Fortinet Fortinet Certifications NSE4-5.4 Questions & Answers

• Question 121:

  Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor?

  A. No protection profile can be applied over the IPsec traffic.

  B. Phase-2 anti-replay must be disabled.

  C. Both the phase 1 and phases 2 must use encryption algorithms supported by the NP6.

  D. IPsec traffic must not be inspected by any FortiGate session helper.

  Correct Answer: C

• Question 122:

  Which statements are true about offloading antivirus inspection to a Security Processor (SP)? (Choose two.)

  A. Both proxy-based and flow-based inspection are supported.

  B. A replacement message cannot be presented to users when a virus has been detected.

  C. It saves CPU resources.

  D. The ingress and egress interfaces can be in different SPs.

  Correct Answer: BC

• Question 123:

  Which IP packets can be hardware-accelerated by a NP6 processor? (Choose two.)

  A. Fragmented packet.

  B. Multicast packet.

  C. SCTP packet

  D. GRE packet.

  Correct Answer: BC

• Question 124:

  Which statements are correct regarding an IPv6 over IPv4 IPsec configuration? (Choose two.)

  A. The source quick mode selector must be an IPv4 address.

  B. The destination quick mode selector must be an IPv6 address.

  C. The Local Gateway IP must be an IPv4 address.

  D. The remote gateway IP must be an IPv6 address.

  Correct Answer: BC

• Question 125:

  Which statements are true regarding IPv6 anycast addresses? (Choose two.)

  A. Multiple interfaces can share the same anycast address.

  B. They are allocated from the multicast address space.

  C. Different nodes cannot share the same anycast address.

  D. An anycast packet is routed to the nearest interface.

  Correct Answer: AD

• Question 126:

  What functions can the IPv6 Neighbor Discovery protocol accomplish? (Choose two.)

  A. Negotiate the encryption parameters to use.

  B. Auto-adjust the MTU setting.

  C. Autoconfigure addresses and prefixes.

  D. Determine other nodes reachability.

  Correct Answer: CD

• Question 127:

  Examine the following output from the diagnose sys session list command: Which statements are true regarding the session above? (Choose two.)

  

  A. Session Time-To-Live (TTL) was configured to 9 seconds.

  B. FortiGate is doing NAT of both the source and destination IP addresses on all packets coming from the 192.168.1.110 address.

  C. The IP address 192.168.1.110 is being translated to 172.17.87.16.

  D. The FortiGate is not translating the TCP port numbers of the packets in this session.

  Correct Answer: CD

• Question 128:

  For data leak prevention, which statement describes the difference between the block and quarantine actions?

  A. A block action prevents the transaction. A quarantine action blocks all future transactions, regardless of the protocol.

  B. A block action prevents the transaction. A quarantine action archives the data.

  C. A block action has a finite duration. A quarantine action must be removed by an administrator.

  D. A block action is used for known users. A quarantine action is used for unknown users.

  Correct Answer: A

• Question 129:

  In which process states is it impossible to interrupt/kill a process? (Choose two.)

  A. S-Sleep

  B. R-Running

  C. D-Uninterruptable Sleep

  D. Z-Zombie

  Correct Answer: CD

• Question 130:

  Which statements about virtual domains (VDOMs) are true? (Choose two.)

  A. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.

  B. Each VDOM can be configured with different system hostnames.

  C. Different VLAN sub-interfaces of the same physical interface can be assigned to different VDOMs.

  D. Each VDOM has its own routing table.

  Correct Answer: CD