL inspection.

B.

The EICAR test file exceeds the protocol options oversize limit.

C.

The selected SSL inspection profile has certificate inspection enabled.

D.

The browser does not trust the FortiGate self-signed CA certificate.

Full Access
Question # 32

Refer to the exhibit.

Which contains a network diagram and routing table output.

The Student is unable to access Webserver.

What is the cause of the problem and what is the solution for the problem?

A.

The first packet sent from Student failed the RPF check.

This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

B.

The first reply packet for Student failed the RPF check.

This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

C.

The first reply packet for Student failed the RPF check .

This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.

D.

The first packet sent from Student failed the RPF check.

This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.

Full Access
Question # 33

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

A.

Virtual IP addresses are used to distinguish between cluster members.

B.

Heartbeat interfaces have virtual IP addresses that are manually assigned.

C.

The primary device in the cluster is always assigned IP address 169.254.0.1.

D.

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Full Access
Question # 34

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

B.

The client FortiGate requires a manually added route to remote subnets.

C.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D.

The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Full Access
Question # 35

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A.

The port3 default route has the lowest metric.

B.

The port1 and port2 default routes are active in the routing table.

C.

The ports default route has the highest distance.

D.

There will be eight routes active in the routing table.

Full Access
Question # 36

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Full Access
Question # 37

113

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

A.

Full Content inspection

B.

Proxy-based inspection

C.

Certificate inspection

D.

Flow-based inspection

Full Access
Question # 38

68

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

A.

The Services field prevents SNAT and DNAT from being combined in the same policy.

B.

The Services field is used when you need to bundle several VIPs into VIP groups.

C.

The Services field removes the requirement to create multiple VIPs for different services.

D.

The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Full Access
Question # 39

16

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

A.

Antivirus scanning

B.

File filter

C.

DNS filter

D.

Intrusion prevention

Full Access
Question # 40

87

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

A.

Warning

B.

Exempt

C.

Allow

D.

Learn

Full Access
Question # 41

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A.

Web filter in flow-based inspection

B.

Antivirus in flow-based inspection

C.

DNS filter

D.

Web application firewall

E.

Application control

Full Access
Question # 42

An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192. 16. 1.0/24 and the remote quick mode selector is 192. 16.2.0/24. How must the administrator configure the local quick mode selector for site B?

A.

192. 168.3.0/24

B.

192. 168.2.0/24

C.

192. 168. 1.0/24

D.

192. 168.0.0/8

Full Access
Question # 43

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

A.

FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.

B.

FortiGate allocates port blocks on a first-come, first-served basis.

C.

FortiGate generates a system event log for every port block allocation made per user.

D.

FortiGate allocates 128 port blocks per user.

Full Access
Question # 44

Which three statements explain a flow-based antivirus profile? (Choose three.)

A.

Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B.

If a virus is detected, the last packet is delivered to the client.

C.

The IPS engine handles the process as a standalone.

D.

FortiGate buffers the whole file but transmits to the client at the same time.

E.

Flow-based inspection optimizes performance compared to proxy-based inspection.

Full Access
Question # 45

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.

Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

A.

set fortiguard-anycast disable

B.

set webfilter-force-off disable

C.

set webfilter-cache disable

D.

set protocol tcp

Full Access
Question # 46

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A.

It limits the scanning of application traffic to the DNS protocol only.

B.

It limits the scanning of application traffic to use parent signatures only.

C.

It limits the scanning of application traffic to the browser-based technology category only.

D.

It limits the scanning of application traffic to the application category only.

Full Access
Question # 47

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A.

idle-timeout

B.

login-timeout

C.

udp-idle-timer

D.

session-ttl

Full Access
Question # 48

32

When configuring a firewall virtual wire pair policy, which following statement is true?

A.

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

B.

Only a single virtual wire pair can be included in each policy.

C.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

D.

Exactly two virtual wire pairs need to be included in each policy.

Full Access
Question # 49

95

Examine this output from a debug flow:

Why did the FortiGate drop the packet?

A.

The next-hop IP address is unreachable.

B.

It failed the RPF check .

C.

It matched an explicitly configured firewall policy with the action DENY.

D.

It matched the default implicit firewall policy.

Full Access
Question # 50

Refer to the exhibit.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

What is the impact of using the Include in every user group option in a RADIUS configuration?

A.

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

B.

This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.

C.

This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.

D.

This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

Full Access