Fortinet NSE4 Online Practice Questions and Exam Preparation
NSE4 Exam Details
Exam Code: NSE4
Exam Name: Fortinet Network Security Expert 4 Written Exam (400)
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 301 Q&As
Last Updated: Apr 21, 2024
Fortinet NSE4 Online Questions & Answers
Question 201:
The exhibit shows partial output of the diagnostic command 'diagnose debug application ike 255', taken during establishment of a VPN. Which of the following statements are correct concerning this output? (Choose two.)
A. The quick mode selectors negotiated between both IPsec VPN peers are 0.0.0.0/32 for both source and destination addresses.
B. The output corresponds to a phase 2 negotiation.
C. NAT-T is enabled and there is a third device in the path performing NAT of the traffic between both IPsec VPN peers.
D. The IP address of the remote IPsec VPN peer is 172.20.187.114.
Answer:
B. The output corresponds to a phase 2 negotiation.
D. The IP address of the remote IPsec VPN peer is 172.20.187.114.
Question 202:
What determines whether a log message is generated or not?
A. Firewall policy setting
B. Log Settings in the GUI
C. 'config log' command in the CLI
D. Syslog
E. Webtrends
Answer:
A. Firewall policy setting
Question 203:
Which of the following statements are true regarding application control? (Choose two.)
A. Application control is based on TCP destination port numbers.
B. Application control is proxy based.
C. Encrypted traffic can be identified by application control.
D. Traffic shaping can be applied to the detected application traffic.
Answer:
C. Encrypted traffic can be identified by application control.
D. Traffic shaping can be applied to the detected application traffic.
Question 204:
Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor?
A. No protection profile can be applied over the IPsec traffic.
B. Phase-2 anti-replay must be disabled.
C. Phase 2 must have an encryption algorithm supported by the NP6.
D. IPsec traffic must not be inspected by any FortiGate session helper.
Answer:
C. Phase 2 must have an encryption algorithm supported by the NP6.
Question 205:
What is a valid reason for using session-based authentication instead of IP-based authentication in a FortiGate web proxy solution?
A. Users are required to manually enter their credentials each time they connect to a different web site.
B. Proxy users are authenticated via FSSO.
C. There are multiple users sharing the same IP address.
D. Proxy users are authenticated via RADIUS.
Answer:
C. There are multiple users sharing the same IP address.
Question 206:
Which of the following statements are true about Man-in-the-middle SSL Content Inspection? (Choose three.)
A. The FortiGate device "re-signs" all the certificates coming from the HTTPS servers.
B. The FortiGate device acts as a sub-CA.
C. The local service certificate of the web server must be installed in the FortiGate device.
D. The FortiGate device does man-in-the-middle inspection.
E. The required SSL Proxy certificate must first be requested from a public certificate authority (CA).
Answer:
B. The FortiGate device acts as a sub-CA.
C. The local service certificate of the web server must be installed in the FortiGate device.
E. The required SSL Proxy certificate must first be requested from a public certificate authority (CA).
Question 207:
A FortiGate unit has multiple VDOMs in NAT/route mode with multiple VLAN interfaces in each VDOM. Which of the following statements is correct regarding the IP addresses assigned to each VLAN interface?
A. Different VLANs can share the same IP address as long as they have different VLAN IDs.
B. Different VLANs can share the same IP address as long as they are on different physical interfaces.
C. Different VLANs can share the same IP address as long as they are in different VDOMs.
D. Different VLANs can never share the same IP addresses.
Answer:
C. Different VLANs can share the same IP address as long as they are in different VDOMs.
Question 208:
What is IPsec Perfect Forward Secrecy (PFS)?
A. A phase-1 setting that allows the use of symmetric encryption.
B. A phase-2 setting that allows the recalculation of a new common secret key each time the session key expires.
C. A 'key-agreement' protocol.
D. A 'security-association-agreement' protocol.
Answer:
B. A phase-2 setting that allows the recalculation of a new common secret key each time the session key expires.
Question 209:
Which statements are true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)
A. Only one proxy is supported.
B. Can be manually imported to the browser.
C. The browser can automatically download it from a web server.
D. Can include a list of destination IP subnets where the browser can connect directly to without using a proxy.
Answer:
C. The browser can automatically download it from a web server.
D. Can include a list of destination IP subnets where the browser can connect directly to without using a proxy.
Question 210:
Which of the following statements are correct regarding FortiGate virtual domains (VDOMs)? (Choose two.)
A. VDOMs divide a single FortiGate unit into two or more independent firewalls.
B. A management VDOM handles SNMP, logging, alert email and FortiGuard updates.
C. Each VDOM can run different firmware versions.
D. Administrative users with a 'super_admin' profile can administrate only one VDOM.
Answer:
A. VDOMs divide a single FortiGate unit into two or more independent firewalls.
B. A management VDOM handles SNMP, logging, alert email and FortiGuard updates.