Fortinet Fortinet Certifications NSE4-5.4 Questions & Answers

• Question 1:

  Examine the following web filtering log.

  

  Which statement about the log message is true?

  A. The action for the category Games is set to block.

  B. The usage quota for the IP address 10.0.1.10 has expired.

  C. The name of the applied web filter profile is default.

  D. The web site miniclip.com matches a static URL filter whose action is set to Warning.

  Correct Answer: D

• Question 2:

  View the exhibit.

  

  What does this exhibit represent?

  A. SSL handshake

  B. Interchanging digital certificates

  C. Certificate signing request (CSR)

  D. Inline SSL inspection

  Correct Answer: A

• Question 3:

  Which condition must be met to offload the encryption and decryption of IPsec traffic to an NP6 processor?

  A. Phase 2 must use an encryption algorithm supported by the NP6.

  B. Anti-replay must be disabled.

  C. IPsec traffic must not be inspected by a session helper.

  D. No content inspection can be applied to traffic that is going to be encrypted.

  Correct Answer: A

• Question 4:

  What FortiGate feature can be used to prevent a cross-site scripting (XSS) attack?

  A. Web application firewall (WAF)

  B. DoS policies

  C. Rate based IPS signatures

  D. One-arm sniffer

  Correct Answer: A

• Question 5:

  What is the purpose of the Policy Lookup feature?

  A. It searches the matching policy based on an input criteria.

  B. It enables hidden security profiles with full logging capabilities and generates Learning Reports based on an input criteria.

  C. It finds duplicate objects in firewall policies.

  D. It creates a new firewall policy based on an input criteria.

  Correct Answer: A

• Question 6:

  View the exhibit.

  

  Which of the following statements are correct? (Choose two.)

  A. next-hop IP address is not required when configuring a static route that uses the wan-load balance interface.

  B. Sessions will be load-balanced based on source and destination IP addresses.

  C. Each member interface requires its own firewall policy to allow traffic.

  D. The wan-load-balance interface must be manually created.

  Correct Answer: AB

• Question 7:

  Which election criterion is used to elect the primary FortiGate in a high availability (HA) cluster when override is enabled?

  A. uptime > priority > port monitor > serial number

  B. port monitor > uptime > priority >serial number

  C. priority > port monitor >uptime >serial number

  D. port monitor > priority > uptime >serial number

  Correct Answer: D

• Question 8:

  View the exhibit.

  

  What does the log message indicate? (Choose two.)

  A. The log type is utm.

  B. 10.0.1.10 is the IP address for mind-surf.net.

  C. FortiGate blocked the traffic.

  D. Firewall policy ID 6 matched the traffic.

  Correct Answer: AC

• Question 9:

  View the exhibit.

  

  In this scenario, FGT1 has the following routing table:

  S* 0. 0. 0. 0/0 [10/0] via 10. 40. 72. 2, port1 C 172. 16. 32. 0/24 is directly connected, port2 C 10. 40. 72. 0/30 is directly connected, port1

  A user at 192.168.32.15 is trying to access the web server at 172.16.32.254. Which of the following statements best describe how the FortiGate will perform reverse path forwarding checks on this traffic? (Choose two.)

  A. Strict RPF check will deny the traffic.

  B. Strict RPF check will allow the traffic.

  C. Loose RPF check will allow the traffic.

  D. Loose RPF check will deny the traffic.

  Correct Answer: BD

• Question 10:

  What FortiGate configuration is required to actively prompt users for credentials?

  A. You must enable one or more protocols that support active authentication on a firewall policy.

  B. You must assign users to a group for active authentication.

  C. You must place the firewall policy for active authentication before a firewall policy for passive authentication.

  D. You must enable the Authentication setting on the firewall policy.

  Correct Answer: B