New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Certensure Logo
  1. Home
  2. Fortinet
  3. NSE4
  4. NSE4_FGT-6.4 - Fortinet NSE 4 - FortiOS 6.4

Fortinet NSE4_FGT-6.4 Fortinet NSE 4 - FortiOS 6.4 Exam Practice Test

Demo: 24 questions
Total 165 questions
Get NSE4_FGT-6.4 Full Access Download NSE4_FGT-6.4 PDF

Fortinet NSE 4 - FortiOS 6.4 Questions and Answers

Question 1

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on

which device?

Options:

A.

FortiManager

B.

Root FortiGate

C.

FortiAnalyzer

D.

Downstream FortiGate

Question 2

Exhibit:

Refer to the exhibit to view the authentication rule configuration In this scenario, which statement is true?

Options:

A.

IP-based authentication is enabled

B.

Route-based authentication is enabled

C.

Session-based authentication is enabled.

D.

Policy-based authentication is enabled

Question 3

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

Options:

A.

10.200.1.10

B.

Any available IP address in the WAN (port1) subnet 10.200.1.0/24

C.

10.200.1.1

D.

10.0.1.254

Question 4

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Options:

A.

Subject Key Identifier value

B.

SMMIE Capabilities value

C.

Subject value

D.

Subject Alternative Name value

Question 5

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

Options:

A.

diagnose sys top

B.

execute ping

C.

execute traceroute

D.

diagnose sniffer packet any

E.

get system arp

Question 6

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

Options:

A.

A phase 2 configuration is not required.

B.

This VPN cannot be used as part of a hub-and-spoke topology.

C.

A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

D.

The IPsec firewall policies must be placed at the top of the list.

Question 7

Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

Options:

A.

Custom permission for Network

B.

Read/Write permission for Log & Report

C.

CLI diagnostics commands permission

D.

Read/Write permission for Firewall

Question 8

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

Options:

A.

The firewall policy performs the full content inspection on the file.

B.

The flow-based inspection is used, which resets the last packet to the user.

C.

The volume of traffic being inspected is too high for this model of FortiGate.

D.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Question 9

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

Options:

A.

Application control is not enabled

B.

SSL/SSH Inspection profile is incorrect

C.

Antivirus profile configuration is incorrect

D.

Antivirus definitions are not up to date

Question 10

Refer to the exhibit.

The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration.

How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

Options:

A.

If there is a full-through policy in place, users will not be prompted for authentication.

B.

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

C.

Authentication is enforced at a policy level; all users will be prompted for authentication.

D.

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Question 11

Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Options:

A.

Change the SSL VPN port on the client.

B.

Change the Server IP address.

C.

Change the idle-timeout.

D.

Change the SSL VPN portal to the tunnel.

Question 12

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

Options:

A.

The strict RPF check is run on the first sent and reply packet of any new session.

B.

Strict RPF checks the best route back to the source using the incoming interface.

C.

Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.

D.

Strict RPF allows packets back to sources with all active routes.

Question 13

Which statement regarding the firewall policy authentication timeout is true?

Options:

A.

It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.

B.

It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.

C.

It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.

D.

It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

Question 14

Which two statements are true about the RPF check? (Choose two.)

Options:

A.

The RPF check is run on the first sent packet of any new session.

B.

The RPF check is run on the first reply packet of any new session.

C.

The RPF check is run on the first sent and reply packet of any new session.

D.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Question 15

Which of the following statements about central NAT are true? (Choose two.)

Options:

A.

IP tool references must be removed from existing firewall policies before enabling central NAT.

B.

Central NAT can be enabled or disabled from the CLI only.

C.

Source NAT, using central NAT, requires at least one central SNAT policy.

D.

Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Question 16

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Options:

A.

Log ID

B.

Universally Unique Identifier

C.

Policy ID

D.

Sequence ID

Question 17

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

Options:

A.

The keyUsage extension must be set to keyCertSign.

B.

The common name on the subject field must use a wildcard name.

C.

The issuer must be a public CA.

D.

The CA extension must be set to TRUE.

Question 18

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

Options:

A.

hard-timeout

B.

auth-on-demand

C.

soft-timeout

D.

new-session

E.

Idle-timeout

Question 19

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

Options:

A.

Interface name

B.

Ethernet header

C.

IP header

D.

Application header

E.

Packet payload

Question 20

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Options:

A.

By default, all interfaces are part of the same broadcast domain.

B.

The existing network IP schema must be changed when installing a transparent mode.

C.

Static routes are required to allow traffic to the next hop.

D.

FortiGate forwards frames without changing the MAC address.

Question 21

Refer to the exhibit.

Which contains a session diagnostic output. Which statement is true about the session diagnostic output?

Options:

A.

The session is in SYN_SENT state.

B.

The session is in FIN_ACK state.

C.

The session is in FTN_WAIT state.

D.

The session is in ESTABLISHED state.

Question 22

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

Options:

A.

The public key of the web server certificate must be installed on the browser.

B.

The web-server certificate must be installed on the browser.

C.

The CA certificate that signed the web-server certificate must be installed on the browser.

D.

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Question 23

An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

Options:

A.

192.168.3.0/24

B.

192.168.2.0/24

C.

192.168.1.0/24

D.

192.168.0.0/8

Question 24

Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Options:

A.

Destination NAT is disabled in the firewall policy.

B.

One-to-one NAT IP pool is used in the firewall policy.

C.

Overload NAT IP pool is used in the firewall policy.

D.

Port block allocation IP pool is used in the firewall policy.

Load More NSE4_FGT-6.4 Questions
Demo: 24 questions
Total 165 questions
Get NSE4_FGT-6.4 Full Access Download NSE4_FGT-6.4 PDF