New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Fortinet NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Exam Practice Test

Demo: 49 questions
Total 170 questions

Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Question 1

11

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

Options:

A.

To detect intermediary NAT devices in the tunnel path.

B.

To dynamically change phase 1 negotiation mode aggressive mode.

C.

To encapsulation ESP packets in UDP packets using port 4500.

D.

To force a new DH exchange with each phase 2 rekey.

Question 2

Refer to the exhibit.

The exhibit shows the output of a diagnose command.

What does the output reveal about the policy route?

Options:

A.

It is an ISDB route in policy route.

B.

It is a regular policy route.

C.

It is an ISDB policy route with an SDWAN rule.

D.

It is an SDWAN rule in policy route.

Question 3

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

Options:

A.

The firewall policy performs the full content inspection on the file.

B.

The flow-based inspection is used, which resets the last packet to the user.

C.

The volume of traffic being inspected is too high for this model of FortiGate.

D.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Question 4

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

Options:

A.

The firmware image must be manually uploaded to each FortiGate.

B.

Only secondary FortiGate devices are rebooted.

C.

Uninterruptable upgrade is enabled by default.

D.

Traffic load balancing is temporally disabled while upgrading the firmware.

Question 5

55

In which two ways can RPF checking be disabled? (Choose two )

Options:

A.

Enable anti-replay in firewall policy.

B.

Disable the RPF check at the FortiGate interface level for the source check

C.

Enable asymmetric routing.

D.

Disable strict-arc-check under system settings.

Question 6

87

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

Options:

A.

Warning

B.

Exempt

C.

Allow

D.

Learn

Question 7

Which statement correctly describes the use of reliable logging on FortiGate?

Options:

A.

Reliable logging is enabled by default in all configuration scenarios.

B.

Reliable logging is required to encrypt the transmission of logs.

C.

Reliable logging can be configured only using the CLI.

D.

Reliable logging prevents the loss of logs when the local disk is full.

Question 8

73

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?

Options:

A.

IP address

B.

Once Internet Service is selected, no other object can be added

C.

User or User Group

D.

FQDN address

Question 9

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Options:

A.

It limits the scanning of application traffic to the DNS protocol only.

B.

It limits the scanning of application traffic to use parent signatures only.

C.

It limits the scanning of application traffic to the browser-based technology category only.

D.

It limits the scanning of application traffic to the application category only.

Question 10

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

Options:

A.

On HQ-FortiGate, enable Auto-negotiate.

B.

On Remote-FortiGate, set Seconds to 43200.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, set Encryption to AES256.

Question 11

Which statement about video filtering on FortiGate is true?

Options:

A.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

B.

It does not require a separate FortiGuard license.

C.

Full SSL inspection is not required.

D.

its available only on a proxy-based firewall policy.

Question 12

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

Options:

A.

FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.

B.

FortiGate allocates port blocks on a first-come, first-served basis.

C.

FortiGate generates a system event log for every port block allocation made per user.

D.

FortiGate allocates 128 port blocks per user.

Question 13

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

Options:

A.

It uses UDP 8888.

B.

It uses UDP 53.

C.

It uses DNS over HTTPS.

D.

It uses DNS overTLS.

Question 14

32

When configuring a firewall virtual wire pair policy, which following statement is true?

Options:

A.

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

B.

Only a single virtual wire pair can be included in each policy.

C.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

D.

Exactly two virtual wire pairs need to be included in each policy.

Question 15

99

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

Options:

A.

The administrator can register the same FortiToken on more than one FortiGate.

B.

The administrator must use a FortiAuthenticator device

C.

The administrator can use a third-party radius OTP server.

D.

The administrator must use the user self-registration server.

Question 16

View the exhibit.

Which of the following statements are correct? (Choose two.)

Options:

A.

This setup requires at least two firewall policies with the action set to IPsec.

B.

Dead peer detection must be disabled to support this type of IPsec setup.

C.

The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

D.

This is a redundant IPsec setup.

Question 17

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

Options:

A.

The strict RPF check is run on the first sent and reply packet of any new session.

B.

Strict RPF checks the best route back to the source using the incoming interface.

C.

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

D.

Strict RPF allows packets back to sources with all active routes.

Question 18

An administrator configures outgoing interface any in a firewall policy.

What is the result of the policy list view?

Options:

A.

Search option is disabled.

B.

Policy lookup is disabled.

C.

By Sequence view is disabled.

D.

Interface Pair view is disabled.

Question 19

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.

The port3 default route has the lowest metric.

B.

The port1 and port2 default routes are active in the routing table.

C.

The ports default route has the highest distance.

D.

There will be eight routes active in the routing table.

Question 20

51

Which of the following statements about central NAT are true? (Choose two.)

Options:

A.

IP tool references must be removed from existing firewall policies before enabling central NAT .

B.

Central NAT can be enabled or disabled from the CLI only.

C.

Source NAT, using central NAT, requires at least one central SNAT policy.

D.

Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Question 21

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Options:

A.

Antivirus engine

B.

Intrusion prevention system engine

C.

Flow engine

D.

Detection engine

Question 22

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

Options:

A.

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

B.

The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C.

The two VLAN subinterfaces must have different VLAN IDs.

D.

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

Question 23

106

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

Options:

A.

Shut down/reboot a downstream FortiGate device.

B.

Disable FortiAnalyzer logging for a downstream FortiGate device.

C.

Log in to a downstream FortiSwitch device.

D.

Ban or unban compromised hosts.

Question 24

7

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

Options:

A.

System time

B.

FortiGuaid update servers

C.

Operating mode

D.

NGFW mode

Question 25

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

Options:

A.

Virtual IP addresses are used to distinguish between cluster members.

B.

Heartbeat interfaces have virtual IP addresses that are manually assigned.

C.

The primary device in the cluster is always assigned IP address 169.254.0.1.

D.

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Question 26

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

Options:

A.

The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

B.

The sensor will block all attacks aimed at Windows servers.

C.

The sensor will reset all connections that match these signatures.

D.

The sensor will gather a packet log for all matched traffic.

Question 27

Options:

A.

Log downloads from the GUI are limited to the current filter view B. Log backups from the CLI cannot be restored to another FortiGate. C. Log backups from the CLI can be configured to upload to FTP as a scheduled time D. Log downloads from the GUI are stored as LZ4 compressed files.

Question 28

94

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

Options:

A.

The interface has been configured for one-arm sniffer.

B.

The interface is a member of a virtual wire pair.

C.

The operation mode is transparent.

D.

The interface is a member of a zone.

E.

Captive portal is enabled in the interface.

Question 29

Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.

A local FortiManager is one of the servers FortiGate communicates with.

B.

One server was contacted to retrieve the contract information.

C.

There is at least one server that lost packets consecutively.

D.

FortiGate is using default FortiGuard communication settings.

Question 30

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

Options:

A.

Device detection on all interfaces is enforced for 30 minutes.

B.

Denied users are blocked for 30 minutes.

C.

A session for denied traffic is created.

D.

The number of logs generated by denied traffic is reduced.

Question 31

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

Options:

A.

Web filter in flow-based inspection

B.

Antivirus in flow-based inspection

C.

DNS filter

D.

Web application firewall

E.

Application control

Question 32

Which scanning technique on FortiGate can be enabled only on the CLI?

Options:

A.

Heuristics scan

B.

Trojan scan

C.

Antivirus scan

D.

Ransomware scan

Question 33

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

Options:

A.

FortiGate uses the AD server as the collector agent.

B.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C.

FortiGate does not support workstation check .

D.

FortiGate directs the collector agent to use a remote LDAP server.

Question 34

Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

Options:

A.

Traffic is blocked because Action is set to DENY in the firewall policy.

B.

Traffic belongs to the root VDOM.

C.

This is a security log.

D.

Log severity is set to error on FortiGate.

Question 35

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10 .0.1.254. /24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0. 1. 10?

Options:

A.

10.200. 1. 1

B.

10.200.3. 1

C.

10.200. 1. 100

D.

10.200. 1. 10

Question 36

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

Options:

A.

System event logs

B.

Forward traffic logs

C.

Local traffic logs

D.

Security logs

Question 37

Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

Options:

A.

It always authorizes the traffic without requiring authentication.

B.

It drops the traffic.

C.

It authenticates the traffic using the authentication scheme SCHEME2.

D.

It authenticates the traffic using the authentication scheme SCHEME1.

Question 38

Which two statements ate true about the Security Fabric rating? (Choose two.)

Options:

A.

It provides executive summaries of the four largest areas of security focus.

B.

Many of the security issues can be fixed immediately by clicking Apply where available.

C.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

D.

The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

Question 39

82

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Options:

A.

Set the maximum session TTL value for the TELNET service object.

B.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C.

Create a new service object for TELNET and set the maximum session TTL.

D.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Question 40

7

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

Options:

A.

Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

B.

Create a new service object for HTTP service and set the session TTL to never

C.

Set the TTL value to never under config system-ttl

D.

Set the session TTL on the HTTP policy to maximum

Question 41

109

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides

(client and server) have terminated the session?

Options:

A.

To remove the NAT operation.

B.

To generate logs

C.

To finish any inspection operations.

D.

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Question 42

Which statement describes a characteristic of automation stitches?

Options:

A.

They can have one or more triggers.

B.

They can be run only on devices in the Security Fabric.

C.

They can run multiple actions simultaneously.

D.

They can be created on any device in the fabric.

Question 43

You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

Options:

A.

No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%.

B.

No new log is recorded until you manually clear logs from the local disk.

C.

Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.

D.

Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%.

Question 44

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

Which FortiGate configuration can achieve this goal?

Options:

A.

SSL VPN bookmark

B.

SSL VPN tunnel

C.

Zero trust network access

D.

SSL VPN quick connection

Question 45

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

Options:

A.

idle-timeout

B.

login-timeout

C.

udp-idle-timer

D.

session-ttl

Question 46

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

Options:

A.

FortiGate automatically negotiates different local and remote addresses with the remote peer.

B.

FortiGate automatically negotiates a new security association after the existing security association expires.

C.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

D.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Question 47

84

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Options:

A.

Subject Key Identifier value

B.

SMMIE Capabilities value

C.

Subject value

D.

Subject Alternative Name value

Question 48

20

Which two statements are true about the RPF check? (Choose two.)

Options:

A.

The RPF check is run on the first sent packet of any new session.

B.

The RPF check is run on the first reply packet of any new session.

C.

The RPF check is run on the first sent and reply packet of any new session.

D.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Question 49

53

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

Options:

A.

The public key of the web server certificate must be installed on the browser.

B.

The web-server certificate must be installed on the browser.

C.

The CA certificate that signed the web-server certificate must be installed on the browser.

D.

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Demo: 49 questions
Total 170 questions