Fortinet NSE4_FGT-7.0 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.0 Online Questions & Answers

• Question 71:

  Which of the following statements about central NAT are true? (Choose two.)

  A. IP tool references must be removed from existing firewall policies before enabling central NAT.
  B. Central NAT can be enabled or disabled from the CLI only.
  C. Source NAT, using central NAT, requires at least one central SNAT policy.
  D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
  A. IP tool references must be removed from existing firewall policies before enabling central NAT.
  B. Central NAT can be enabled or disabled from the CLI only.

• Question 72:

  Which of the following SD-WAN load 璪alancing method use interface weight value to distribute traffic? (Choose two.)

  A. Source IP
  B. Spillover
  C. Volume
  D. Session
  C. Volume
  D. Session

  ---

  https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing

• Question 73:

  Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

  A. The security actions applied on the web applications will also be explicitly applied on the third-party websites.
  B. The application signature database inspects traffic only from the original web application server.
  C. FortiGuard maintains only one signature of each web application that is unique.
  D. FortiGate can inspect sub-application traffic regardless where it was originated.
  D. FortiGate can inspect sub-application traffic regardless where it was originated.

  ---

  Reference: https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/300_System/303d_FortiGuard.htm

• Question 74:

  Which scanning technique on FortiGate can be enabled only on the CLI?

  A. Heuristics scan
  B. Trojan scan
  C. Antivirus scan
  D. Ransomware scan
  A. Heuristics scan

  ---

  Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/567568/enabling-scanning

• Question 75:

  Refer to the exhibit.

  

  The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

  The WAN (port1) interface has the IP address 10.200.1.1/24.

  The LAN (port3) interface has the IP address 10 .0.1.254. /24.

  The first firewall policy has NAT enabled using IP Pool.

  The second firewall policy is configured with a VIP as the destination address.

  Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

  A. 10.200.1.1
  B. 10.200.3.1
  C. 10.200.1.100
  D. 10.200.1.10
  A. 10.200.1.1

  ---

  Reference: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/Static%20NAT.htm https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529

• Question 76:

  If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

  A. A CRL
  B. A person
  C. A subordinate CA
  D. A root CA
  D. A root CA

• Question 77:

  Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

  A. FortiGate points the collector agent to use a remote LDAP server.
  B. FortiGate uses the AD server as the collector agent.
  C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
  D. FortiGate queries AD by using the LDAP to retrieve user group information.
  C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
  D. FortiGate queries AD by using the LDAP to retrieve user group information.

  ---

  Fortigate Infrastructure 7.0 Study Guide P.272-273 https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

• Question 78:

  In which two ways can RPF checking be disabled? (Choose two )

  A. Enable anti-replay in firewall policy.
  B. Disable the RPF check at the FortiGate interface level for the source check
  C. Enable asymmetric routing.
  D. Disable strict-arc-check under system settings.
  C. Enable asymmetric routing.
  D. Disable strict-arc-check under system settings.

  ---

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

• Question 79:

  Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

  A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
  B. The client FortiGate requires a manually added route to remote subnets.
  C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
  C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

  ---

  Reference: https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/266506/ssl-vpn-with-certificate-authentication

• Question 80:

  Refer to the exhibit.

  

  Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

  A. There are five devices that are part of the security fabric.
  B. Device detection is disabled on all FortiGate devices.
  C. This security fabric topology is a logical topology view.
  D. There are 19 security recommendations for the security fabric.
  C. This security fabric topology is a logical topology view.
  D. There are 19 security recommendations for the security fabric.

  ---

  https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/761085/results https://docs.fortinet.com/document/fortimanager/6.2.0/new-features/736125/security-fabric-topology