NSE4_FGT-7.0 Premium Bundle

Fortinet NSE 4 - FortiOS 7.0 Certification Exam

Last update: November 21, 2024

Fortinet NSE4_FGT-7.0 Free Practice Questions

Online NSE4_FGT-7.0 free questions and answers of New Version:

NEW QUESTION 1

Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

  • A. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • B. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • C. On HQ-FortiGate, disable Diffie-Hellman group 2.
  • D. On Remote-FortiGate, set port2 as Interface.

Answer: AD

NEW QUESTION 2

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

  • A. Antivirus engine
  • B. Intrusion prevention system engine
  • C. Flow engine
  • D. Detection engine

Answer: B

Explanation:
Reference: http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control

NEW QUESTION 3

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

  • A. diagnose sys top
  • B. execute ping
  • C. execute traceroute
  • D. diagnose sniffer packet any
  • E. get system arp

Answer: BCD

NEW QUESTION 4

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?

  • A. The administrator can register the same FortiToken on more than one FortiGate.
  • B. The administrator must use a FortiAuthenticator device.
  • C. The administrator can use a third-party RADIUS OTP server.
  • D. The administrator must use the user self-registration server.

Answer: B

NEW QUESTION 5

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  • A. SSH
  • B. HTTPS
  • C. FTM
  • D. FortiTelemetry

Answer: AB

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

NEW QUESTION 6

Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

  • A. 10.200.1.10
  • B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
  • C. 10.200.1.1
  • D. 10.0.1.254

Answer: A

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall Objects/Virtual IPs.

NEW QUESTION 7

Which statement is true about SSL VPN web mode?

  • A. The tunnel is up while the client is connected.
  • B. It supports a limited number of protocols.
  • C. The external network application sends data through the VPN.
  • D. It assigns a virtual IP address to the client.

Answer: B

Explanation:
FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.

NEW QUESTION 8

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be added to the Destination field of a firewall policy?
A User or User Group

  • A. IP address
  • B. No other object can be added
  • C. FQDN address

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy

NEW QUESTION 9

Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

  • A. hard-timeout
  • B. auth-on-demand
  • C. soft-timeout
  • D. new-session
  • E. idle-timeout

Answer: ADE

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

NEW QUESTION 10

Which two types of traffic are managed only by the management VDOM? (Choose two.)

  • A. FortiGuard web filter queries
  • B. PKI
  • C. Traffic shaping
  • D. DNS

Answer: AD

NEW QUESTION 11

Refer to the exhibit.
According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?

  • A. A user
  • B. A root CA
  • C. A bridge CA
  • D. A subordinate

Answer: A

NEW QUESTION 12

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

  • A. Proxy-based inspection
  • B. Certificate inspection
  • C. Flow-based inspection
  • D. Full Content inspection

Answer: AC

NEW QUESTION 13

Refer to the exhibit, which contains a RADIUS server configuration.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using the Include in every user group option in a RADIUS configuration?

  • A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
  • B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
  • C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
  • D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

Answer: A

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/634373/authentication-servers

NEW QUESTION 14

Refer to the exhibit showing a debug flow output.
Which two statements about the debug flow output are correct? (Choose two.)

  • A. The debug flow is of ICMP traffic.
  • B. A firewall policy allowed the connection.
  • C. A new traffic session is created.
  • D. The default route is required to receive a reply.

Answer: AC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow

NEW QUESTION 15

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

  • A. System time
  • B. FortiGuard update servers
  • C. Operating mode
  • D. NGFW mode

Answer: CD

Explanation:
C: "Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate."
D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide

NEW QUESTION 16

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

  • A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
  • B. Create a new service object for HTTP service and set the session TTL to never.
  • C. Set the TTL value to never under config system-ttl.
  • D. Set the session TTL on the HTTP policy to maximum.

Answer: BC
