Fortinet Network Security Expert 4 Written Exam - FortiOS 5.4 v8.0 (NSE4-5.4)

Page:    1 / 4   
Total 60 questions

An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)

  • A. The interface has been configured for one-arm sniffer.
  • B. The interface is a member of a virtual wire pair.
  • C. The operation mode is transparent.
  • D. The interface is a member of a zone.
  • E. Captive portal is enabled in the interface.


Answer : B,C,D

Which statement is true regarding the policy ID numbers of firewall policies?

  • A. Change when firewall policies are re-ordered.
  • B. Defined the order in which rules are processed.
  • C. Are required to modify a firewall policy from the CLI.
  • D. Represent the number of objects used in the firewall policy.


Answer : B

What traffic and attacks can be blocked by a web application firewall (WAF) profile?
(Choose three.)

  • A. Traffic to inappropriate web sites
  • B. SQL injection attacks
  • C. Server information disclosure attacks
  • D. Credit card data leaks
  • E. Traffic to botnet command and control (C&C) servers


Answer : B,C,E

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

  • A. The FortiGate unit’s public IP address
  • B. The FortiGate unit’s internal IP address
  • C. The remote user’s virtual IP address
  • D. The remote user’s public IP address


Answer : B

Which statements about application control are true? (Choose two.)

  • A. Enabling application control profile in a security profile enables application control for all the traffic flowing through the FortiGate.
  • B. It cannot take an action on unknown applications.
  • C. It can inspect encrypted traffic.
  • D. It can identify traffic from known applications, even when they are using non-standard TCP/UDP ports.


Answer : A,D

Which statements about One-to-One IP pool are true? (Choose two.)

  • A. It allows configuration of ARP replies.
  • B. It allows fixed mapping of an internal address range to an external address range.
  • C. It is used for destination NAT.
  • D. It does not use port address translation.


Answer : B,C

View the exhibit.


This is a sniffer output of a telnet connection request from 172.20.120.186 to the port1 interface of FGT1.

In this scenario. FGT1 has the following routing table:

Assuming telnet service is enabled for port1, which of the following statements correctly describes why FGT1 is not responding?

  • A. The port1 cable is disconnected.
  • B. The connection is dropped due to reverse path forwarding check.
  • C. The connection is denied due to forward policy check.
  • D. FGT1’s port1 interface is administratively down.


Answer : B

Which of the following statements about advanced AD access mode for FSSO collector agent are true? (Choose two.)

  • A. It is only supported if DC agents are deployed.
  • B. FortiGate can act as an LDAP client configure the group filters.
  • C. It supports monitoring of nested groups.
  • D. It uses the Windows convention for naming, that is, Domain\Username.


Answer : B,D

View the exhibit.


A user behind the FortiGate is trying to go to http://www.addictinggames.com
(Addicting.Games). Based on this configuration, which statement is true?

  • A. Addicting.Games is allowed based on the Application Overrides configuration.
  • B. Addicting.Games is blocked based on the Filter Overrides configuration.
  • C. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt.
  • D. Addicting.Games is allowed based on the Categories configuration.


Answer : D

Which of the following statements about NTLM authentication are correct? (Choose two.)

  • A. It is useful when users log in to DCs that are not monitored by a collector agent.
  • B. It takes over as the primary authentication method when configured alongside FSSO.
  • C. Multi-domain environments require DC agents on every domain controller.
  • D. NTLM-enabled web browsers are required.


Answer : A,C

Which statement about the FortiGuard services for the FortiGate is true?

  • A. Antivirus signatures are downloaded locally on the FortiGate.
  • B. FortiGate downloads IPS updates using UDP port 53 or 8888.
  • C. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates.
  • D. The web filtering database is downloaded locally on the FortiGate.


Answer : C

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

  • A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
  • B. ADVPN is only supported with IKEv2.
  • C. Tunnels are negotiated dynamically between spokes.
  • D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.


Answer : A,C

View the exhibit.



Which of the following statements are correct? (Choose two.)

  • A. This is a redundant IPsec setup.
  • B. The TunnelB route is the primary one for searching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
  • C. This setup requires at least two firewall policies with action set to IPsec.
  • D. Dead peer detection must be disabled to support this type of IPsec setup.


Answer : A,B

An administrator has configured two VLAN interfaces:


A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the
VLAN5 interface. However, the DHCP client cannot get a dynamic IP address from the
DHCP server. What is the cause of the problem?

  • A. Both interfaces must be in different VDOMs
  • B. Both interfaces must have the same VLAN ID.
  • C. The role of the VLAN10 interface must be set to server.
  • D. Both interfaces must belong to the same forward domain.


Answer : B

How does FortiGate verify the login credentials of a remote LDAP user?

  • A. FortiGate sends the user entered credentials to the LDAP server for authentication.
  • B. FortiGate re-generates the algorithm based on the login credentials and compares it against the algorithm stored on the LDAP server.
  • C. FortiGate queries its own database for credentials.
  • D. FortiGate queries the LDAP server for credentials.


Answer : D

Page:    1 / 4   
Total 60 questions