Fortinet NSE4_FGT-7.0 Free Practice Questions

NEW QUESTION 1

Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

• A. Custom permission for Network
• B. Read/Write permission for Log & Report
• C. CLI diagnostics commands permission
• D. Read/Write permission for Firewall

Answer: C

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50220

NEW QUESTION 2

Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

• A. The IPS filter is missing the Protocol: HTTPS option.
• B. The HTTPS signatures have not been added to the sensor.
• C. A DoS policy should be used, instead of an IPS sensor.
• D. A DoS policy should be used, instead of an IPS sensor.
• E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW QUESTION 3

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

• A. Warning
• B. Exempt
• C. Allow
• D. Learn

Answer: AC

NEW QUESTION 4

Which scanning technique on FortiGate can be enabled only on the CLI?

• A. Heuristics scan
• B. Trojan scan
• C. Antivirus scan
• D. Ransomware scan

Answer: A

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/567568/enabling-scanning

NEW QUESTION 5

Examine the following web filtering log.

Which statement about the log message is true?

• A. The action for the category Games is set to block.
• B. The usage quota for the IP address 10.0.1.10 has expired
• C. The name of the applied web filter profile is default.
• D. The web site miniclip.com matches a static URL filter whose action is set to Warning.

Answer: C

NEW QUESTION 6

Exhibit:

Refer to the exhibit to view the authentication rule configuration In this scenario, which statement is true?

• A. IP-based authentication is enabled
• B. Route-based authentication is enabled
• C. Session-based authentication is enabled.
• D. Policy-based authentication is enabled

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45387

NEW QUESTION 7

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

• A. The Detection Mode setting is not set to Passive.
• B. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
• C. The configured participants are not SD-WAN members.
• D. The Enable probe packets setting is not enabled.

Answer: BD

NEW QUESTION 8

NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration does not change when you enable policy-based inspection?

• A. Web filtering
• B. Antivirus
• C. Web proxy
• D. Application control

Answer: B

NEW QUESTION 9

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)

• A. Antivirus scanning
• B. File filter
• C. DNS filter
• D. Intrusion prevention

Answer: AD

NEW QUESTION 10

Refer to the exhibits.
Exhibit A.

Exhibit B.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

• A. Change the csf setting on Local-FortiGate (root) to sec configuration-sync local.
• B. Change the csf setting on ISFW (downstream) to sec configuracion-sync local.
• C. Change the csf setting on Local-FortiGate (root) to sec fabric-objecc-unificacion defaulc.
• D. Change the csf setting on ISFW (downstream) to sec fabric-objecc-unificacion defaulc.

Answer: A

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD43820

NEW QUESTION 11

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

• A. The public key of the web server certificate must be installed on the browser.
• B. The web-server certificate must be installed on the browser.
• C. The CA certificate that signed the web-server certificate must be installed on the browser.
• D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Answer: C

NEW QUESTION 12

Refer to the exhibit.



The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

• A. Disable match-vip in the Deny policy.
• B. Set the Destination address as Deny_IP in the Allow-access policy.
• C. Enable match vip in the Deny policy.
• D. Set the Destination address as Web_server in the Deny policy.

Answer: CD

NEW QUESTION 13

Refer to the exhibit.

Which contains a Performance SLA configuration.
An administrator has configured a performance SLA on FortiGate. Which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

• A. Participants configured are not SD-WAN members.
• B. There may not be a static route to route the performance SLA traffic.
• C. The Ping protocol is not supported for the public servers that are configured.
• D. You need to turn on the Enable probe packets switch.

Answer: D

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/478384/performance-sla-linkmonitoring

NEW QUESTION 14

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

• A. Subject Key Identifier value
• B. SMMIE Capabilities value
• C. Subject value
• D. Subject Alternative Name value

Answer: A

NEW QUESTION 15

An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

• A. VLAN interface
• B. Software Switch interface
• C. Aggregate interface
• D. Redundant interface

Answer: C

Explanation:
Reference: https://forum.fortinet.com/tm.aspx?m=120324

NEW QUESTION 16

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

• A. The IP version of the sources and destinations in a firewall policy must be different.
• B. The Incoming Interfac
• C. Outgoing Interfac
• D. Schedule, and Service fields can be shared with both IPv4 and IPv6.
• E. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
• F. The IP version of the sources and destinations in a policy must match.
• G. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Answer: BDE

NEW QUESTION 17
......