CertsTopics Logo

Labour Day Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Fortinet NSE4_FGT-7.2 Dumps

Page: 1 / 12
Total 170 questions
Get NSE4_FGT-7.2 Full Access Download NSE4_FGT-7.2 PDF

Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Question 1

Which three statements explain a flow-based antivirus profile? (Choose three.)

Options:

A.

Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B.

If a virus is detected, the last packet is delivered to the client.

C.

The IPS engine handles the process as a standalone.

D.

FortiGate buffers the whole file but transmits to the client at the same time.

E.

Flow-based inspection optimizes performance compared to proxy-based inspection.

Question 2

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.

The port3 default route has the lowest metric.

B.

The port1 and port2 default routes are active in the routing table.

C.

The ports default route has the highest distance.

D.

There will be eight routes active in the routing table.

Question 3

113

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Options:

A.

Full Content inspection

B.

Proxy-based inspection

C.

Certificate inspection

D.

Flow-based inspection

Question 4

An administrator wants to simplify remote access without asking users to provide user credentials.

Which access control method provides this solution?

Options:

A.

ZTNA IP/MAC filtering mode

B.

ZTNA access proxy

C.

SSL VPN

D.

L2TP

Question 5

An administrator is running the following sniffer command:

Which three pieces of Information will be Included in me sniffer output? {Choose three.)

Options:

A.

Interface name

B.

Packet payload

C.

Ethernet header

D.

IP header

E.

Application header

Question 6

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

Options:

A.

Source defined as Internet Services in the firewall policy.

B.

Destination defined as Internet Services in the firewall policy.

C.

Highest to lowest priority defined in the firewall policy.

D.

Services defined in the firewall policy.

E.

Lowest to highest policy ID number.

Question 7

51

Which of the following statements about central NAT are true? (Choose two.)

Options:

A.

IP tool references must be removed from existing firewall policies before enabling central NAT .

B.

Central NAT can be enabled or disabled from the CLI only.

C.

Source NAT, using central NAT, requires at least one central SNAT policy.

D.

Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Question 8

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Options:

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question 9

40

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

Options:

A.

diagnose wad session list

B.

diagnose wad session list | grep hook-pre&&hook-out

C.

diagnose wad session list | grep hook=pre&&hook=out

D.

diagnose wad session list | grep "hook=pre"&"hook=out"

Question 10

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

Options:

A.

SSH

B.

HTTPS

C.

FTM

D.

FortiTelemetry

Question 11

24

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on

which device?

Options:

A.

FortiManager

B.

Root FortiGate

C.

FortiAnalyzer

D.

Downstream FortiGate

Question 12

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

Options:

A.

On Remote-FortiGate, set Seconds to 43200.

B.

On HQ-FortiGate, set Encryption to AES256.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, enable Auto-negotiate.

Question 13

55

In which two ways can RPF checking be disabled? (Choose two )

Options:

A.

Enable anti-replay in firewall policy.

B.

Disable the RPF check at the FortiGate interface level for the source check

C.

Enable asymmetric routing.

D.

Disable strict-arc-check under system settings.

Question 14

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Options:

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question 15

Refer to the exhibit.

The exhibit shows the output of a diagnose command.

What does the output reveal about the policy route?

Options:

A.

It is an ISDB route in policy route.

B.

It is a regular policy route.

C.

It is an ISDB policy route with an SDWAN rule.

D.

It is an SDWAN rule in policy route.

Question 16

68

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

Options:

A.

The Services field prevents SNAT and DNAT from being combined in the same policy.

B.

The Services field is used when you need to bundle several VIPs into VIP groups.

C.

The Services field removes the requirement to create multiple VIPs for different services.

D.

The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Question 17

Refer to exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

Options:

A.

On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking

B.

On the Static URL Filter configuration, set Type to Simple

C.

On the Static URL Filter configuration, set Action to Exempt.

D.

On the Static URL Filter configuration, set Action to Monitor.

Question 18

56

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

Options:

A.

DNS

B.

ping

C.

udp-echo

D.

TWAMP

Question 19

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

Options:

A.

The firmware image must be manually uploaded to each FortiGate.

B.

Only secondary FortiGate devices are rebooted.

C.

Uninterruptable upgrade is enabled by default.

D.

Traffic load balancing is temporally disabled while upgrading the firmware.

Question 20

Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

Options:

A.

Policy with ID 4.

B.

Policy with ID 5.

C.

Policies with ID 2 and 3.

D.

Policy with ID 4.

Question 21

46

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:

A.

FortiGuard web filter queries

B.

PKI

C.

Traffic shaping

D.

DNS

Question 22

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

Options:

A.

Change the csf setting on ISFW (downstream) to set configuration-sync local.

B.

Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

C.

Change the csf setting on both devices to set downstream-access enable.

D.

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Question 23

58

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

Options:

A.

Interface name

B.

Ethernet header

C.

IP header

D.

Application header

E.

Packet payload

Question 24

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

Options:

A.

Configure a loopback interface with address 203.0.113.2/32.

B.

In the VIP configuration, enable arp-reply.

C.

Enable port forwarding on the server to map the external service port to the internal service port.

D.

In the firewall policy configuration, enable match-vip.

Question 25

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

Options:

A.

FortiGate uses fewer resources.

B.

FortiGate performs a more exhaustive inspection on traffic.

C.

FortiGate adds less latency to traffic.

D.

FortiGate allocates two sessions per connection.

Question 26

Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Options:

A.

Destination NAT is disabled in the firewall policy.

B.

One-to-one NAT IP pool is used in the firewall policy.

C.

Overload NAT IP pool is used in the firewall policy.

D.

Port block allocation IP pool is used in the firewall policy.

Question 27

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

Options:

A.

The session is a UDP unidirectional state.

B.

The session is in TCP ESTABLISHED state.

C.

The session is a bidirectional UDP connection.

D.

The session is a bidirectional TCP connection.

Question 28

Which two statements explain antivirus scanning modes? (Choose two.)

Options:

A.

In proxy-based inspection mode, files bigger than the buffer size are scanned.

B.

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

C.

In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

D.

In flow-based inspection mode, files bigger than the buffer size are scanned.

Question 29

109

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides

(client and server) have terminated the session?

Options:

A.

To remove the NAT operation.

B.

To generate logs

C.

To finish any inspection operations.

D.

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Question 30

20

Which two statements are true about the RPF check? (Choose two.)

Options:

A.

The RPF check is run on the first sent packet of any new session.

B.

The RPF check is run on the first reply packet of any new session.

C.

The RPF check is run on the first sent and reply packet of any new session.

D.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Question 31

Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.

Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

Options:

A.

The IPS engine was inspecting high volume of traffic.

B.

The IPS engine was unable to prevent an intrusion attack .

C.

The IPS engine was blocking all traffic.

D.

The IPS engine will continue to run in a normal state.

Question 32

Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

Options:

A.

Administrators can access FortiGate only through the console port.

B.

FortiGate has entered conserve mode.

C.

FortiGate will start sending all files to FortiSandbox for inspection.

D.

Administrators cannot change the configuration.

Question 33

Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check . Which interface will be selected as an outgoing interface?

Options:

A.

port2

B.

port4

C.

port3

D.

port1

Question 34

82

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Options:

A.

Set the maximum session TTL value for the TELNET service object.

B.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C.

Create a new service object for TELNET and set the maximum session TTL.

D.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Question 35

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

Options:

A.

FortiGate points the collector agent to use a remote LDAP server.

B.

FortiGate uses the AD server as the collector agent.

C.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

D.

FortiGate queries AD by using the LDAP to retrieve user group information.

Question 36

View the exhibit.

Which of the following statements are correct? (Choose two.)

Options:

A.

This setup requires at least two firewall policies with the action set to IPsec.

B.

Dead peer detection must be disabled to support this type of IPsec setup.

C.

The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

D.

This is a redundant IPsec setup.

Question 37

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

Options:

A.

On HQ-FortiGate, enable Auto-negotiate.

B.

On Remote-FortiGate, set Seconds to 43200.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, set Encryption to AES256.

Question 38

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook .

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Options:

A.

Make SSL inspection needs to be a deep content inspection.

B.

Force access to Facebook using the HTTP service.

C.

Get the additional application signatures are required to add to the security policy.

D.

Add Facebook in the URL category in the security policy.

Question 39

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

Options:

A.

FortiGuard web filter cache

B.

FortiGate hostname

C.

NTP

D.

DNS

Question 40

Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.

What will happen to endpoint active ZTNA sessions?

Options:

A.

They will be re-evaluated to match the endpoint policy.

B.

They will be re-evaluated to match the firewall policy.

C.

They will be re-evaluated to match the ZTNA policy.

D.

They will be re-evaluated to match the security policy.

Question 41

34

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

Options:

A.

DNS-based web filter and proxy-based web filter

B.

Static URL filter, FortiGuard category filter, and advanced filters

C.

Static domain filter, SSL inspection filter, and external connectors filters

D.

FortiGuard category filter and rating filter

Question 42

Which statement describes a characteristic of automation stitches?

Options:

A.

They can have one or more triggers.

B.

They can be run only on devices in the Security Fabric.

C.

They can run multiple actions simultaneously.

D.

They can be created on any device in the fabric.

Question 43

43

Which two statements are correct about SLA targets? (Choose two.)

Options:

A.

You can configure only two SLA targets per one Performance SLA.

B.

SLA targets are optional.

C.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

D.

SLA targets are used only when referenced by an SD-WAN rule.

Question 44

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

Options:

A.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

B.

The client FortiGate requires a manually added route to remote subnets.

C.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D.

The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Question 45

Refer to the exhibits.

The exhibits show a network diagram and firewall configurations.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Options:

A.

Disable match-vip in the Deny policy.

B.

Set the Destination address as Deny_IP in the Allow-access policy.

C.

Enable match vip in the Deny policy.

D.

Set the Destination address as Web_server in the Deny policy.

Question 46

84

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Options:

A.

Subject Key Identifier value

B.

SMMIE Capabilities value

C.

Subject value

D.

Subject Alternative Name value

Question 47

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

Options:

A.

FortiGate uses the AD server as the collector agent.

B.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C.

FortiGate does not support workstation check .

D.

FortiGate directs the collector agent to use a remote LDAP server.

Question 48

17

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

Options:

A.

The IP version of the sources and destinations in a firewall policy must be different.

B.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

C.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

D.

The IP version of the sources and destinations in a policy must match.

E.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Question 49

Which scanning technique on FortiGate can be enabled only on the CLI?

Options:

A.

Heuristics scan

B.

Trojan scan

C.

Antivirus scan

D.

Ransomware scan

Page: 1 / 12
Total 170 questions
Get NSE4_FGT-7.2 Full Access Download NSE4_FGT-7.2 PDF