Fortinet NSE 4 - FortiOS 7.2 v1.0 (NSE4_FGT-7.2)

Total 104 questions

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address
The LAN (port3) interface has the IP address

If the host sends a TCP SYN packet on port 10443 to, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  • A.,, and 443, respectively
  • B.,, and 443, respectively
  • C.,, and 443, respectively
  • D.,, and 10443, respectively

Answer : C

Which three methods are used by the collector agent for AD polling? (Choose three.)

  • A. FortiGate polling
  • C. WMI
  • D. NetAPI
  • E. WinSecLog

Answer : CDE

What are two functions of the ZTNA rule? (Choose two.)

  • A. It redirects the client request to the access proxy.
  • B. It applies security profiles to protect traffic.
  • C. It defines the access proxy.
  • D. It enforces access control.

Answer : BC

Which two statements describe how the RPF check is used? (Choose two.)

  • A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
  • B. The RPF check is run on the first sent and reply packet of any new session.
  • C. The RPF check is run on the first sent packet of any new session.
  • D. The RPF check is run on the first reply packet of any new session.

Answer : AC

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

  • A. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • B. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • C. On HQ-FortiGate, disable Diffie-Hellman group 2.
  • D. On Remote-FortiGate, set port2 as Interface.

Answer : BD

An administrator needs to increase network bandwidth and provide redundancy.

Which interface type must the administrator select to bind multiple FortiGate interfaces?

  • A. Redundant interface
  • B. Software switch interface
  • C. VLAN interface
  • D. Aggregate interface

Answer : D

FortiGate is integrated with FortiAnalyzer and FortiManager.

When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

  • A. Policy ID
  • B. Log ID
  • C. Sequence ID
  • D. Universally Unique Identifier

Answer : D

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

Which CLI command must the administrator use to view the route?

  • A. get router info routing-table database
  • B. diagnose firewall route list
  • C. get internet-service route list
  • D. get router info routing-table all

Answer : B

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

Which FortiGate configuration can achieve this goal?

  • A. SSL VPN bookmark
  • B. SSL VPN tunnel
  • C. Zero trust network access
  • D. SSL VPN quick connection

Answer : B

The IPS engine is used by which three security features? (Choose three.)

  • A. Antivirus in flow-based inspection
  • B. Web filter in flow-based inspection
  • C. Application control
  • D. DNS filter
  • E. Web application firewall

Answer : ABC

You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

  • A. No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%.
  • B. No new log is recorded until you manually clear logs from the local disk.
  • C. Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.
  • D. Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%.

Answer : C

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

  • A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
  • B. Extended authentication (XAuth) to request the remote peer to provide a username and password
  • C. No certificate is required on the remote peer when you set the certificate signature as the authentication method
  • D. Pre-shared key and certificate signature as authentication methods

Answer : BD

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

  • A. IP address
  • B. No other object can be added
  • C. FQDN address
  • D. User or User Group

Answer : B

Which statement is correct regarding the security fabric?

  • A. FortiManager is one of the required member devices.
  • B. FortiGate devices must be operating in NAT mode.
  • C. A minimum of two Fortinet devices is required.
  • D. FortiGate Cloud cannot be used for logging purposes.

Answer : C

Refer to the exhibit showing a FortiGuard connection debug output.

Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)

  • A. One server was contacted to retrieve the contract information.
  • B. There is at least one server that lost packets consecutively.
  • C. A local FortiManager is one of the servers FortiGate communicates with.
  • D. FortiGate is using default FortiGuard communication settings.

Answer : AD
