New Year Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Fortinet NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Exam Practice Test

Page: 1 / 17
Total 170 questions

Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Question 1

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

Options:

A.

The keyUsage extension must be set to keyCertSign.

B.

The common name on the subject field must use a wildcard name.

C.

The issuer must be a public CA.

D.

The CA extension must be set to TRUE.

Question 2

16

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

Options:

A.

Antivirus scanning

B.

File filter

C.

DNS filter

D.

Intrusion prevention

Question 3

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

Options:

A.

Policy lookup will be disabled.

B.

By Sequence view will be disabled.

C.

Search option will be disabled

D.

Interface Pair view will be disabled.

Question 4

Refer to the exhibits.

Question # 4

Question # 4

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook .

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Options:

A.

Make SSL inspection needs to be a deep content inspection.

B.

Force access to Facebook using the HTTP service.

C.

Get the additional application signatures are required to add to the security policy.

D.

Add Facebook in the URL category in the security policy.

Question 5

Which two statements are true about the FGCP protocol? (Choose two.)

Options:

A.

FGCP elects the primary FortiGate device.

B.

FGCP is not used when FortiGate is in transparent mode.

C.

FGCP runs only over the heartbeat links.

D.

FGCP is used to discover FortiGate devices in different HA groups.

Question 6

73

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?

Options:

A.

IP address

B.

Once Internet Service is selected, no other object can be added

C.

User or User Group

D.

FQDN address

Question 7

7

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

Options:

A.

Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

B.

Create a new service object for HTTP service and set the session TTL to never

C.

Set the TTL value to never under config system-ttl

D.

Set the session TTL on the HTTP policy to maximum

Question 8

17

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

Options:

A.

The IP version of the sources and destinations in a firewall policy must be different.

B.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

C.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

D.

The IP version of the sources and destinations in a policy must match.

E.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Question 9

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Options:

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question 10

113

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Options:

A.

Full Content inspection

B.

Proxy-based inspection

C.

Certificate inspection

D.

Flow-based inspection

Question 11

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192. 168. 1.0/24 and the remote quick mode selector is 192. 168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

Options:

A.

192. 168. 1.0/24

B.

192. 168.0.0/24

C.

192. 168.2.0/24

D.

192. 168.3.0/24

Question 12

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

Options:

A.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

B.

The client FortiGate requires a manually added route to remote subnets.

C.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D.

The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Question 13

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

Options:

A.

FortiGate uses the AD server as the collector agent.

B.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C.

FortiGate does not support workstation check .

D.

FortiGate directs the collector agent to use a remote LDAP server.

Question 14

Refer to the exhibits.

Question # 14

Question # 14

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Options:

A.

Change the SSL VPN port on the client.

B.

Change the Server IP address.

C.

Change the idle-timeout.

D.

Change the SSL VPN portal to the tunnel.

Question 15

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Question # 15

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

Options:

A.

Configure a loopback interface with address 203.0.113.2/32.

B.

In the VIP configuration, enable arp-reply.

C.

Enable port forwarding on the server to map the external service port to the internal service port.

D.

In the firewall policy configuration, enable match-vip.

Question 16

Which statement describes a characteristic of automation stitches?

Options:

A.

They can have one or more triggers.

B.

They can be run only on devices in the Security Fabric.

C.

They can run multiple actions simultaneously.

D.

They can be created on any device in the fabric.

Question 17

Refer to the exhibits.

Question # 17

Question # 17

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

Options:

A.

Change the csf setting on ISFW (downstream) to set configuration-sync local.

B.

Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

C.

Change the csf setting on both devices to set downstream-access enable.

D.

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Question 18

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

Options:

A.

VDOMs without ports with connected devices are not displayed in the topology.

B.

Downstream devices can connect to the upstream device from any of their VDOMs.

C.

Security rating reports can be run individually for each configured VDOM.

D.

Each VDOM in the environment can be part of a different Security Fabric.

Question 19

Which of the following SD-WAN load balancing method use interface weight value to distribute traffic? (Choose two.)

Options:

A.

Source IP

B.

Spillover

C.

Volume

D.

Session

Question 20

Refer to the exhibit.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

Question # 20

What is the impact of using the Include in every user group option in a RADIUS configuration?

Options:

A.

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

B.

This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.

C.

This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.

D.

This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

Question 21

Refer to the exhibit.

Question # 21

Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

Options:

A.

Traffic between port2 and port2-vlan1 is allowed by default.

B.

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

C.

port1 is a native VLAN.

D.

port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Question 22

46

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:

A.

FortiGuard web filter queries

B.

PKI

C.

Traffic shaping

D.

DNS

Question 23

43

Which two statements are correct about SLA targets? (Choose two.)

Options:

A.

You can configure only two SLA targets per one Performance SLA.

B.

SLA targets are optional.

C.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

D.

SLA targets are used only when referenced by an SD-WAN rule.

Question 24

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.

Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

Options:

A.

set fortiguard-anycast disable

B.

set webfilter-force-off disable

C.

set webfilter-cache disable

D.

set protocol tcp

Question 25

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

Options:

A.

By default, FortiGate uses WINS servers to resolve names.

B.

By default, the SSL VPN portal requires the installation of a client's certificate.

C.

By default, split tunneling is enabled.

D.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Question 26

Refer to the exhibit.

Question # 26

Which contains a session diagnostic output. Which statement is true about the session diagnostic output?

Options:

A.

The session is in SYN_SENT state.

B.

The session is in FIN_ACK state.

C.

The session is in FTN_WAIT state.

D.

The session is in ESTABLISHED state.

Question 27

51

Which of the following statements about central NAT are true? (Choose two.)

Options:

A.

IP tool references must be removed from existing firewall policies before enabling central NAT .

B.

Central NAT can be enabled or disabled from the CLI only.

C.

Source NAT, using central NAT, requires at least one central SNAT policy.

D.

Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Question 28

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

Options:

A.

FortiGate uses fewer resources.

B.

FortiGate performs a more exhaustive inspection on traffic.

C.

FortiGate adds less latency to traffic.

D.

FortiGate allocates two sessions per connection.

Question 29

94

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

Options:

A.

The interface has been configured for one-arm sniffer.

B.

The interface is a member of a virtual wire pair.

C.

The operation mode is transparent.

D.

The interface is a member of a zone.

E.

Captive portal is enabled in the interface.

Question 30

45

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

Options:

A.

diagnose sys top

B.

execute ping

C.

execute traceroute

D.

diagnose sniffer packet any

E.

get system arp

Question 31

Refer to the exhibit.

Question # 31

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

Options:

A.

Custom permission for Network

B.

Read/Write permission for Log & Report

C.

CLI diagnostics commands permission

D.

Read/Write permission for Firewall

Question 32

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

Question # 32

Question # 32

The WAN (port1) interface has the IP address 10.200. 1. 1/24. The LAN (port2) interface has the IP address 10.0. 1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0. 1. 10/24?

Options:

A.

10.200. 1. 10

B.

Any available IP address in the WAN (port1) subnet 10.200. 1.0/24

66 of 108

C.

10.200. 1. 1

D.

10.0. 1.254

Question 33

68

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

Options:

A.

The Services field prevents SNAT and DNAT from being combined in the same policy.

B.

The Services field is used when you need to bundle several VIPs into VIP groups.

C.

The Services field removes the requirement to create multiple VIPs for different services.

D.

The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Question 34

Which three statements explain a flow-based antivirus profile? (Choose three.)

Options:

A.

Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B.

If a virus is detected, the last packet is delivered to the client.

C.

The IPS engine handles the process as a standalone.

D.

FortiGate buffers the whole file but transmits to the client at the same time.

E.

Flow-based inspection optimizes performance compared to proxy-based inspection.

Question 35

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Options:

A.

Log ID

B.

Universally Unique Identifier

C.

Policy ID

D.

Sequence ID

Question 36

Refer to the exhibit.

Question # 36

Question # 36

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check . Which interface will be selected as an outgoing interface?

Options:

A.

port2

B.

port4

C.

port3

D.

port1

Question 37

Refer to the exhibit.

Question # 37

Based on the raw log, which two statements are correct? (Choose two.)

Options:

A.

Traffic is blocked because Action is set to DENY in the firewall policy.

B.

Traffic belongs to the root VDOM.

C.

This is a security log.

D.

Log severity is set to error on FortiGate.

Question 38

The IPS engine is used by which three security features? (Choose three.)

Options:

A.

Antivirus in flow-based inspection

B.

Web filter in flow-based inspection

C.

Application control

D.

DNS filter

E.

Web application firewall

Question 39

Refer to the exhibit.

Question # 39

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Options:

A.

There are five devices that are part of the security fabric.

B.

Device detection is disabled on all FortiGate devices.

C.

This security fabric topology is a logical topology view.

D.

There are 19 security recommendations for the security fabric.

Question 40

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

Options:

A.

It uses UDP 8888.

B.

It uses UDP 53.

C.

It uses DNS over HTTPS.

D.

It uses DNS overTLS.

Question 41

Which statement is correct regarding the use of application control for inspecting web applications?

Options:

A.

Application control can identity child and parent applications, and perform different actions on them.

B.

Application control signatures are organized in a nonhierarchical structure.

C.

Application control does not require SSL inspection to identity web applications.

D.

Application control does not display a replacement message for a blocked web application.

Question 42

In an explicit proxy setup, where is the authentication method and database configured?

Options:

A.

Proxy Policy

B.

Authentication Rule

C.

Firewall Policy

D.

Authentication scheme

Question 43

49

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Options:

A.

Static IP Address

B.

Dialup User

C.

Dynamic DNS

D.

Pre-shared Key

Question 44

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, which statement about VLAN IDs is true?

Options:

A.

The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.

B.

The two VLAN subinterfaces must have different VLAN IDs.

C.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

D.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.

Question 45

6

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

Options:

A.

FortiCache

B.

FortiSIEM

C.

FortiAnalyzer

D.

FortiSandbox

E.

FortiCloud

Question 46

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Question # 46

Question # 46

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Options:

A.

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B.

The traffic sourced from the client and destined to the server is sent to FGT-1.

C.

The cluster can load balance ICMP connections to the secondary.

D.

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Question 47

18

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

Options:

A.

A CRL

B.

A person

C.

A subordinate CA

D.

A root CA

Question 48

24

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on

which device?

Options:

A.

FortiManager

B.

Root FortiGate

C.

FortiAnalyzer

D.

Downstream FortiGate

Question 49

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Options:

A.

Antivirus engine

B.

Intrusion prevention system engine

C.

Flow engine

D.

Detection engine

Question 50

40

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

Options:

A.

diagnose wad session list

B.

diagnose wad session list | grep hook-pre&&hook-out

C.

diagnose wad session list | grep hook=pre&&hook=out

D.

diagnose wad session list | grep "hook=pre"&"hook=out"

Question 51

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

Options:

A.

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

B.

The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C.

The two VLAN subinterfaces must have different VLAN IDs.

D.

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

Page: 1 / 17
Total 170 questions