New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Questions 4

55

In which two ways can RPF checking be disabled? (Choose two )

Options:

A.

Enable anti-replay in firewall policy.

B.

Disable the RPF check at the FortiGate interface level for the source check

C.

Enable asymmetric routing.

D.

Disable strict-arc-check under system settings.

Buy Now
Questions 5

73

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?

Options:

A.

IP address

B.

Once Internet Service is selected, no other object can be added

C.

User or User Group

D.

FQDN address

Buy Now
Questions 6

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24. The LAN (port2) interface has the IP address 10.0. 1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0. 1. 10/24?

Options:

A.

10.200. 1. 10

B.

Any available IP address in the WAN (port1) subnet 10.200. 1.0/24

66 of 108

C.

10.200. 1. 1

D.

10.0. 1.254

Buy Now
Questions 7

113

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Options:

A.

Full Content inspection

B.

Proxy-based inspection

C.

Certificate inspection

D.

Flow-based inspection

Buy Now
Questions 8

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

Options:

A.

The debug flow is for ICMP traffic.

B.

The default route is required to receive a reply.

C.

Anew traffic session was created.

D.

A firewall policy allowed the connection.

Buy Now
Questions 9

Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Options:

A.

Change the SSL VPN port on the client.

B.

Change the Server IP address.

C.

Change the idle-timeout.

D.

Change the SSL VPN portal to the tunnel.

Buy Now
Questions 10

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

Options:

A.

On Remote-FortiGate, set Seconds to 43200.

B.

On HQ-FortiGate, set Encryption to AES256.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, enable Auto-negotiate.

Buy Now
Questions 11

Which three statements explain a flow-based antivirus profile? (Choose three.)

Options:

A.

Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B.

If a virus is detected, the last packet is delivered to the client.

C.

The IPS engine handles the process as a standalone.

D.

FortiGate buffers the whole file but transmits to the client at the same time.

E.

Flow-based inspection optimizes performance compared to proxy-based inspection.

Buy Now
Questions 12

32

When configuring a firewall virtual wire pair policy, which following statement is true?

Options:

A.

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

B.

Only a single virtual wire pair can be included in each policy.

C.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

D.

Exactly two virtual wire pairs need to be included in each policy.

Buy Now
Questions 13

Refer to the exhibit.

Which contains a session diagnostic output. Which statement is true about the session diagnostic output?

Options:

A.

The session is in SYN_SENT state.

B.

The session is in FIN_ACK state.

C.

The session is in FTN_WAIT state.

D.

The session is in ESTABLISHED state.

Buy Now
Questions 14

Refer to the exhibit.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

What is the impact of using the Include in every user group option in a RADIUS configuration?

Options:

A.

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

B.

This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.

C.

This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.

D.

This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

Buy Now
Questions 15

What are two features of collector agent advanced mode? (Choose two.)

Options:

A.

In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

B.

In advanced mode, security profiles can be applied only to user groups, not individual users.

C.

Advanced mode uses the Windows convention—NetBios: Domain\Username.

D.

Advanced mode supports nested or inherited groups.

Buy Now
Questions 16

40

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

Options:

A.

diagnose wad session list

B.

diagnose wad session list | grep hook-pre&&hook-out

C.

diagnose wad session list | grep hook=pre&&hook=out

D.

diagnose wad session list | grep "hook=pre"&"hook=out"

Buy Now
Questions 17

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

Options:

A.

To allow for out-of-order packets that could arrive after the FIN/ACK packets

B.

To finish any inspection operations

C.

To remove the NAT operation

D.

To generate logs

Buy Now
Questions 18

Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

Options:

A.

Social networking web filter category is configured with the action set to authenticate.

B.

The action on firewall policy ID 1 is set to warning.

C.

Access to the social networking web filter category was explicitly blocked to all users.

D.

The name of the firewall policy is all_users_web.

Buy Now
Questions 19

31

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

Options:

A.

get system status

B.

get system performance status

C.

diagnose sys top

D.

get system arp

Buy Now
Questions 20

An administrator configures outgoing interface any in a firewall policy.

What is the result of the policy list view?

Options:

A.

Search option is disabled.

B.

Policy lookup is disabled.

C.

By Sequence view is disabled.

D.

Interface Pair view is disabled.

Buy Now
Questions 21

34

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

Options:

A.

DNS-based web filter and proxy-based web filter

B.

Static URL filter, FortiGuard category filter, and advanced filters

C.

Static domain filter, SSL inspection filter, and external connectors filters

D.

FortiGuard category filter and rating filter

Buy Now
Questions 22

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

Options:

A.

Change the csf setting on ISFW (downstream) to set configuration-sync local.

B.

Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

C.

Change the csf setting on both devices to set downstream-access enable.

D.

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Buy Now
Questions 23

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

Options:

A.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

B.

The client FortiGate requires a manually added route to remote subnets.

C.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D.

The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Buy Now
Questions 24

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

Options:

A.

System event logs

B.

Forward traffic logs

C.

Local traffic logs

D.

Security logs

Buy Now
Questions 25

29

Which two statements are correct about a software switch on FortiGate? (Choose two.)

Options:

A.

It can be configured only when FortiGate is operating in NAT mode

B.

Can act as a Layer 2 switch as well as a Layer 3 router

C.

All interfaces in the software switch share the same IP address

D.

It can group only physical interfaces

Buy Now
Questions 26

Which two statements explain antivirus scanning modes? (Choose two.)

Options:

A.

In proxy-based inspection mode, files bigger than the buffer size are scanned.

B.

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

C.

In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

D.

In flow-based inspection mode, files bigger than the buffer size are scanned.

Buy Now
Questions 27

Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

Options:

A.

Policy with ID 4.

B.

Policy with ID 5.

C.

Policies with ID 2 and 3.

D.

Policy with ID 4.

Buy Now
Questions 28

109

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides

(client and server) have terminated the session?

Options:

A.

To remove the NAT operation.

B.

To generate logs

C.

To finish any inspection operations.

D.

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Buy Now
Questions 29

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook .

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Options:

A.

Make SSL inspection needs to be a deep content inspection.

B.

Force access to Facebook using the HTTP service.

C.

Get the additional application signatures are required to add to the security policy.

D.

Add Facebook in the URL category in the security policy.

Buy Now
Questions 30

Which statement is correct regarding the security fabric?

Options:

A.

FortiManager is one of the required member devices.

B.

FortiGate devices must be operating in NAT mode.

C.

A minimum of two Fortinet devices is required.

D.

FortiGate Cloud cannot be used for logging purposes.

Buy Now
Questions 31

Which statement about video filtering on FortiGate is true?

Options:

A.

Full SSL Inspection is not required.

B.

It is available only on a proxy-based firewall policy.

C.

It inspects video files hosted on file sharing services.

D.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Buy Now
Questions 32

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, which statement about VLAN IDs is true?

Options:

A.

The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.

B.

The two VLAN subinterfaces must have different VLAN IDs.

C.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

D.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.

Buy Now
Questions 33

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Options:

A.

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B.

The traffic sourced from the client and destined to the server is sent to FGT-1.

C.

The cluster can load balance ICMP connections to the secondary.

D.

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Buy Now
Questions 34

43

Which two statements are correct about SLA targets? (Choose two.)

Options:

A.

You can configure only two SLA targets per one Performance SLA.

B.

SLA targets are optional.

C.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

D.

SLA targets are used only when referenced by an SD-WAN rule.

Buy Now
Questions 35

An administrator wants to configure timeouts for users. Regardless of the userTMs behavior, the timer should start as soon as the user authenticates and expire after the configured value.

Which timeout option should be configured on FortiGate?

Options:

A.

auth-on-demand

B.

soft-timeout

C.

idle-timeout

D.

new-session

E.

hard-timeout

Buy Now
Questions 36

Which two statements describe how the RPF check is used? (Choose two.)

Options:

A.

The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

B.

The RPF check is run on the first sent and reply packet of any new session.

C.

The RPF check is run on the first sent packet of any new session.

D.

The RPF check is run on the first reply packet of any new session.

Buy Now
Questions 37

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

Options:

A.

The collector agent uses a Windows API to query DCs for user logins.

B.

NetAPI polling can increase bandwidth usage in large networks.

C.

The collector agent must search security event logs.

D.

The NetSession Enum function is used to track user logouts.

Buy Now
Questions 38

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

Options:

A.

The firewall policy performs the full content inspection on the file.

B.

The flow-based inspection is used, which resets the last packet to the user.

C.

The volume of traffic being inspected is too high for this model of FortiGate.

D.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Buy Now
Questions 39

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

Options:

A.

VLAN interface

B.

Software Switch interface

C.

Aggregate interface

D.

Redundant interface

Buy Now
Questions 40

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

* All traffic must be routed through the primary tunnel when both tunnels are up

* The secondary tunnel must be used only if the primary tunnel goes down

* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

Options:

A.

Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

B.

Enable Dead Peer Detection.

C.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

D.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Buy Now
Questions 41

30

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Options:

A.

Implement a web filter category override for the specified website

B.

Implement a DNS filter for the specified website.

C.

Implement web filter quotas for the specified website

D.

Implement web filter authentication for the specified website.

Buy Now
Questions 42

Options:

A.

Log downloads from the GUI are limited to the current filter view B. Log backups from the CLI cannot be restored to another FortiGate. C. Log backups from the CLI can be configured to upload to FTP as a scheduled time D. Log downloads from the GUI are stored as LZ4 compressed files.

Buy Now
Questions 43

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

Options:

A.

The website is exempted from SSL inspection.

B.

The EICAR test file exceeds the protocol options oversize limit.

C.

The selected SSL inspection profile has certificate inspection enabled.

D.

The browser does not trust the FortiGate self-signed CA certificate.

Buy Now
Questions 44

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

Options:

A.

NGFW policy-based mode does not require the use of central source NAT policy

B.

NGFW policy-based mode can only be applied globally and not on individual VDOMs

C.

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

D.

NGFW policy-based mode policies support only flow inspection

Buy Now
Questions 45

Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.

What will happen to endpoint active ZTNA sessions?

Options:

A.

They will be re-evaluated to match the endpoint policy.

B.

They will be re-evaluated to match the firewall policy.

C.

They will be re-evaluated to match the ZTNA policy.

D.

They will be re-evaluated to match the security policy.

Buy Now
Questions 46

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

Options:

A.

www.example.com:443

B.

www.example.com

C.

example.com

D.

www.example.com/index.html

Buy Now
Questions 47

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

Options:

A.

idle-timeout

B.

login-timeout

C.

udp-idle-timer

D.

session-ttl

Buy Now
Questions 48

The IPS engine is used by which three security features? (Choose three.)

Options:

A.

Antivirus in flow-based inspection

B.

Web filter in flow-based inspection

C.

Application control

D.

DNS filter

E.

Web application firewall

Buy Now
Questions 49

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.

The port3 default route has the lowest metric.

B.

The port1 and port2 default routes are active in the routing table.

C.

The ports default route has the highest distance.

D.

There will be eight routes active in the routing table.

Buy Now
Questions 50

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

Options:

A.

VDOMs without ports with connected devices are not displayed in the topology.

B.

Downstream devices can connect to the upstream device from any of their VDOMs.

C.

Security rating reports can be run individually for each configured VDOM.

D.

Each VDOM in the environment can be part of a different Security Fabric.

Buy Now
Questions 51

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

Options:

A.

FortiGuard web filter cache

B.

FortiGate hostname

C.

NTP

D.

DNS

Buy Now

NSE4 |

Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 - FortiOS 7.2
Last Update: Dec 27, 2024
Questions: 170
NSE4_FGT-7.2 pdf

NSE4_FGT-7.2 PDF

$25.5  $84.99
NSE4_FGT-7.2 Engine

NSE4_FGT-7.2 Testing Engine

$30  $99.99
NSE4_FGT-7.2 PDF + Engine

NSE4_FGT-7.2 PDF + Testing Engine

$40.5  $134.99