Exam Details

  • Exam Code: NSE4_FGT-7.0
  • Exam Name: Fortinet NSE 4 - FortiOS 7.0
  • Certification: NSE4
  • Vendor: Fortinet
  • Total Questions: 172 Q&As
  • Last Updated: May 08, 2024

Fortinet NSE4 NSE4_FGT-7.0 Questions & Answers

  • Question 1:

    A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not.

    Which configuration option is the most effective way to support this request?

    A. Implement a web filter category override for the specified website.

    B. Implement a DNS filter for the specified website.

    C. Implement web filter quotas for the specified website.

    D. Implement web filter authentication for the specified website.

  • Question 2:

    What devices form the core of the security fabric?

    A. Two FortiGate devices and one FortiManager device

    B. One FortiGate device and one FortiManager device

    C. Two FortiGate devices and one FortiAnalyzer device

    D. One FortiGate device and one FortiAnalyzer device

  • Question 3:

    Refer to the exhibit, which contains a network diagram and routing table output.

    The Student is unable to access Webserver.

    What is the cause of the problem and what is the solution for the problem?

    A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

    B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

    C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

    D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

  • Question 4:

    Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

    A. Shut down/reboot a downstream FortiGate device.

    B. Disable FortiAnalyzer logging for a downstream FortiGate device.

    C. Log in to a downstream FortiSwitch device.

    D. Ban or unban compromised hosts.

  • Question 5:

    Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

    A. Heartbeat interfaces have virtual IP addresses that are manually assigned.

    B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

    C. Virtual IP addresses are used to distinguish between cluster members.

    D. The primary device in the cluster is always assigned IP address 169.254.0.1.

  • Question 6:

    Consider the topology:

    Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

    An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

    The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

    What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

    A. Set the maximum session TTL value for the TELNET service object.

    B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

    C. Create a new service object for TELNET and set the maximum session TTL.

    D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

  • Question 7:

    Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

    A. This is known as many-to-one NAT.

    B. Source IP is translated to the outgoing interface IP.

    C. Connections are tracked using source port and source MAC address.

    D. Port address translation is not used.

  • Question 8:

    An organization's employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

    A. Change the session-ttl.

    B. Change the login timeout.

    C. Change the idle-timeout.

    D. Change the udp idle timer.

  • Question 9:

    Examine this FortiGate configuration:

    Examine the output of the following debug command:

    Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

    A. It is allowed, but with no inspection.

    B. It is allowed and inspected, as long as the inspection is flow based.

    C. It is dropped.

    D. It is allowed and inspected, as long as the only inspection required is antivirus.

  • Question 10:

    Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

    A. The public key of the web server certificate must be installed on the browser.

    B. The web-server certificate must be installed on the browser.

    C. The CA certificate that signed the web-server certificate must be installed on the browser.

    D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Tips on How to Prepare for the Exams

Certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result and find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Fortinet exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your NSE4_FGT-7.0 exam preparation or Fortinet certification application, do not hesitate to visit Vcedump.com to find your solutions.