Fortinet NSE4_FGT-7.0 Online Practice Questions and Exam Preparation
NSE4_FGT-7.0 Exam Details
Exam Code: NSE4_FGT-7.0
Exam Name: Fortinet NSE 4 - FortiOS 7.0
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 172 Q&As
Last Updated: May 27, 2026
Fortinet NSE4_FGT-7.0 Online Questions & Answers
Question 161:
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
B. FortiGate automatically negotiates a new security association after the existing security association expires.
C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
Answer: D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
Question 162:
Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)
A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.
B. FortiGate supports pre-shared key and signature as authentication methods.
C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
D. A certificate is not required on the remote peer when you set the signature as the authentication method.
Answer: A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password. B. FortiGate supports pre-shared key and signature as authentication methods.
Question 163:
You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk. What is the default behavior when the local disk is full?
A. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
B. No new log is recorded until you manually clear logs from the local disk.
C. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
D. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.
Answer: C. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
Question 164:
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?
A. A phase 2 configuration is not required.
B. This VPN cannot be used as part of a hub-and-spoke topology.
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
D. The IPsec firewall policies must be placed at the top of the list.
Answer: C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
In a route-based configuration, FortiGate automatically adds a virtual interface with the VPN name (Infrastructure Study Guide, 206).
Question 166:
Refer to the FortiGuard connection debug output.
Based on the output shown in the exhibit, which two statements are correct? (Choose two.)
A. A local FortiManager is one of the servers FortiGate communicates with.
B. One server was contacted to retrieve the contract information.
C. There is at least one server that lost packets consecutively.
D. FortiGate is using default FortiGuard communication settings.
Answer: B. One server was contacted to retrieve the contract information. D. FortiGate is using default FortiGuard communication settings.
Question 167:
Refer to the exhibit.
The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?
A. 'host 192.168.0.2 and port 8080'
B. 'host 10.0.0.50 and port 80'
C. 'host 192.168.0.1 and port 80'
D. 'host 10.0.0.50 and port 8080'
Answer: A. 'host 192.168.0.2 and port 8080'
Question 168:
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
A. The collector agent uses a Windows API to query DCs for user logins.
B. NetAPI polling can increase bandwidth usage in large networks.
C. The collector agent must search security event logs.
D. The NetSessionEnum function is used to track user logouts.
Answer: D. The NetSessionEnum function is used to track user logouts.
Question 169:
According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?
A. A user
B. A root CA
C. A bridge CA
D. A subordinate
Answer: A. A user
Question 170:
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
1. All traffic must be routed through the primary tunnel when both tunnels are up.
2. The secondary tunnel must be used only if the primary tunnel goes down.
3. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B. Enable Dead Peer Detection.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Answer: B. Enable Dead Peer Detection. C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
B - The customer requires FortiGate to detect when a tunnel goes down, and Dead Peer Detection (DPD) is designed for that purpose: it sends a packet to the peer and, after a specific amount of time without a response, the tunnel is treated as down so that traffic can fail over to the next tunnel.
C - Route selection depends on administrative distance: among the routes to a particular destination, the one with the lowest distance is chosen. Configuring a lower distance on the static route for the primary tunnel therefore means that the primary tunnel is chosen to route packets towards their destination.