Exam Details

  • Exam Code: NSE4
  • Exam Name: Fortinet Network Security Expert 4 Written Exam (400)
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 301 Q&As
  • Last Updated: Apr 21, 2024

Fortinet Fortinet Certifications NSE4 Questions & Answers

  • Question 131:

    The exhibit shows a FortiGate routing table.

    Which of the following statements are correct? (Choose two.)

    A. There is only one active default route.

    B. The distance value for the route to 192.168.1.0/24 is 200.

    C. An IP address in the subnet 172.16.78.0/24 has been assigned to the dmz interface.

    D. The FortiGate will route the traffic to 172.17.1.2 to the next hop with the IP address 192.168.11.254.

  • Question 132:

    Which of the following statements are true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)

    A. More than one proxy is supported.

    B. Can contain a list of destinations that will be exempt from the use of any proxy.

    C. Can contain a list of URLs that will be exempted from the FortiGate web filtering inspection.

    D. Can contain a list of users that will be exempted from the use of any proxy.

  • Question 133:

    An Internet browser is using the WPAD DNS method to discover the PAC file's URL. The DNS server replies to the browser's request with the IP address 10.100.1.10. Which URL will the browser use to download the PAC file?

    A. http://10.100.1.10/proxy.pac

    B. https://10.100.1.10/

    C. http://10.100.1.10/wpad.dat

    D. https://10.100.1.10/proxy.pac

  • Question 134:

    Acme Web Hosting is replacing one of their firewalls with a FortiGate. It must be able to apply port forwarding to their back-end web servers while blocking virus uploads and TCP SYN floods from attackers. Which operation mode is the best choice for these requirements?

    A. NAT/route

    B. NAT mode with an interface in one-arm sniffer mode

    C. Transparent mode

    D. No appropriate operation mode exists

  • Question 135:

    When an administrator attempts to manage FortiGate from an IP address that is not a trusted host, what happens?

    A. FortiGate will still subject that person's traffic to firewall policies; it will not bypass them.

    B. FortiGate will drop the packets and not respond.

    C. FortiGate responds with a block message, indicating that it will not allow that person to log in.

    D. FortiGate responds only if the administrator uses a secure protocol. Otherwise, it does not respond.

  • Question 136:

    An administrator has formed a high availability cluster involving two FortiGate units.

    [Multiple upstream Layer 2 switches] - [FortiGate HA Cluster] - [Multiple downstream Layer 2 switches]

    The administrator wishes to ensure that a single link failure will have minimal impact upon the overall throughput of traffic through this cluster.

    Which of the following options describes the best step the administrator can take?

    The administrator should _____________________

    A. Increase the number of FortiGate units in the cluster and configure HA in active-active mode.

    B. Enable monitoring of all active interfaces.

    C. Set up a full-mesh design which uses redundant interfaces.

    D. Configure the HA ping server feature to allow for HA failover in the event that a path is disrupted.

  • Question 137:

    Which is NOT true about source matching with firewall policies?

    A. A source address object must be selected in the firewall policy.

    B. A source user/group may be selected in the firewall policy.

    C. A source device may be defined in the firewall policy.

    D. A source interface must be selected in the firewall policy.

    E. A source user/group and device must be specified in the firewall policy.

  • Question 138:

    Which of the following statements are true regarding a FortiGate device operating in transparent mode? (Choose three.)

    A. It acts as a layer 2 bridge.

    B. It acts as a layer 3 router.

    C. It forwards frames using the destination MAC address.

    D. It forwards packets using the destination IP address.

    E. It can perform content inspection (antivirus, web filtering, etc.).

  • Question 139:

    Which of the following statements are true regarding application control? (Choose two.)

    A. Application control is based on TCP destination port numbers.

    B. Application control is proxy based.

    C. Encrypted traffic can be identified by application control.

    D. Traffic shaping can be applied to the detected application traffic.

  • Question 140:

    A FortiGate unit is configured with three Virtual Domains (VDOMs) as illustrated in the exhibit.

    Which of the following statements are true if the network administrator wants to route traffic between all the VDOMs? (Choose three.)

    A. The administrator can configure inter-VDOM links to avoid using external interfaces and routers.

    B. As with all FortiGate unit interfaces, firewall policies must be in place for traffic to be allowed to pass through any interface, including inter-VDOM links.

    C. This configuration requires a router to be positioned between the FortiGate unit and the Internet for proper routing.

    D. Inter-VDOM routing is automatically provided if all the subnets that need to be routed are locally attached.

    E. As each VDOM has an independent routing table, routing rules need to be set (for example, static routing, OSPF) in each VDOM to route traffic between VDOMs.
