Fortinet NSE4_FGT-6.4 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-6.4 Online Questions & Answers

• Question 111:

  An administrator has configured the following settings:

  

  What are the two results of this configuration? (Choose two.)

  A. Device detection on all interfaces is enforced for 30 minutes.
  B. Denied users are blocked for 30 minutes.
  C. A session for denied traffic is created.
  D. The number of logs generated by denied traffic is reduced.
  C. A session for denied traffic is created.
  D. The number of logs generated by denied traffic is reduced.

• Question 112:

  An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

  A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
  B. Create a new service object for HTTP service and set the session TTL to never
  C. Set the TTL value to never under config system-ttl
  D. Set the session TTL on the HTTP policy to maximum
  B. Create a new service object for HTTP service and set the session TTL to never
  C. Set the TTL value to never under config system-ttl

• Question 113:

  Refer to the exhibit.

  

  The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses. How does FortiGate process the traffic sent to http://www.fortinet.com?

  A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
  B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
  C. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
  D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
  D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

• Question 114:

  Examine this PAC file configuration.

  

  Which of the following statements are true? (Choose two.)

  A. Browsers can be configured to retrieve this PAC file from the FortiGate.
  B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
  C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
  D. Any web request fortinet.com is allowed to bypass the proxy.
  A. Browsers can be configured to retrieve this PAC file from the FortiGate.
  D. Any web request fortinet.com is allowed to bypass the proxy.

• Question 115:

  An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

  A. Policy lookup will be disabled.
  B. By Sequence view will be disabled.
  C. Search option will be disabled
  D. Interface Pair view will be disabled.
  D. Interface Pair view will be disabled.

• Question 116:

  What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  B. FortiGate automatically negotiates a new security association after the existing security association expires.
  C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
  D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

• Question 117:

  Which two statements are true about collector agent standard access mode? (Choose two.)

  A. Standard mode uses Windows convention-NetBios: Domain\Username.
  B. Standard mode security profiles apply to organizational units (OU).
  C. Standard mode security profiles apply to user groups.
  D. Standard access mode supports nested groups.
  A. Standard mode uses Windows convention-NetBios: Domain\Username.
  C. Standard mode security profiles apply to user groups.

• Question 118:

  Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

  A. The keyUsage extension must be set to keyCertSign.
  B. The common name on the subject field must use a wildcard name.
  C. The issuer must be a public CA.
  D. The CA extension must be set to TRUE.
  A. The keyUsage extension must be set to keyCertSign.
  D. The CA extension must be set to TRUE.

• Question 119:

  Which of the following statements about central NAT are true? (Choose two.)

  A. IP tool references must be removed from existing firewall policies before enabling central NAT.
  B. Central NAT can be enabled or disabled from the CLI only.
  C. Source NAT, using central NAT, requires at least one central SNAT policy.
  D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
  A. IP tool references must be removed from existing firewall policies before enabling central NAT.
  B. Central NAT can be enabled or disabled from the CLI only.

• Question 120:

  Examine the following web filtering log.

  

  Which statement about the log message is true?

  A. The action for the category Games is set to block.
  B. The usage quota for the IP address 10.0.1.10 has expired
  C. The name of the applied web filter profile is default.
  D. The web site miniclip.com matches a static URL filter whose action is set to Warning.
  C. The name of the applied web filter profile is default.