New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Questions 4

2

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Options:

A.

By default, all interfaces are part of the same broadcast domain.

B.

The existing network IP schema must be changed when installing a transparent mode.

C.

Static routes are required to allow traffic to the next hop.

D.

FortiGate forwards frames without changing the MAC address.

Buy Now
Questions 5

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

Options:

A.

The debug flow is for ICMP traffic.

B.

The default route is required to receive a reply.

C.

Anew traffic session was created.

D.

A firewall policy allowed the connection.

Buy Now
Questions 6

87

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

Options:

A.

Warning

B.

Exempt

C.

Allow

D.

Learn

Buy Now
Questions 7

68

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

Options:

A.

The Services field prevents SNAT and DNAT from being combined in the same policy.

B.

The Services field is used when you need to bundle several VIPs into VIP groups.

C.

The Services field removes the requirement to create multiple VIPs for different services.

D.

The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Buy Now
Questions 8

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, which statement about VLAN IDs is true?

Options:

A.

The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.

B.

The two VLAN subinterfaces must have different VLAN IDs.

C.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

D.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.

Buy Now
Questions 9

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

Options:

A.

System event logs

B.

Forward traffic logs

C.

Local traffic logs

D.

Security logs

Buy Now
Questions 10

30

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Options:

A.

Implement a web filter category override for the specified website

B.

Implement a DNS filter for the specified website.

C.

Implement web filter quotas for the specified website

D.

Implement web filter authentication for the specified website.

Buy Now
Questions 11

Refer to exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

Options:

A.

On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking

B.

On the Static URL Filter configuration, set Type to Simple

C.

On the Static URL Filter configuration, set Action to Exempt.

D.

On the Static URL Filter configuration, set Action to Monitor.

Buy Now
Questions 12

Refer to the exhibit.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

What are two solutions for satisfying the requirement? (Choose two.)

Options:

A.

Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.

B.

Configure a web override rating for download.com and select Malicious Websites as the subcategory.

C.

Set the Freeware and Software Downloads category Action to Warning.

D.

Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

Buy Now
Questions 13

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

Buy Now
Questions 14

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

Options:

A.

The keyUsage extension must be set to keyCertSign.

B.

The common name on the subject field must use a wildcard name.

C.

The issuer must be a public CA.

D.

The CA extension must be set to TRUE.

Buy Now
Questions 15

104

Which three statements are true regarding session-based authentication? (Choose three.)

Options:

A.

HTTP sessions are treated as a single user.

B.

IP sessions from the same source IP address are treated as a single user.

C.

It can differentiate among multiple clients behind the same source IP address.

D.

It requires more resources.

E.

It is not recommended if multiple users are behind the source NAT

Buy Now
Questions 16

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

Options:

A.

Device detection on all interfaces is enforced for 30 minutes.

B.

Denied users are blocked for 30 minutes.

C.

A session for denied traffic is created.

D.

The number of logs generated by denied traffic is reduced.

Buy Now
Questions 17

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

Options:

A.

It uses UDP 8888.

B.

It uses UDP 53.

C.

It uses DNS over HTTPS.

D.

It uses DNS overTLS.

Buy Now
Questions 18

Which statement about video filtering on FortiGate is true?

Options:

A.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

B.

It does not require a separate FortiGuard license.

C.

Full SSL inspection is not required.

D.

its available only on a proxy-based firewall policy.

Buy Now
Questions 19

Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

Options:

A.

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

B.

Apple FaceTime will be allowed, based on the Apple filter configuration.

C.

Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn

D.

Apple FaceTime will be allowed, based on the Categories configuration.

Buy Now
Questions 20

93

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Options:

A.

Heartbeat interfaces have virtual IP addresses that are manually assigned.

B.

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C.

Virtual IP addresses are used to distinguish between cluster members.

D.

The primary device in the cluster is always assigned IP address 169.254.0.1.

Buy Now
Questions 21

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

Options:

A.

On Remote-FortiGate, set Seconds to 43200.

B.

On HQ-FortiGate, set Encryption to AES256.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, enable Auto-negotiate.

Buy Now
Questions 22

Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check . Which interface will be selected as an outgoing interface?

Options:

A.

port2

B.

port4

C.

port3

D.

port1

Buy Now
Questions 23

20

Which two statements are true about the RPF check? (Choose two.)

Options:

A.

The RPF check is run on the first sent packet of any new session.

B.

The RPF check is run on the first reply packet of any new session.

C.

The RPF check is run on the first sent and reply packet of any new session.

D.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Buy Now
Questions 24

40

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

Options:

A.

diagnose wad session list

B.

diagnose wad session list | grep hook-pre&&hook-out

C.

diagnose wad session list | grep hook=pre&&hook=out

D.

diagnose wad session list | grep "hook=pre"&"hook=out"

Buy Now
Questions 25

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

Options:

A.

On HQ-FortiGate, enable Auto-negotiate.

B.

On Remote-FortiGate, set Seconds to 43200.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, set Encryption to AES256.

Buy Now
Questions 26

Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.

What will happen to endpoint active ZTNA sessions?

Options:

A.

They will be re-evaluated to match the endpoint policy.

B.

They will be re-evaluated to match the firewall policy.

C.

They will be re-evaluated to match the ZTNA policy.

D.

They will be re-evaluated to match the security policy.

Buy Now
Questions 27

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

Options:

A.

The collector agent uses a Windows API to query DCs for user logins.

B.

NetAPI polling can increase bandwidth usage in large networks.

C.

The collector agent must search security event logs.

D.

The NetSession Enum function is used to track user logouts.

Buy Now
Questions 28

Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Options:

A.

There are five devices that are part of the security fabric.

B.

Device detection is disabled on all FortiGate devices.

C.

This security fabric topology is a logical topology view.

D.

There are 19 security recommendations for the security fabric.

Questions 29

What are two features of collector agent advanced mode? (Choose two.)

Options:

A.

In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

B.

In advanced mode, security profiles can be applied only to user groups, not individual users.

C.

Advanced mode uses the Windows convention—NetBios: Domain\Username.

D.

Advanced mode supports nested or inherited groups.

Buy Now
Questions 30

58

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

Options:

A.

Interface name

B.

Ethernet header

C.

IP header

D.

Application header

E.

Packet payload

Buy Now
Questions 31

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook .

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Options:

A.

Make SSL inspection needs to be a deep content inspection.

B.

Force access to Facebook using the HTTP service.

C.

Get the additional application signatures are required to add to the security policy.

D.

Add Facebook in the URL category in the security policy.

Buy Now
Questions 32

Which two statements ate true about the Security Fabric rating? (Choose two.)

Options:

A.

It provides executive summaries of the four largest areas of security focus.

B.

Many of the security issues can be fixed immediately by clicking Apply where available.

C.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

D.

The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

Buy Now
Questions 33

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

Options:

A.

The firewall policy performs the full content inspection on the file.

B.

The flow-based inspection is used, which resets the last packet to the user.

C.

The volume of traffic being inspected is too high for this model of FortiGate.

D.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Buy Now
Questions 34

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

Which FortiGate configuration can achieve this goal?

Options:

A.

SSL VPN bookmark

B.

SSL VPN tunnel

C.

Zero trust network access

D.

SSL VPN quick connection

Buy Now
Questions 35

45

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

Options:

A.

diagnose sys top

B.

execute ping

C.

execute traceroute

D.

diagnose sniffer packet any

E.

get system arp

Buy Now
Questions 36

13

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Options:

A.

Proxy-based inspection

B.

Certificate inspection

C.

Flow-based inspection

D.

Full Content inspection

Buy Now
Questions 37

Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

Options:

A.

Change password

B.

Enable restrict access to trusted hosts

C.

Change Administrator profile

D.

Enable two-factor authentication

Buy Now
Questions 38

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10 .0.1.254. /24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0. 1. 10?

Options:

A.

10.200. 1. 1

B.

10.200.3. 1

C.

10.200. 1. 100

D.

10.200. 1. 10

Buy Now
Questions 39

32

When configuring a firewall virtual wire pair policy, which following statement is true?

Options:

A.

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

B.

Only a single virtual wire pair can be included in each policy.

C.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

D.

Exactly two virtual wire pairs need to be included in each policy.

Buy Now
Questions 40

Which two statements explain antivirus scanning modes? (Choose two.)

Options:

A.

In proxy-based inspection mode, files bigger than the buffer size are scanned.

B.

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

C.

In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

D.

In flow-based inspection mode, files bigger than the buffer size are scanned.

Buy Now
Questions 41

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Options:

A.

SSL VPN idle-timeout

B.

SSL VPN http-request-body-timeout

C.

SSL VPN login-timeout

D.

SSL VPN dtls-hello-timeout

Buy Now
Questions 42

Which two statements describe how the RPF check is used? (Choose two.)

Options:

A.

The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

B.

The RPF check is run on the first sent and reply packet of any new session.

C.

The RPF check is run on the first sent packet of any new session.

D.

The RPF check is run on the first reply packet of any new session.

Buy Now
Questions 43

An administrator wants to configure timeouts for users. Regardless of the userTMs behavior, the timer should start as soon as the user authenticates and expire after the configured value.

Which timeout option should be configured on FortiGate?

Options:

A.

auth-on-demand

B.

soft-timeout

C.

idle-timeout

D.

new-session

E.

hard-timeout

Buy Now
Questions 44

18

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

Options:

A.

A CRL

B.

A person

C.

A subordinate CA

D.

A root CA

Buy Now
Questions 45

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

Options:

A.

Disabled

B.

On Demand

C.

Enabled

D.

On Idle

Buy Now
Questions 46

43

Which two statements are correct about SLA targets? (Choose two.)

Options:

A.

You can configure only two SLA targets per one Performance SLA.

B.

SLA targets are optional.

C.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

D.

SLA targets are used only when referenced by an SD-WAN rule.

Buy Now
Questions 47

An administrator configures outgoing interface any in a firewall policy.

What is the result of the policy list view?

Options:

A.

Search option is disabled.

B.

Policy lookup is disabled.

C.

By Sequence view is disabled.

D.

Interface Pair view is disabled.

Buy Now
Questions 48

View the exhibit.

Which of the following statements are correct? (Choose two.)

Options:

A.

This setup requires at least two firewall policies with the action set to IPsec.

B.

Dead peer detection must be disabled to support this type of IPsec setup.

C.

The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

D.

This is a redundant IPsec setup.

Questions 49

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:

A.

FortiGuard web filter queries

B.

PKI

C.

Traffic shaping

D.

DNS

Buy Now
Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 - FortiOS 7.2
Last Update: Dec 22, 2024
Questions: 170

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99