Fortinet NSE4_FGT-7.0 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.0 Online Questions & Answers

• Question 31:

  Which two statements are true when FortiGate is in transparent mode? (Choose two.)

  A. By default, all interfaces are part of the same broadcast domain.
  B. The existing network IP schema must be changed when installing a transparent mode.
  C. Static routes are required to allow traffic to the next hop.
  D. FortiGate forwards frames without changing the MAC address.
  A. By default, all interfaces are part of the same broadcast domain.
  D. FortiGate forwards frames without changing the MAC address.

  ---

  Reference: https://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdfanddo cumentID=FD33113

• Question 32:

  Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)

  A. Lookup is done on the first packet from the session originator
  B. Lookup is done on the last packet sent from the responder
  C. Lookup is done on every packet, regardless of direction
  D. Lookup is done on the trust reply packet from the responder
  A. Lookup is done on the first packet from the session originator
  D. Lookup is done on the trust reply packet from the responder

• Question 33:

  Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

  A. Shut down/reboot a downstream FortiGate device.
  B. Disable FortiAnalyzer logging for a downstream FortiGate device.
  C. Log in to a downstream FortiSwitch device.
  D. Ban or unban compromised hosts.
  A. Shut down/reboot a downstream FortiGate device.
  B. Disable FortiAnalyzer logging for a downstream FortiGate device.

• Question 34:

  Examine this FortiGate configuration:

  

  Examine the output of the following debug command:

  

  Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

  A. It is allowed, but with no inspection
  B. It is allowed and inspected as long as the inspection is flow based
  C. It is dropped.
  D. It is allowed and inspected, as long as the only inspection required is antivirus.
  C. It is dropped.

• Question 35:

  When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

  A. Log ID
  B. Universally Unique Identifier
  C. Policy ID
  D. Sequence ID
  B. Universally Unique Identifier

  ---

  Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewall-policies

• Question 36:

  Refer to the exhibit.

  

  Which contains a session diagnostic output. Which statement is true about the session diagnostic output?

  A. The session is in SYN_SENT state.
  B. The session is in FIN_ACK state.
  C. The session is in FTN_WAIT state.
  D. The session is in ESTABLISHED state.
  A. The session is in SYN_SENT state.

  ---

  Indicates TCP (proto=6) session in SYN_SENT state (proto=state=2) https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

• Question 37:

  FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

  A. www.example.com:443
  B. www.example.com
  C. example.com
  D. www.example.com/index.html
  B. www.example.com
  C. example.com

  ---

  FortiGate_Security_6.4 page 384

  When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names-- "no URLs or wildcard characters are allowed".

• Question 38:

  Which statement about the policy ID number of a firewall policy is true?

  A. It is required to modify a firewall policy using the CLI.
  B. It represents the number of objects used in the firewall policy.
  C. It changes when firewall policies are reordered.
  D. It defines the order in which rules are processed.
  A. It is required to modify a firewall policy using the CLI.

• Question 39:

  A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

  What is the reason for the failed virus detection by FortiGate?

  A. Application control is not enabled
  B. SSL/SSH Inspection profile is incorrect
  C. Antivirus profile configuration is incorrect
  D. Antivirus definitions are not up to date
  B. SSL/SSH Inspection profile is incorrect

  ---

  https traffic requires SSL decryption. Check the ssh inspection profile

• Question 40:

  Refer to the exhibit.

  

  Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

  A. Destination NAT is disabled in the firewall policy.
  B. One-to-one NAT IP pool is used in the firewall policy.
  C. Overload NAT IP pool is used in the firewall policy.
  D. Port block allocation IP pool is used in the firewall policy.
  B. One-to-one NAT IP pool is used in the firewall policy.

  ---

  FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.