Fortinet NSE 4 - FortiOS 6.4 v1.0 (NSE4-FGT-6.4)

Page:    1 / 8   
Total 127 questions

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

  • A. FortiGuard update servers
  • B. System time
  • C. Operating mode
  • D. NGFW mode


Answer : BD

An administrator does not want to report the logon events of service accounts to FortiGate.
What setting on the collector agent is required to achieve this?

  • A. Add the support of NTLM authentication
  • B. Add user accounts to the FortiGate group filter
  • C. Add user accounts to Active Directory (AD)
  • D. Add user accounts to the Ignore User List


Answer : D

Refer to the exhibit.


The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.
Which two statements are true? (Choose two.)

  • A. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  • B. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  • C. A static route is required on the To-Internet VDOM to allow LAN users to access the Internet.
  • D. Inter-VDOM links are not required between the Root and To-Internet VDOMs because the Root VDOM is used only as a management VDOM.


Answer : AD

Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

  • A. To generate logs
  • B. To finish any inspection operations
  • C. To remove the NAT operation
  • D. To allow for out-of-order packets that could arrive after the FIN/ACK packets


Answer : D

Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Exhibit A.


Exhibit B.

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?

  • A. Add Facebook in the URL category in the security policy
  • B. Force access to Facebook using the HTTP service
  • C. Additional application signatures are required to add to the security policy
  • D. The SSL inspection needs to be a deep content inspection


Answer : D

Which two statements are correct about a software switch on FortiGate? (Choose two.)

  • A. It can be configured only when FortiGate is operating in NAT mode
  • B. Can act as a Layer 2 switch as well as a Layer 3 router
  • C. All interfaces in the software switch share the same IP address
  • D. It can group only physical interfaces


Answer : AC

Refer to the exhibit.


The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?

  • A. Enable restrict access to trusted hosts
  • B. Change password
  • C. Enable two-factor authentication
  • D. Change Administrator profile


Answer : C

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

  • A. NGFW policy-based mode does not require the use of central source NAT policy
  • B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
  • C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
  • D. NGFW policy-based mode policies support only flow inspection


Answer : CD

Refer to the exhibit showing a debug flow output.


Which two statements about the debug flow output are correct? (Choose two.)

  • A. The debug flow is of ICMP traffic
  • B. The default route is required to receive a reply
  • C. A firewall policy allowed the connection
  • D. A new traffic session is created


Answer : AC

Refer to the exhibit, which contains a radius server configuration.


An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?

  • A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
  • B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
  • C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
  • D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.


Answer : A

Which of statement is true about SSL VPN web mode?

  • A. The external network application sends data through the VPN
  • B. It assigns a virtual IP address to the client
  • C. It supports a limited number of protocols
  • D. The tunnel is up while the client is connected


Answer : A

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

  • A. Antivirus engine
  • B. Intrusion prevention system engine
  • C. Flow engine
  • D. Detection engine


Answer : B

An administrator has configured the following settings:


What are the two results of this configuration? (Choose two.)

  • A. Device detection on all interfaces is enforced for 30 minutes
  • B. Denied users are blocked for 30 minutes
  • C. A session for denied traffic is created
  • D. The number of logs generated by denied traffic is reduced


Answer : CD

Refer to the exhibit.


An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

  • A. Interface name
  • B. Ethernet header
  • C. IP header
  • D. Application header
  • E. Packet payload


Answer : BCE

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Static IP Address
  • B. Dialup User
  • C. Dynamic DNS
  • D. Pre-shared Key


Answer : C

Page:    1 / 8   
Total 127 questions