Fortinet Fortinet Certifications NSE4_FGT-6.4 Questions & Answers

• Question 101:

  Refer to the exhibit.

  

  Which contains a network diagram and routing table output.

  The Student is unable to access Webserver.

  What is the cause of the problem and what is the solution for the problem?

  A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

  B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

  C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

  D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

  Correct Answer: D

• Question 102:

  Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

  A. get system status

  B. get system performance status

  C. diagnose sys top

  D. get system arp

  Correct Answer: D

• Question 103:

  When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

  A. remote user's public IP address

  B. The public IP address of the FortiGate device.

  C. The remote user's virtual IP address.

  D. The internal IP address of the FortiGate device.

  Correct Answer: D

  Source IP seen by the remote resources is FortiGate's internal IP address and not the user's IP address

• Question 104:

  Examine the following web filtering log.

  

  Which statement about the log message is true?

  A. The action for the category Games is set to block.

  B. The usage quota for the IP address 10.0.1.10 has expired

  C. The name of the applied web filter profile is default.

  D. The web site miniclip.com matches a static URL filter whose action is set to Warning.

  Correct Answer: C

• Question 105:

  Which two statements about antivirus scanning mode are true? (Choose two.)

  A. In proxy-based inspection mode, files bigger than the buffer size are scanned.

  B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

  C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

  D. In flow-based inspection mode, files bigger than the buffer size are scanned.

  Correct Answer: BC

• Question 106:

  A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

  What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  A. Static IP Address

  B. Dialup User

  C. Dynamic DNS

  D. Pre-shared Key

  Correct Answer: B

• Question 107:

  Refer to the FortiGuard connection debug output.

  

  Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

  A. A local FortiManager is one of the servers FortiGate communicates with.

  B. One server was contacted to retrieve the contract information.

  C. There is at least one server that lost packets consecutively.

  D. FortiGate is using default FortiGuard communication settings.

  Correct Answer: BD

• Question 108:

  A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.

  Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

  A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

  B. The two VLAN sub interfaces must have different VLAN IDs.

  C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

  D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

  Correct Answer: B

  FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf ?gt; page 147 "Multiple VLANs can coexist in the same physical interface, provide they have different VLAN ID"

• Question 109:

  A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

  *

  All traffic must be routed through the primary tunnel when both tunnels are up

  *

  The secondary tunnel must be used only if the primary tunnel goes down

  *

  In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

  Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

  A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

  B. Enable Dead Peer Detection.

  C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

  D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

  Correct Answer: BC

• Question 110:

  Which two statements are true about the FGCP protocol? (Choose two.)

  A. Not used when FortiGate is in Transparent mode

  B. Elects the primary FortiGate device

  C. Runs only over the heartbeat links

  D. Is used to discover FortiGate devices in different HA groups

  Correct Answer: BC