Fortinet Fortinet Certifications NSE4_FGT-7.0 Questions & Answers

• Question 121:

  An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

  A. Policy lookup will be disabled.

  B. By Sequence view will be disabled.

  C. Search option will be disabled

  D. Interface Pair view will be disabled.

  Correct Answer: D

  https://kb.fortinet.com/kb/documentLink.do?externalID=FD47821

• Question 122:

  Refer to the exhibit.

  

  The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

  Which two statements are true? (Choose two.)

  A. FortiGate SN FGVM010000065036 HA uptime has been reset.

  B. FortiGate devices are not in sync because one device is down.

  C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

  D. FortiGate SN FGVM010000064692 has the higher HA priority.

  Correct Answer: AD

  1.

  Override is disable by default - OK

  2.

  "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary" The question here is : HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes) Page 314 Infra Study Guide.

  https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-overridedisabled-default

• Question 123:

  Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

  A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

  B. The client FortiGate requires a manually added route to remote subnets.

  C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

  D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

  Correct Answer: CD

  Reference: https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/266506/ssl-vpn-with-certificateauthentication

• Question 124:

  Refer to the exhibit.

  

  An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

  A. The Detection Mode setting is not set to Passive.

  B. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

  C. The configured participants are not SD-WAN members.

  D. The Enable probe packets setting is not enabled.

  Correct Answer: BD

• Question 125:

  Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

  A. The collector agent uses a Windows API to query DCs for user logins.

  B. NetAPI polling can increase bandwidth usage in large networks.

  C. The collector agent must search security event logs.

  D. The NetSession Enum function is used to track user logouts.

  Correct Answer: D

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD34906 https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKCanddocType=kcandexternalId=F D34906andsliceId=1anddocTypeID=DT_KCARTICLE_1_1anddialogID=210966035andstateId=1%2 00% 20210968009%27

• Question 126:

  Refer to the exhibit.

  

  Examine the intrusion prevention system (IPS) diagnostic command.

  Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

  A. The IPS engine was inspecting high volume of traffic.

  B. The IPS engine was unable to prevent an intrusion attack.

  C. The IPS engine was blocking all traffic.

  D. The IPS engine will continue to run in a normal state.

  Correct Answer: A

  Reference: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage

• Question 127:

  Refer to the exhibit.

  

  Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  A. The port3 default route has the highest distance.

  B. The port3 default route has the lowest metric.

  C. There will be eight routes active in the routing table.

  D. The port1 and port2 default routes are active in the routing table.

  Correct Answer: AD

• Question 128:

  An administrator wants to configure timeouts for users. Regardless of the userTMs behavior, the timer should start as soon as the user authenticates and expire after the configured value.

  Which timeout option should be configured on FortiGate?

  A. auth-on-demand

  B. soft-timeout

  C. idle-timeout

  D. new-session

  E. hard-timeout

  Correct Answer: E

  Reference:

  https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221#:~:text=Hard%20timeout %3A%20User

  %20entry%20will,(5%20minutes%20by%20default)

• Question 129:

  Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  A. SSH

  B. HTTPS

  C. FTM

  D. FortiTelemetry

  Correct Answer: AB

  Reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/ buildingsecurity-into-fortios

• Question 130:

  A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

  What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  A. Static IP Address

  B. Dialup User

  C. Dynamic DNS

  D. Pre-shared Key

  Correct Answer: B

  Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup clien and this is often the case for branch offices and mobile VPN clients that use dynamic IP address and no dynamic DNS