NSE4 Exam PDF

Recommend!! Get the Full NSE4_FGT-7.0 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/NSE4_FGT-7.0-exam-dumps.html (172 New Questions)

Fortinet

Exam Questions NSE4_FGT-7.0

Fortinet NSE 4 - FortiOS 7.0

Passing Certification Exams Made Easy visit - https://www.surepassexam.com


NEW Q1 - (Exam Topic 1)
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).
Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

A. The firewall policy performs the full content inspection on the file.
B. The flow-based inspection is used, which resets the last packet to the user.
C. The volume of traffic being inspected is too high for this model of FortiGate.
D. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Answer: B

Explanation:
- "ONLY" if the virus is detected at the "START" of the connection, the IPS engine sends the block replacement message immediately.
- When a virus is detected on a TCP session (FIRST TIME), but where "SOME PACKETS" have already been forwarded to the receiver, FortiGate "resets the connection" and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore can't be opened. The IPS engine also caches the URL of the infected file, so that if a "SECOND ATTEMPT" to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
In flow mode, FortiGate drops the last packet, killing the file. Because of that, the block replacement message cannot be displayed. If the file is downloaded again, the block message will be shown.


NEW Q2 - (Exam Topic 1)
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

A. auth-on-demand
B. soft-timeout
C. idle-timeout
D. new-session
E. hard-timeout

Answer: E

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221#:~:text=Hard%20timeout%3A%20User%20

NEW Q3 - (Exam Topic 1)
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A. FortiCache
B. FortiSIEM
C. FortiAnalyzer
D. FortiSandbox
E. FortiCloud

Answer: BCE


Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-and-reporting-overview

NEW Q4 - (Exam Topic 1)
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

A. System time
B. FortiGuard update servers
C. Operating mode
D. NGFW mode

Answer: CD

Explanation:
C: "Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate."
D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-based (Default) to Policy-based directly in System > Settings from the VDOM" (Page 125 of FortiGate_Infrastructure_6.4_Study_Guide).

NEW Q5 - (Exam Topic 1)
Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

A. FortiGate uses the AD server as the collector agent.
B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
C. FortiGate does not support workstation check.
D. FortiGate directs the collector agent to use a remote LDAP server.

Answer: BD

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

NEW Q6 - (Exam Topic 1)
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

A. FortiGuard web filter cache
B. FortiGate hostname
C. NTP
D. DNS

Answer: CD

NEW Q7 - (Exam Topic 1)
Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A. The port3 default route has the highest distance.
B. The port3 default route has the lowest metric.
C. There will be eight routes active in the routing table.
D. The port1 and port2 default routes are active in the routing table.

Answer: AD

NEW Q8 - (Exam Topic 1)
Which two statements about antivirus scanning mode are true? (Choose two.)

A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
D. In flow-based inspection mode, files bigger than the buffer size are scanned.

Answer: BC

Explanation:
An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That
is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able
to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this
threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No.
Regardless of vendor or model, you must make a choice. This is because of the difference between
scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to
detect 100% of malware regardless of file size, a firewall would need infinitely large RAM--something that
no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can
see that with the default 10 MB threshold, only 0.01% of viruses pass through.


NEW Q9 - (Exam Topic 1)
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

A. The strict RPF check is run on the first sent and reply packet of any new session.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D. Strict RPF allows packets back to sources with all active routes.

Answer: B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

NEW Q10 - (Exam Topic 1)
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

A. The keyUsage extension must be set to keyCertSign.
B. The common name on the subject field must use a wildcard name.
C. The issuer must be a public CA.
D. The CA extension must be set to TRUE.

Answer: AD

Explanation:
Reference: https://www.reddit.com/r/fortinet/comments/c7j6jg/recommended_ssl_cert/

NEW Q11 - (Exam Topic 1)
Which three statements about a flow-based antivirus profile are correct? (Choose three.)

A. IPS engine handles the process as a standalone.
B. FortiGate buffers the whole file but transmits to the client simultaneously.
C. If the virus is detected, the last packet is delivered to the client.
D. Optimized performance compared to proxy-based inspection.
E. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

Answer: BDE

Explanation:
Reference: https://forum.fortinet.com/tm.aspx?m=192309


NEW Q12 - (Exam Topic 1)
Refer to the exhibits.
The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

A. Change the SSL VPN port on the client.
B. Change the Server IP address.
C. Change the idle-timeout.
D. Change the SSL VPN portal to the tunnel.

Answer: A

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/150494

NEW Q13 - (Exam Topic 1)
Which two statements are true about the FGCP protocol? (Choose two.)

A. Not used when FortiGate is in Transparent mode
B. Elects the primary FortiGate device
C. Runs only over the heartbeat links
D. Is used to discover FortiGate devices in different HA groups

Answer: BC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/564712/fgcp-fortigate-clustering-protocol


NEW Q14 - (Exam Topic 1)
Which two statements are correct about SLA targets? (Choose two.)

A. You can configure only two SLA targets per one Performance SLA.
B. SLA targets are optional.
C. SLA targets are required for SD-WAN rules with a Best Quality strategy.
D. SLA targets are used only when referenced by an SD-WAN rule.

Answer: BD

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/382233/performance-sla-sla-targets

NEW Q15 - (Exam Topic 1)
How does FortiGate act when using SSL VPN in web mode?

A. FortiGate acts as an FDS server.
B. FortiGate acts as an HTTP reverse proxy.
C. FortiGate acts as DNS server.
D. FortiGate acts as router.

Answer: B

Explanation:
Reference: https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/Fortigate_v4.0MR3/fortigate-sslvpn-40-mr3.pdf


NEW Q16 - (Exam Topic 1)
Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?

A. The SSL inspection needs to be a deep content inspection.
B. Force access to Facebook using the HTTP service.
C. Additional application signatures are required to add to the security policy.
D. Add Facebook in the URL category in the security policy.

Answer: A

Explanation:
The lock logo behind Facebook_like.Button indicates that SSL Deep Inspection is Required.

NEW Q17 - (Exam Topic 1)
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

A. set fortiguard-anycast disable
B. set webfilter-force-off disable
C. set webfilter-cache disable
D. set protocol tcp

Answer: A

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48294


NEW Q18 - (Exam Topic 1)
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets.
C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Answer: CD

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/266506/ssl-vpn-with-certificate-authentication

NEW Q19 - (Exam Topic 1)
Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.) The override setting is enabled for the FortiGate with SN FGVM100000064692.

A. FortiGate SN FGVM010000065036 HA uptime has been reset.
B. FortiGate devices are not in sync because one device is down.
C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
D. FortiGate SN FGVM010000064692 has the higher HA priority.

Answer: AD

Explanation:
* 1. Override is disabled by default - OK
* 2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA uptime of the other FortiGate devices, it becomes the primary." The question here is: is the HA uptime of FGVM01000006492 more than 5 minutes? NO - 198 seconds < 300 seconds (5 minutes). Page 314, Infrastructure Study Guide. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab

NEW Q20 - (Exam Topic 1)
Refer to the exhibit.
Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

A. Traffic between port2 and port2-vlan1 is allowed by default.
B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
C. port1 is a native VLAN.
D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Answer: CD

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883


NEW Q21 - (Exam Topic 2)
View the exhibit:
Which the FortiGate handle web proxy traffic rue? (Choose two.)

A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
B. port-VLAN1 is the native VLAN for the port1 physical interface.
C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

Answer: AC

NEW Q22 - (Exam Topic 2)
Which two statements are true when FortiGate is in transparent mode? (Choose two.)

A. By default, all interfaces are part of the same broadcast domain.
B. The existing network IP schema must be changed when installing a transparent mode.
C. Static routes are required to allow traffic to the next hop.
D. FortiGate forwards frames without changing the MAC address.

Answer: AD

Explanation:
Reference: https://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113

NEW Q23 - (Exam Topic 2)
Refer to the exhibit.
In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

A. Run a sniffer on the web server.
B. Capture the traffic using an external sniffer connected to port1.
C. Execute another sniffer in the FortiGate, this time with the filter "host 10.0.1.10"
D. Execute a debug flow.

Answer: D

NEW Q24 - (Exam Topic 2)
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

A. 192.168.3.0/24
B. 192.168.2.0/24
C. 192.168.1.0/24
D. 192.168.0.0/8

Answer: B


NEW Q25 - (Exam Topic 2)
Refer to the FortiGuard connection debug output.
Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

A. A local FortiManager is one of the servers FortiGate communicates with.
B. One server was contacted to retrieve the contract information.
C. There is at least one server that lost packets consecutively.
D. FortiGate is using default FortiGuard communication settings.

Answer: BD

NEW Q26 - (Exam Topic 2)
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A. To detect intermediary NAT devices in the tunnel path.
B. To dynamically change phase 1 negotiation mode to aggressive mode.
C. To encapsulate ESP packets in UDP packets using port 4500.
D. To force a new DH exchange with each phase 2 rekey.

Answer: AC

NEW Q27 - (Exam Topic 2)
Refer to the exhibit, which contains a network diagram and routing table output. The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Answer: D

NEW Q28 - (Exam Topic 2)
You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk.
What is the default behavior when the local disk is full?

A. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
B. No new log is recorded until you manually clear logs from the local disk.
C. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
D. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

Answer: C

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/462620/log-disk-setting


NEW Q29 - (Exam Topic 2)
View the exhibit.
A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

A. Addicting.Games is allowed based on the Application Overrides configuration.
B. Addicting.Games is blocked on the Filter Overrides configuration.
C. Addicting.Games can be allowed only if the Filter Overrides action is set to Exempt.
D. Addicting.Games is allowed based on the Categories configuration.

Answer: A

NEW Q30 - (Exam Topic 2)
In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

A. The IP version of the sources and destinations in a firewall policy must be different.
B. The Incoming Interface,
C. Outgoing Interface,
D. Schedule, and Service fields can be shared with both IPv4 and IPv6.
E. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
F. The IP version of the sources and destinations in a policy must match.
G. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Answer: BDE

NEW Q31 - (Exam Topic 2)
Which two statements are true about the RPF check? (Choose two.)

A. The RPF check is run on the first sent packet of any new session.
B. The RPF check is run on the first reply packet of any new session.
C. The RPF check is run on the first sent and reply packet of any new session.
D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Answer: AD

Explanation:
Reference: https://www.programmersought.com/article/16383871634/

NEW Q32 - (Exam Topic 2)
When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

A. Log ID
B. Universally Unique Identifier
C. Policy ID
D. Sequence ID

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewall-policies


NEW Q33 - (Exam Topic 2)
An administrator is running the following sniffer command:

Which three pieces of information will be included in the sniffer output? (Choose three.)

A. Interface name
B. Packet payload
C. Ethernet header
D. IP header
E. Application header

Answer: ABD

NEW Q34 - (Exam Topic 2)
To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

A. FortiManager
B. Root FortiGate
C. FortiAnalyzer
D. Downstream FortiGate

Answer: B

NEW Q35 - (Exam Topic 2)
Which feature in the Security Fabric takes one or more actions based on event triggers?

A. Fabric Connectors
B. Automation Stitches
C. Security Rating
D. Logical Topology

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/286973/fortinet-security-fabric


NEW Q36 - (Exam Topic 2)
Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?

A. The session is a UDP unidirectional state.
B. The session is in TCP ESTABLISHED state.
C. The session is a bidirectional UDP connection.
D. The session is a bidirectional TCP connection.

Answer: C

NEW Q37 - (Exam Topic 2)
Which two statements are true about collector agent standard access mode? (Choose two.)

A. Standard mode uses Windows convention - NetBIOS: Domain\Username.
B. Standard mode security profiles apply to organizational units (OU).
C. Standard mode security profiles apply to user groups.
D. Standard access mode supports nested groups.

Answer: AC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso

NEW Q38 - (Exam Topic 2)
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out"

Answer: A

NEW Q39 - (Exam Topic 2)
View the exhibit.

Which of the following statements are correct? (Choose two.)

A. This setup requires at least two firewall policies with the action set to IPsec.
B. Dead peer detection must be disabled to support this type of IPsec setup.
C. The TunnelB route is the primary route for reaching the remote site.
D. The TunnelA route is used only if the TunnelB VPN is down.
E. This is a redundant IPsec setup.

Answer: CD


NEW Q40 - (Exam Topic 2)
Which two types of traffic are managed only by the management VDOM? (Choose two.)

A. FortiGuard web filter queries
B. PKI
C. Traffic shaping
D. DNS

Answer: AD

NEW Q41 - (Exam Topic 2)
Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)

A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Answer: AC

NEW Q42 - (Exam Topic 2)
Which of the following statements about central NAT are true? (Choose two.)

A. IP pool references must be removed from existing firewall policies before enabling central NAT.
B. Central NAT can be enabled or disabled from the CLI only.
C. Source NAT, using central NAT, requires at least one central SNAT policy.
D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Answer: AB

NEW Q43 - (Exam Topic 2)
Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

A. It always authorizes the traffic without requiring authentication.
B. It drops the traffic.
C. It authenticates the traffic using the authentication scheme SCHEME2.
D. It authenticates the traffic using the authentication scheme SCHEME1.

Answer: D

Explanation:
"What happens to traffic that requires authorization, but does not match any authentication rule? The
active and passive SSO schemes to use for those cases is defined under config authentication setting"

NEW Q44 - (Exam Topic 2)
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

A. The public key of the web server certificate must be installed on the browser.
B. The web-server certificate must be installed on the browser.
C. The CA certificate that signed the web-server certificate must be installed on the browser.
D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Answer: C

NEW Q45 - (Exam Topic 2)
Refer to the exhibit, which contains a Performance SLA configuration.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

A. Participants configured are not SD-WAN members.
B. There may not be a static route to route the performance SLA traffic.
C. The Ping protocol is not supported for the public servers that are configured.
D. You need to turn on the Enable probe packets switch.

Answer: D

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/478384/performance-sla-linkmonitoring

NEW Q46 - (Exam Topic 2)
Refer to the exhibit.
Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

A. Custom permission for Network
B. Read/Write permission for Log & Report
C. CLI diagnostics commands permission
D. Read/Write permission for Firewall

Answer: C

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50220


NEW Q47 - (Exam Topic 2)
Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A. Web filter in flow-based inspection
B. Antivirus in flow-based inspection
C. DNS filter
D. Web application firewall
E. Application control

Answer: ABE

NEW Q48 - (Exam Topic 2)
Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A. Source defined as Internet Services in the firewall policy.
B. Destination defined as Internet Services in the firewall policy.
C. Highest to lowest priority defined in the firewall policy.
D. Services defined in the firewall policy.
E. Lowest to highest policy ID number.

Answer: ABD

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47435

NEW Q49 - (Exam Topic 2)
If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

A. The Services field prevents SNAT and DNAT from being combined in the same policy.
B. The Services field is used when you need to bundle several VIPs into VIP groups.
C. The Services field removes the requirement to create multiple VIPs for different services.
D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Answer: C

NEW Q50 - (Exam Topic 2)
Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

A. Fabric Coverage
B. Automated Response
C. Security Posture
D. Optimization

Answer: C

Explanation:
Reference: https://www.fortinet.com/content/dam/fortinet/assets/support/fortinet-recommended-security-bestpractices.pdf

NEW Q51 - (Exam Topic 2)
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

A. The browser requires a software update.
B. FortiGate does not support full SSL inspection when web filtering is enabled.
C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
D. There are network connectivity issues.

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41394


NEW Q52 - (Exam Topic 2)
Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

A. This is known as many-to-one NAT.
B. Source IP is translated to the outgoing interface IP.
C. Connections are tracked using source port and source MAC address.
D. Port address translation is not used.

Answer: BD

NEW Q53 - (Exam Topic 2)
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

A. IP address
B. Once Internet Service is selected, no other object can be added
C. User or User Group
D. FQDN address

Answer: B

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy

NEW
Q54
- (Exam Topic 2)
Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
C. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1.
D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Answer: D

NEW
Q55
- (Exam Topic 2)
Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled
on all FortiGate devices?

A. Root VDOM
B. FG-traffic VDOM
C. Customer VDOM
D. Global VDOM
Answer: A

NEW
Q56
- (Exam Topic 2)
Which two statements are true about collector agent advanced mode? (Choose two.)

A. Advanced mode uses Windows convention--NetBios: Domain\Username.
B. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
C. Advanced mode supports nested or inherited groups.
D. Security profiles can be applied only to user groups, not individual users.

Answer: BC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso

NEW
Q57
- (Exam Topic 2)
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.
When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

A. SMTP.Login.Brute.Force
B. IMAP.Login.brute.Force
C. ip_src_session
D. Location: server Protocol: SMTP
Answer: B

NEW
Q58
- (Exam Topic 2)
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is
still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

A. The IPS filter is missing the Protocol: HTTPS option.
B. The HTTPS signatures have not been added to the sensor.
C. A DoS policy should be used, instead of an IPS sensor.
D. A DoS policy should be used, instead of an IPS sensor.
E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW
Q59
- (Exam Topic 2)
Which of the following are valid actions for a FortiGuard category based filter in a web filter profile in
proxy-based inspection mode? (Choose two.)

A. Warning
B. Exempt
C. Allow
D. Learn
Answer: AC

NEW
Q60
- (Exam Topic 2)
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which
statement about this IPsec VPN configuration is true?

A. A phase 2 configuration is not required.
B. This VPN cannot be used as part of a hub-and-spoke topology.
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
D. The IPsec firewall policies must be placed at the top of the list.

Answer: C

Explanation:
In a route-based configuration, FortiGate automatically adds a virtual interface with the VPN name
(Infrastructure Study Guide, 206).

NEW
Q61
- (Exam Topic 2)
Which two statements are true about the Security Fabric rating? (Choose two.)

A. It provides executive summaries of the four largest areas of security focus.
B. Many of the security issues can be fixed immediately by clicking Apply where available.
C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
D. The Security Fabric rating is a free service that comes bundled with all FortiGate devices.

Answer: BC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/292634/security-rating

NEW
Q62
- (Exam Topic 2)
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

A. It limits the scope of application control to the browser-based technology category only.
B. It limits the scope of application control to scan application traffic based on application category only.
C. It limits the scope of application control to scan application traffic using parent signatures only.
D. It limits the scope of application control to scan application traffic on DNS protocol only.

Answer: B

NEW
Q63
- (Exam Topic 2)
Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

A. hard-timeout
B. auth-on-demand
C. soft-timeout
D. new-session
E. Idle-timeout
Answer: ADE

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

NEW
Q64
- (Exam Topic 2)
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

A. It limits the scanning of application traffic to the DNS protocol only.
B. It limits the scanning of application traffic to use parent signatures only.
C. It limits the scanning of application traffic to the browser-based technology category only.
D. It limits the scanning of application traffic to the application category only.

Answer: C

NEW
Q65
- (Exam Topic 2)
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

A. The next-hop IP address is unreachable.
B. It failed the RPF check.
C. It matched an explicitly configured firewall policy with the action DENY.
D. It matched the default implicit firewall policy.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900

NEW
Q66
- (Exam Topic 2)
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
B. An SA never expires.
C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
D. Phase 2 SA expiration can be time-based, volume-based, or both.
E. Both the phase 1 SA and phase 2 SA are bidirectional.
Answer: ACD

NEW
Q67
- (Exam Topic 2)
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

A. The firmware image must be manually uploaded to each FortiGate.
B. Only secondary FortiGate devices are rebooted.
C. Uninterruptable upgrade is enabled by default.
D. Traffic load balancing is temporarily disabled while upgrading the firmware.

Answer: CD

NEW
Q68
- (Exam Topic 2)
Refer to the exhibit to view the application control profile.
Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which
statement is true?

A. Apple FaceTime belongs to the custom monitored filter.
B. The category of Apple FaceTime is being monitored.
C. Apple FaceTime belongs to the custom blocked filter.
D. The category of Apple FaceTime is being blocked.

Answer: C

NEW
Q69
- (Exam Topic 2)
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

A. Shut down/reboot a downstream FortiGate device.
B. Disable FortiAnalyzer logging for a downstream FortiGate device.
C. Log in to a downstream FortiSwitch device.
D. Ban or unban compromised hosts.

Answer: AB

NEW
Q70
- (Exam Topic 2)
Examine the following web filtering log.

Which statement about the log message is true?

A. The action for the category Games is set to block.
B. The usage quota for the IP address 10.0.1.10 has expired.
C. The name of the applied web filter profile is default.
D. The web site miniclip.com matches a static URL filter whose action is set to Warning.

Answer: C

NEW
Q71
- (Exam Topic 2)
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides
(client and server) have terminated the session?

A. To remove the NAT operation.
B. To generate logs.
C. To finish any inspection operations.
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Answer: D

NEW
Q72
- (Exam Topic 2)
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP request?

A. The remote user's public IP address.
B. The public IP address of the FortiGate device.
C. The remote user's virtual IP address.
D. The internal IP address of the FortiGate device.

Answer: D

Explanation:
The source IP seen by the remote resources is FortiGate's internal IP address, not the user's IP address.
