NSE4_FGT-7.0 Premium Bundle

Fortinet NSE 4 - FortiOS 7.0 Certification Exam

172 Questions (Practice Tests)
172 PDF (Print version)
Last update: November 21, 2024

Fortinet NSE4_FGT-7.0 Free Practice Questions

Also have NSE4_FGT-7.0 free dumps questions for you:

NEW QUESTION 1

Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

  • A. On HQ-FortiGate, enable Auto-negotiate.
  • B. On Remote-FortiGate, set Seconds to 43200.
  • C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
  • D. On HQ-FortiGate, set Encryption to AES256.

Answer: D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495
The encryption and authentication algorithms need to match for the IPsec tunnel to be successfully established.

NEW QUESTION 2

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  • A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • B. FortiGate automatically negotiates a new security association after the existing security association expires.
  • C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=12069

NEW QUESTION 3

An administrator wants to configure Dead Peer Detection (DPD) on an IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

  • A. Disabled
  • B. On Demand
  • C. Enabled
  • D. On Idle

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD40813

NEW QUESTION 4

You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk.
What is the default behavior when the local disk is full?

  • A. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
  • B. No new log is recorded until you manually clear logs from the local disk.
  • C. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
  • D. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

Answer: C

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/462620/log-disk-setting

NEW QUESTION 5

Examine the two static routes shown in the exhibit, then answer the following question.
NSE4_FGT-7.0 dumps exhibit
Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

  • A. FortiGate will load balance all traffic across both routes.
  • B. FortiGate will use the port1 route as the primary candidate.
  • C. FortiGate will route twice as much traffic to the port2 route.
  • D. FortiGate will only activate the port1 route in the routing table.

Answer: B

Explanation:
“If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.”

NEW QUESTION 6

Refer to the exhibit, which contains a session diagnostic output.
NSE4_FGT-7.0 dumps exhibit
Which statement is true about the session diagnostic output?

  • A. The session is a UDP unidirectional state.
  • B. The session is in TCP ESTABLISHED state.
  • C. The session is a bidirectional UDP connection.
  • D. The session is a bidirectional TCP connection.

Answer: C

NEW QUESTION 7

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Static IP Address
  • B. Dialup User
  • C. Dynamic DNS
  • D. Pre-shared Key

Answer: B

Explanation:
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client, and this is often the case for branch offices and mobile VPN clients that use a dynamic IP address and no dynamic DNS.

NEW QUESTION 8

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

  • A. set fortiguard-anycast disable
  • B. set webfilter-force-off disable
  • C. set webfilter-cache disable
  • D. set protocol tcp

Answer: A

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48294

NEW QUESTION 9

Refer to the exhibit, which contains a network diagram and routing table output.
NSE4_FGT-7.0 dumps exhibit
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

  • A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
  • D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Answer: D

NEW QUESTION 10

Refer to the exhibit, which contains a session list output.
NSE4_FGT-7.0 dumps exhibit
Based on the information shown in the exhibit, which statement is true?

  • A. Destination NAT is disabled in the firewall policy.
  • B. One-to-one NAT IP pool is used in the firewall policy.
  • C. Overload NAT IP pool is used in the firewall policy.
  • D. Port block allocation IP pool is used in the firewall policy.

Answer: B

Explanation:
FortiGate_Security_6.4, page 155. In one-to-one, PAT is not required.

NEW QUESTION 11

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

  • A. Traffic to botnet servers
  • B. Traffic to inappropriate web sites
  • C. Server information disclosure attacks
  • D. Credit card data leaks
  • E. SQL injection attacks

Answer: CDE

NEW QUESTION 12

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

  • A. Add the support of NTLM authentication.
  • B. Add user accounts to Active Directory (AD).
  • C. Add user accounts to the FortiGate group fitter.
  • D. Add user accounts to the Ignore User List.

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828

NEW QUESTION 13

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

  • A. NGFW policy-based mode does not require the use of central source NAT policy.
  • B. NGFW policy-based mode can only be applied globally and not on individual VDOMs.
  • C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.
  • D. NGFW policy-based mode policies support only flow inspection.

Answer: CD

NEW QUESTION 14

Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit
The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies. The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.1.1.10 to the destination http://www.fortinet.com? (Choose two.)

  • A. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.
  • B. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.
  • C. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.
  • D. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

Answer: BD

NEW QUESTION 15

Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.
NSE4_FGT-7.0 dumps exhibit
When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

  • A. SMTP.Login.Brute.Force
  • B. IMAP.Login.brute.Force
  • C. ip_src_session
  • D. Location: server Protocol: SMTP

Answer: B

NEW QUESTION 16

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

  • A. Log downloads from the GUI are limited to the current filter view.
  • B. Log backups from the CLI cannot be restored to another FortiGate.
  • C. Log backups from the CLI can be configured to upload to FTP at a scheduled time.
  • D. Log downloads from the GUI are stored as LZ4 compressed files.

Answer: AB
