NSE4_FGT-7.0 | The Secret Of Fortinet NSE4_FGT-7.0 Free Practice Exam

NEW QUESTION 1

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

• A. To remove the NAT operation.
• B. To generate logs
• C. To finish any inspection operations.
• D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Answer: D

NEW QUESTION 2

Refer to the exhibit.



The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

• A. Disable match-vip in the Deny policy.
• B. Set the Destination address as Deny_IP in the Allow-access policy.
• C. Enable match vip in the Deny policy.
• D. Set the Destination address as Web_server in the Deny policy.

Answer: CD

NEW QUESTION 3

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

• A. Warning
• B. Exempt
• C. Allow
• D. Learn

Answer: AC

NEW QUESTION 4

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

• A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
• B. Enable Dead Peer Detection.
• C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
• D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Answer: BC

Explanation:
B - because the customer requires the tunnels to notify when a tunnel goes down. DPD is designed for that purpose. To send a packet over a firewall to determine a failover for the next tunnel after a specific amount of time of not receiving a response from its peer.
C - remember when it comes to choosing a route with regards to Administrative Distance. The route with the lowest distance for that particular route will be chosen. So, by configuring a lower routing distance on the primary tunnel, means that the primary tunnel will be chosen to route packets towards their destination.

NEW QUESTION 5

Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.)

• A. Source IP
• B. Spillover
• C. Volume
• D. Session

Answer: CD

Explanation:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing

NEW QUESTION 6

Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

• A. A local FortiManager is one of the servers FortiGate communicates with.
• B. One server was contacted to retrieve the contract information.
• C. There is at least one server that lost packets consecutively.
• D. FortiGate is using default FortiGuard communication settings.

Answer: BD

NEW QUESTION 7

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

• A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
• B. An SA never expires.
• C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
• D. Phase 2 SA expiration can be time-based, volume-based, or both.
• E. Both the phase 1 SA and phase 2 SA are bidirectional.

Answer: ACD

NEW QUESTION 8

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser
does not report errors.
What is the reason for the certificate warning errors?

• A. The browser requires a software update.
• B. FortiGate does not support full SSL inspection when web filtering is enabled.
• C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
• D. There are network connectivity issues.

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41394

NEW QUESTION 9

Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

• A. It always authorizes the traffic without requiring authentication.
• B. It drops the traffic.
• C. It authenticates the traffic using the authentication scheme SCHEME2.
• D. It authenticates the traffic using the authentication scheme SCHEME1.

Answer: D

Explanation:
“What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”

NEW QUESTION 10

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

• A. Policy lookup will be disabled.
• B. By Sequence view will be disabled.
• C. Search option will be disabled
• D. Interface Pair view will be disabled.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47821

NEW QUESTION 11

Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

• A. Set the maximum session TTL value for the TELNET service object.
• B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
• C. Create a new service object for TELNET and set the maximum session TTL.
• D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Answer: CD

NEW QUESTION 12

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

• A. Source defined as Internet Services in the firewall policy.
• B. Destination defined as Internet Services in the firewall policy.
• C. Highest to lowest priority defined in the firewall policy.
• D. Services defined in the firewall policy.
• E. Lowest to highest policy ID number.

Answer: ABD

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47435

NEW QUESTION 13

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

• A. System time
• B. FortiGuaid update servers
• C. Operating mode
• D. NGFW mode

Answer: CD

Explanation:
C: "Operating mode is per-VDOM setting. You can combine transparent mode VDOM's with NAT mode VDOMs on the same physical Fortigate.
D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide

NEW QUESTION 14

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

• A. FortiManager
• B. Root FortiGate
• C. FortiAnalyzer
• D. Downstream FortiGate

Answer: B

NEW QUESTION 15

View the exhibit.

Which of the following statements are correct? (Choose two.)

• A. This setup requires at least two firewall policies with the action set to IPsec.
• B. Dead peer detection must be disabled to support this type of IPsec setup.
• C. The TunnelB route is the primary route for reaching the remote sit
• D. The TunnelA route is used only if the TunnelB VPN is down.
• E. This is a redundant IPsec setup.

Answer: CD

NEW QUESTION 16

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)

• A. Antivirus scanning
• B. File filter
• C. DNS filter
• D. Intrusion prevention

Answer: AD

NEW QUESTION 17

Refer to the exhibit.


The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?

• A. ‘host 192.168.0.2 and port 8080’
• B. ‘host 10.0.0.50 and port 80’
• C. ‘host 192.168.0.1 and port 80’
• D. ‘host 10.0.0.50 and port 8080’

Answer: A

NEW QUESTION 18

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

• A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
• B. The sensor will block all attacks aimed at Windows servers.
• C. The sensor will reset all connections that match these signatures.
• D. The sensor will gather a packet log for all matched traffic.

Answer: AB

NEW QUESTION 19
......