Black Friday Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Fortinet NSE 4 - FortiOS 7.2 Question and Answers

Fortinet NSE 4 - FortiOS 7.2

Last Update Dec 2, 2024
Total Questions : 170

We are offering FREE NSE4_FGT-7.2 Fortinet exam questions. All you do is to just go and sign up. Give your details, prepare NSE4_FGT-7.2 free exam questions and then go for complete pool of Fortinet NSE 4 - FortiOS 7.2 test questions that will help you more.

NSE4_FGT-7.2 pdf

NSE4_FGT-7.2 PDF

$36.75  $104.99
NSE4_FGT-7.2 Engine

NSE4_FGT-7.2 Testing Engine

$43.75  $124.99
NSE4_FGT-7.2 PDF + Engine

NSE4_FGT-7.2 PDF + Testing Engine

$57.75  $164.99
Questions 1

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

Options:

A.  

www.example.com:443

B.  

www.example.com

C.  

example.com

D.  

www.example.com/index.html

Discussion 0
Questions 2

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Options:

A.  

Antivirus engine

B.  

Intrusion prevention system engine

C.  

Flow engine

D.  

Detection engine

Discussion 0
Questions 3

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

Options:

A.  

Disabled

B.  

On Demand

C.  

Enabled

D.  

On Idle

Discussion 0
Questions 4

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

Options:

A.  

The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

B.  

The sensor will block all attacks aimed at Windows servers.

C.  

The sensor will reset all connections that match these signatures.

D.  

The sensor will gather a packet log for all matched traffic.

Discussion 0
Questions 5

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.  

The port3 default route has the lowest metric.

B.  

The port1 and port2 default routes are active in the routing table.

C.  

The ports default route has the highest distance.

D.  

There will be eight routes active in the routing table.

Discussion 0
Questions 6

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Options:

A.  

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B.  

The traffic sourced from the client and destined to the server is sent to FGT-1.

C.  

The cluster can load balance ICMP connections to the secondary.

D.  

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Discussion 0
Questions 7

6

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

Options:

A.  

FortiCache

B.  

FortiSIEM

C.  

FortiAnalyzer

D.  

FortiSandbox

E.  

FortiCloud

Discussion 0
Questions 8

55

In which two ways can RPF checking be disabled? (Choose two )

Options:

A.  

Enable anti-replay in firewall policy.

B.  

Disable the RPF check at the FortiGate interface level for the source check

C.  

Enable asymmetric routing.

D.  

Disable strict-arc-check under system settings.

Discussion 0
Questions 9

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

Options:

A.  

The session is a UDP unidirectional state.

B.  

The session is in TCP ESTABLISHED state.

C.  

The session is a bidirectional UDP connection.

D.  

The session is a bidirectional TCP connection.

Discussion 0
Questions 10

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10 .0.1.254. /24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0. 1. 10?

Options:

A.  

10.200. 1. 1

B.  

10.200.3. 1

C.  

10.200. 1. 100

D.  

10.200. 1. 10

Discussion 0
Questions 11

An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192. 16. 1.0/24 and the remote quick mode selector is 192. 16.2.0/24. How must the administrator configure the local quick mode selector for site B?

Options:

A.  

192. 168.3.0/24

B.  

192. 168.2.0/24

C.  

192. 168. 1.0/24

D.  

192. 168.0.0/8

Discussion 0
Questions 12

Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

Options:

A.  

Traffic is blocked because Action is set to DENY in the firewall policy.

B.  

Traffic belongs to the root VDOM.

C.  

This is a security log.

D.  

Log severity is set to error on FortiGate.

Discussion 0
Questions 13

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

Options:

A.  

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

B.  

The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C.  

The two VLAN subinterfaces must have different VLAN IDs.

D.  

The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

Discussion 0
Questions 14

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

Options:

A.  

On HQ-FortiGate, set IKE mode to Main (ID protection).

B.  

On both FortiGate devices, set Dead Peer Detection to On Demand.

C.  

On HQ-FortiGate, disable Diffie-Helman group 2.

D.  

On Remote-FortiGate, set port2 as Interface.

Discussion 0
Questions 15

Which scanning technique on FortiGate can be enabled only on the CLI?

Options:

A.  

Heuristics scan

B.  

Trojan scan

C.  

Antivirus scan

D.  

Ransomware scan

Discussion 0
Questions 16

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

Options:

A.  

System event logs

B.  

Forward traffic logs

C.  

Local traffic logs

D.  

Security logs

Discussion 0
Questions 17

53

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

Options:

A.  

The public key of the web server certificate must be installed on the browser.

B.  

The web-server certificate must be installed on the browser.

C.  

The CA certificate that signed the web-server certificate must be installed on the browser.

D.  

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Discussion 0
Questions 18

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem .

With this configuration, which statement is true?

Options:

A.  

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

B.  

A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

C.  

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

D.  

Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Discussion 0
Questions 19

Refer to the exhibit.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

What are two solutions for satisfying the requirement? (Choose two.)

Options:

A.  

Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.

B.  

Configure a web override rating for download.com and select Malicious Websites as the subcategory.

C.  

Set the Freeware and Software Downloads category Action to Warning.

D.  

Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

Discussion 0
Questions 20

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The administrator disabled the WebServer firewall policy.

Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

Options:

A.  

10.200.1.10

B.  

10.0.1.254

C.  

10.200.1.1

D.  

10.200.3.1

Discussion 0
Questions 21

82

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Options:

A.  

Set the maximum session TTL value for the TELNET service object.

B.  

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C.  

Create a new service object for TELNET and set the maximum session TTL.

D.  

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Discussion 0
Questions 22

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Options:

A.  

SSL VPN idle-timeout

B.  

SSL VPN http-request-body-timeout

C.  

SSL VPN login-timeout

D.  

SSL VPN dtls-hello-timeout

Discussion 0
Questions 23

View the exhibit.

Which of the following statements are correct? (Choose two.)

Options:

A.  

This setup requires at least two firewall policies with the action set to IPsec.

B.  

Dead peer detection must be disabled to support this type of IPsec setup.

C.  

The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

D.  

This is a redundant IPsec setup.

Discussion 0
Questions 24

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

Options:

A.  

FortiGuard web filter cache

B.  

FortiGate hostname

C.  

NTP

D.  

DNS

Discussion 0
Questions 25

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

Options:

A.  

idle-timeout

B.  

login-timeout

C.  

udp-idle-timer

D.  

session-ttl

Discussion 0
Questions 26

Which three statements explain a flow-based antivirus profile? (Choose three.)

Options:

A.  

Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B.  

If a virus is detected, the last packet is delivered to the client.

C.  

The IPS engine handles the process as a standalone.

D.  

FortiGate buffers the whole file but transmits to the client at the same time.

E.  

Flow-based inspection optimizes performance compared to proxy-based inspection.

Discussion 0
Questions 27

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

Options:

A.  

Change the csf setting on ISFW (downstream) to set configuration-sync local.

B.  

Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

C.  

Change the csf setting on both devices to set downstream-access enable.

D.  

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Discussion 0
Questions 28

Which statement correctly describes the use of reliable logging on FortiGate?

Options:

A.  

Reliable logging is enabled by default in all configuration scenarios.

B.  

Reliable logging is required to encrypt the transmission of logs.

C.  

Reliable logging can be configured only using the CLI.

D.  

Reliable logging prevents the loss of logs when the local disk is full.

Discussion 0
Questions 29

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Options:

A.  

Add the support of NTLM authentication.

B.  

Add user accounts to Active Directory (AD).

C.  

Add user accounts to the FortiGate group fitter.

D.  

Add user accounts to the Ignore User List.

Discussion 0
Questions 30

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24. The LAN (port2) interface has the IP address 10.0. 1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0. 1. 10/24?

Options:

A.  

10.200. 1. 10

B.  

Any available IP address in the WAN (port1) subnet 10.200. 1.0/24

66 of 108

C.  

10.200. 1. 1

D.  

10.0. 1.254

Discussion 0
Questions 31

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

Options:

A.  

SSH

B.  

HTTPS

C.  

FTM

D.  

FortiTelemetry

Discussion 0
Questions 32

Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

Options:

A.  

It always authorizes the traffic without requiring authentication.

B.  

It drops the traffic.

C.  

It authenticates the traffic using the authentication scheme SCHEME2.

D.  

It authenticates the traffic using the authentication scheme SCHEME1.

Discussion 0
Questions 33

An administrator is running the following sniffer command:

Which three pieces of Information will be Included in me sniffer output? {Choose three.)

Options:

A.  

Interface name

B.  

Packet payload

C.  

Ethernet header

D.  

IP header

E.  

Application header

Discussion 0
Questions 34

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Options:

A.  

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.  

ADVPN is only supported with IKEv2.

C.  

Tunnels are negotiated dynamically between spokes.

D.  

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Discussion 0
Questions 35

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

Options:

A.  

FortiGate points the collector agent to use a remote LDAP server.

B.  

FortiGate uses the AD server as the collector agent.

C.  

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

D.  

FortiGate queries AD by using the LDAP to retrieve user group information.

Discussion 0
Questions 36

94

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

Options:

A.  

The interface has been configured for one-arm sniffer.

B.  

The interface is a member of a virtual wire pair.

C.  

The operation mode is transparent.

D.  

The interface is a member of a zone.

E.  

Captive portal is enabled in the interface.

Discussion 0
Questions 37

93

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Options:

A.  

Heartbeat interfaces have virtual IP addresses that are manually assigned.

B.  

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C.  

Virtual IP addresses are used to distinguish between cluster members.

D.  

The primary device in the cluster is always assigned IP address 169.254.0.1.

Discussion 0
Questions 38

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:

A.  

FortiGuard web filter queries

B.  

PKI

C.  

Traffic shaping

D.  

DNS

Discussion 0
Questions 39

An administrator wants to simplify remote access without asking users to provide user credentials.

Which access control method provides this solution?

Options:

A.  

ZTNA IP/MAC filtering mode

B.  

ZTNA access proxy

C.  

SSL VPN

D.  

L2TP

Discussion 0
Questions 40

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

Options:

A.  

VDOMs without ports with connected devices are not displayed in the topology.

B.  

Downstream devices can connect to the upstream device from any of their VDOMs.

C.  

Security rating reports can be run individually for each configured VDOM.

D.  

Each VDOM in the environment can be part of a different Security Fabric.

Discussion 0
Questions 41

Refer to the exhibit.

Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

Options:

A.  

Traffic between port2 and port2-vlan1 is allowed by default.

B.  

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

C.  

port1 is a native VLAN.

D.  

port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Discussion 0
Questions 42

68

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

Options:

A.  

The Services field prevents SNAT and DNAT from being combined in the same policy.

B.  

The Services field is used when you need to bundle several VIPs into VIP groups.

C.  

The Services field removes the requirement to create multiple VIPs for different services.

D.  

The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Discussion 0
Questions 43

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Options:

A.  

It limits the scope of application control to the browser-based technology category only.

B.  

It limits the scope of application control to scan application traffic based on application category only.

C.  

It limits the scope of application control to scan application traffic using parent signatures only

D.  

It limits the scope of application control to scan application traffic on DNS protocol only.

Discussion 0
Questions 44

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook .

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Options:

A.  

Make SSL inspection needs to be a deep content inspection.

B.  

Force access to Facebook using the HTTP service.

C.  

Get the additional application signatures are required to add to the security policy.

D.  

Add Facebook in the URL category in the security policy.

Discussion 0
Questions 45

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

Options:

A.  

Policy lookup will be disabled.

B.  

By Sequence view will be disabled.

C.  

Search option will be disabled

D.  

Interface Pair view will be disabled.

Discussion 0
Questions 46

Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

Options:

A.  

Policy with ID 4.

B.  

Policy with ID 5.

C.  

Policies with ID 2 and 3.

D.  

Policy with ID 4.

Discussion 0
Questions 47

Which of the following SD-WAN load balancing method use interface weight value to distribute traffic? (Choose two.)

Options:

A.  

Source IP

B.  

Spillover

C.  

Volume

D.  

Session

Discussion 0
Questions 48

Refer to the exhibits.

Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

Options:

A.  

Apple FaceTime will be allowed, based on the Categories configuration.

B.  

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

C.  

Apple FaceTime will be allowed, based on the Apple filter configuration.

D.  

Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

Discussion 0
Questions 49

17

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

Options:

A.  

The Detection Mode setting is not set to Passive.

B.  

Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

C.  

The configured participants are not SD-WAN members.

D.  

The Enable probe packets setting is not enabled.

Discussion 0
Questions 50

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

Options:

A.  

FortiGate uses the AD server as the collector agent.

B.  

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

C.  

FortiGate does not support workstation check .

D.  

FortiGate directs the collector agent to use a remote LDAP server.

Discussion 0
Questions 51

Which statement about video filtering on FortiGate is true?

Options:

A.  

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

B.  

It does not require a separate FortiGuard license.

C.  

Full SSL inspection is not required.

D.  

its available only on a proxy-based firewall policy.

Discussion 0