NSE4_FGT-7.0 Exam Details

  • Exam Code: NSE4_FGT-7.0
  • Exam Name: Fortinet NSE 4 - FortiOS 7.0
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 172 Q&As
  • Last Updated: May 27, 2026

Fortinet NSE4_FGT-7.0 Online Questions & Answers

  • Question 41:

    Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

    A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
    B. An SA never expires.
    C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
    D. Phase 2 SA expiration can be time-based, volume-based, or both.
    E. Both the phase 1 SA and phase 2 SA are bidirectional.

  • Question 42:

    Refer to the exhibit.

    A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

    Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

    A. On HQ-FortiGate, set IKE mode to Main (ID protection).
    B. On both FortiGate devices, set Dead Peer Detection to On Demand.
    C. On HQ-FortiGate, disable Diffie-Hellman group 2.
    D. On Remote-FortiGate, set port2 as Interface.

  • Question 43:

    Which two statements are true about the FGCP protocol? (Choose two.)

    A. Not used when FortiGate is in Transparent mode
    B. Elects the primary FortiGate device
    C. Runs only over the heartbeat links
    D. Is used to discover FortiGate devices in different HA groups

  • Question 44:

    A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface. Which statement about the VLAN sub interfaces is true?

    A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
    B. The two VLAN sub interfaces must have different VLAN IDs.
    C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
    D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

  • Question 45:

    Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

    A. FortiGuard web filter cache
    B. FortiGate hostname
    C. NTP
    D. DNS

  • Question 46:

    Refer to the exhibit.

    In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit. What should the administrator do next to troubleshoot the problem?

    A. Run a sniffer on the web server.
    B. Capture the traffic using an external sniffer connected to port1.
    C. Execute another sniffer in the FortiGate, this time with the filter "host 10.0.1.10"
    D. Execute a debug flow.

  • Question 47:

    Refer to the exhibit.

    A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

    A. On HQ-FortiGate, enable Auto-negotiate.
    B. On Remote-FortiGate, set Seconds to 43200.
    C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
    D. On HQ-FortiGate, set Encryption to AES256.

  • Question 48:

    Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

    A. The keyUsage extension must be set to keyCertSign.
    B. The common name on the subject field must use a wildcard name.
    C. The issuer must be a public CA.
    D. The CA extension must be set to TRUE.

  • Question 49:

    Refer to the exhibit.

    An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

    A. The Detection Mode setting is not set to Passive.
    B. The administrator didn't configure a gateway for the SD-WAN members, or the configured gateway is not valid.
    C. The configured participants are not SD-WAN members.
    D. The Enable probe packets setting is not enabled.

  • Question 50:

    Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

    A. hard-timeout
    B. auth-on-demand
    C. soft-timeout
    D. new-session
    E. idle-timeout
