Exam Details

  • Exam Code: NSE4_FGT-6.4
  • Exam Name: Fortinet NSE 4 - FortiOS 6.4
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 163 Q&As
  • Last Updated: Jun 11, 2025

Fortinet Fortinet Certifications NSE4_FGT-6.4 Questions & Answers

  • Question 41:

    View the exhibit.

    Which of the following statements are correct? (Choose two.)

    A. This setup requires at least two firewall policies with the action set to IPsec.

    B. Dead peer detection must be disabled to support this type of IPsec setup.

    C. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

    D. This is a redundant IPsec setup.

  • Question 42:

    Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

    A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

    B. An SA never expires.

    C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.

    D. Phase 2 SA expiration can be time-based, volume-based, or both.

    E. Both the phase 1 SA and phase 2 SA are bidirectional.

  • Question 43:

    An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

    A. The interface has been configured for one-arm sniffer.

    B. The interface is a member of a virtual wire pair.

    C. The operation mode is transparent.

    D. The interface is a member of a zone.

    E. Captive portal is enabled in the interface.

  • Question 44:

    Refer to the exhibit.

    A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

    Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

    A. On HQ-FortiGate, enable Auto-negotiate.

    B. On Remote-FortiGate, set Seconds to 43200.

    C. On HQ-FortiGate, enable Diffie-Hellman Group 2.

    D. On HQ-FortiGate, set Encryption to AES256.

  • Question 45:

    If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

    A. IP address

    B. Once Internet Service is selected, no other object can be added

    C. User or User Group

    D. FQDN address

  • Question 46:

    Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

    A. To remove the NAT operation.

    B. To generate logs

    C. To finish any inspection operations.

    D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.

  • Question 47:

    When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

    A. Log ID

    B. Universally Unique Identifier

    C. Policy ID

    D. Sequence ID

  • Question 48:

    If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

    A. The Services field prevents SNAT and DNAT from being combined in the same policy.

    B. The Services field is used when you need to bundle several VIPs into VIP groups.

    C. The Services field removes the requirement to create multiple VIPs for different services.

    D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

  • Question 49:

    Which two statements are true about the Security Fabric rating? (Choose two.)

    A. It provides executive summaries of the four largest areas of security focus.

    B. Many of the security issues can be fixed immediately by clicking Apply where available.

    C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

    D. The Security Fabric rating is a free service that comes bundled with all FortiGate devices.

  • Question 50:

    Which three statements about a flow-based antivirus profile are correct? (Choose three.)

    A. IPS engine handles the process as a standalone.

    B. FortiGate buffers the whole file but transmits to the client simultaneously.

    C. If the virus is detected, the last packet is delivered to the client.

    D. Optimized performance compared to proxy-based inspection.

    E. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

Tips on How to Prepare for the Exams

Certification exams are becoming more and more important, and more and more enterprises require them of job applicants. But how do you prepare for an exam effectively, in a short time and with less effort? How do you get an ideal result, and where do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Fortinet exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your NSE4_FGT-6.4 exam preparation or Fortinet certification application, do not hesitate to visit Vcedump.com to find your solutions.