NSE4_FGT-7.2 Questions and Answers

Question # 6

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A. FortiCache

B. FortiSIEM

C. FortiAnalyzer

D. FortiSandbox

E. FortiCloud

Question # 7

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

A. IP address

B. No other object can be added

C. FQDN address

D. User or User Group

Question # 8

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

A. On HQ-FortiGate, set IKE mode to Main (ID protection).

B. On both FortiGate devices, set Dead Peer Detection to On Demand.

C. On HQ-FortiGate, disable Diffie-Hellman group 2.

D. On Remote-FortiGate, set port2 as Interface.

Question # 9

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

A. The interface has been configured for one-arm sniffer.

B. The interface is a member of a virtual wire pair.

C. The operation mode is transparent.

D. The interface is a member of a zone.

E. Captive portal is enabled in the interface.

Question # 10

Refer to the exhibit.

The exhibit shows the output of a diagnose command.

What does the output reveal about the policy route?

A. It is an ISDB route in policy route.

B. It is a regular policy route.

C. It is an ISDB policy route with an SDWAN rule.

D. It is an SDWAN rule in policy route.

Question # 11

Which statement about the IP authentication header (AH) used by IPsec is true?

A. AH does not provide any data integrity or encryption.

B. AH does not support perfect forward secrecy.

C. AH provides data integrity but no encryption.

D. AH provides strong data integrity but weak encryption.

Question # 12

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

A. Set the maximum session TTL value for the TELNET service object.

B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C. Create a new service object for TELNET and set the maximum session TTL.

D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Question # 13

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

Which CLI command must the administrator use to view the route?

A. get router info routing-table database

B. diagnose firewall route list

C. get internet-service route list

D. get router info routing-table all

Question # 14

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The administrator disabled the WebServer firewall policy.

Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

A. 10.200.1.10

B. 10.0.1.254

C. 10.200.1.1

D. 10.200.3.1

Question # 15

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

A. VDOMs without ports with connected devices are not displayed in the topology.

B. Downstream devices can connect to the upstream device from any of their VDOMs.

C. Security rating reports can be run individually for each configured VDOM.

D. Each VDOM in the environment can be part of a different Security Fabric.

Question # 16

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

A. FortiManager

B. Root FortiGate

C. FortiAnalyzer

D. Downstream FortiGate

Question # 17

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

B. The sensor will block all attacks aimed at Windows servers.

C. The sensor will reset all connections that match these signatures.

D. The sensor will gather a packet log for all matched traffic.

Question # 18

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A. Web filter in flow-based inspection

B. Antivirus in flow-based inspection

C. DNS filter

D. Web application firewall

E. Application control

Question # 19

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

A. Full Content inspection

B. Proxy-based inspection

C. Certificate inspection

D. Flow-based inspection

Question # 20

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.

B. FortiGate allocates port blocks on a first-come, first-served basis.

C. FortiGate generates a system event log for every port block allocation made per user.

D. FortiGate allocates 128 port blocks per user.

Question # 21

Which two statements are correct about a software switch on FortiGate? (Choose two.)

A. It can be configured only when FortiGate is operating in NAT mode

B. Can act as a Layer 2 switch as well as a Layer 3 router

C. All interfaces in the software switch share the same IP address

D. It can group only physical interfaces

Question # 22

Refer to the exhibit, which contains a network diagram and routing table output.

The Student is unable to access Webserver.

What is the cause of the problem and what is the solution for the problem?

A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Question # 23

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

A. get system status

B. get system performance status

C. diagnose sys top

D. get system arp

Question # 24

In which two ways can RPF checking be disabled? (Choose two.)

A. Enable anti-replay in firewall policy.

B. Disable the RPF check at the FortiGate interface level for the source check.

C. Enable asymmetric routing.

D. Disable strict-src-check under system settings.

Question # 25

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A. The port3 default route has the lowest metric.

B. The port1 and port2 default routes are active in the routing table.

C. The ports default route has the highest distance.

D. There will be eight routes active in the routing table.

Question # 26

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

A. VLAN interface

B. Software Switch interface

C. Aggregate interface

D. Redundant interface

Question # 27

Refer to the exhibit.

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

A. 10.200.1.149

B. 10.200.1.1

C. 10.200.1.49

D. 10.200.1.99

Question # 28

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.

With this configuration, which statement is true?

A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Question # 29

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

A. Heartbeat interfaces have virtual IP addresses that are manually assigned.

B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C. Virtual IP addresses are used to distinguish between cluster members.

D. The primary device in the cluster is always assigned IP address 169.254.0.1.

Question # 30

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

A. The session is a UDP unidirectional state.

B. The session is in TCP ESTABLISHED state.

C. The session is a bidirectional UDP connection.

D. The session is a bidirectional TCP connection.

Question # 31

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

A. System event logs

B. Forward traffic logs

C. Local traffic logs

D. Security logs

Question # 32

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

A. 10.200.1.1

B. 10.200.3.1

C. 10.200.1.100

D. 10.200.1.10

Question # 33

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A. idle-timeout

B. login-timeout

C. udp-idle-timer

D. session-ttl

Question # 34

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

A. Subject Key Identifier value

B. SMIME Capabilities value

C. Subject value

D. Subject Alternative Name value

Question # 35

An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.

Which timeout option should be configured on FortiGate?

A. auth-on-demand

B. soft-timeout

C. idle-timeout

D. new-session

E. hard-timeout

Question # 36

Which statement is correct regarding the use of application control for inspecting web applications?

A. Application control can identify child and parent applications, and perform different actions on them.

B. Application control signatures are organized in a nonhierarchical structure.

C. Application control does not require SSL inspection to identify web applications.

D. Application control does not display a replacement message for a blocked web application.

Question # 37

In an explicit proxy setup, where is the authentication method and database configured?

A. Proxy Policy

B. Authentication Rule

C. Firewall Policy

D. Authentication scheme

Question # 38

Which statement is true about SSL VPN web mode?

A. The tunnel is up while the client is connected.

B. It supports a limited number of protocols.

C. The external network application sends data through the VPN.

D. It assigns a virtual IP address to the client.

Question # 39

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

A. Interface name

B. Ethernet header

C. IP header

D. Application header

E. Packet payload

Question # 40

What are two functions of ZTNA? (Choose two.)

A. ZTNA manages access through the client only.

B. ZTNA manages access for remote users only.

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

Question # 41

Which two types of traffic are managed only by the management VDOM? (Choose two.)

A. FortiGuard web filter queries

B. PKI

C. Traffic shaping

D. DNS

Question # 42

Which scanning technique on FortiGate can be enabled only on the CLI?

A. Heuristics scan

B. Trojan scan

C. Antivirus scan

D. Ransomware scan

Question # 43

Which two types of traffic are managed only by the management VDOM? (Choose two.)

A. FortiGuard web filter queries

B. PKI

C. Traffic shaping

D. DNS

Question # 44

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

A. The public key of the web server certificate must be installed on the browser.

B. The web-server certificate must be installed on the browser.

C. The CA certificate that signed the web-server certificate must be installed on the browser.

D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Question # 45

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

A. The debug flow is for ICMP traffic.

B. The default route is required to receive a reply.

C. A new traffic session was created.

D. A firewall policy allowed the connection.

Question # 46

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

A. Destination NAT is disabled in the firewall policy.

B. One-to-one NAT IP pool is used in the firewall policy.

C. Overload NAT IP pool is used in the firewall policy.

D. Port block allocation IP pool is used in the firewall policy.

Question # 47

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

A. It uses UDP 8888.

B. It uses UDP 53.

C. It uses DNS over HTTPS.

D. It uses DNS over TLS.

Question # 48

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

A. DNS

B. ping

C. udp-echo

D. TWAMP

Question # 49

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

A. FortiGate uses the AD server as the collector agent.

B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C. FortiGate does not support workstation check.

D. FortiGate directs the collector agent to use a remote LDAP server.

Question # 50

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

A. 10.200.1.10

B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24

C. 10.200.1.1

D. 10.0.1.254

Question # 51

Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

A. There are five devices that are part of the security fabric.

B. Device detection is disabled on all FortiGate devices.

C. This security fabric topology is a logical topology view.

D. There are 19 security recommendations for the security fabric.
