Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 1:

  What is the primary FortiGate election process when the HA override setting is disabled?

  A. Connected monitored ports > Priority > HA uptime > FortiGate serial number

  B. Connected monitored ports > System uptime > Priority > FortiGate serial number

  C. Connected monitored ports > Priority > System uptime > FortiGate serial number

  D. Connected monitored ports > HA uptime > Priority > FortiGate serial number

  Correct Answer: D

• Question 2:

  Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

  A. The host field in the HTTP header

  B. The subject alternative name (SAN) field in the server certificate

  C. The subject field in the server certificate

  D. The server name indication (SNI) extension in the client hello message

  E. The serial number in the server certificate

  Correct Answer: BCD

• Question 3:

  Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

  A. hard-timeout

  B. auth-on-demand

  C. soft-timeout

  D. new-session

  E. Idle-timeout

  Correct Answer: ADE

  https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

• Question 4:

  An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must the administrator do to achieve this objective?

  A. The administrator must register the same FortiToken on more than one FortiGate device.

  B. The administrator must use the user self-registration server.

  C. The administrator must use a FortiAuthenticator device.

  D. The administrator must use a third-party RADIUS OTP server.

  Correct Answer: C

• Question 5:

  Refer to the exhibits.

  Exhibit A shows a network diagram. Exhibit B shows the central SNAT policy and IP pool configuration.

  The WAN (port1) interface has the IP address 10.200.1.1/24.

  The LAN (port3) interface has the IP address 10.0.1.254/24.

  A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1).

  Central NAT is enabled, so NAT settings from matching central SNAT policies will be applied.

  

  Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

  A. 10.200.1.99

  B. 10.200.1.1

  C. 10.200.1.49

  D. 10.200.1.149

  Correct Answer: A

• Question 6:

  Refer to the exhibits.

  The exhibits contain a network interface configuration, firewall policies, and a CLI console configuration.

  

  

  How will the FortiGate device handle user authentication for traffic that arrives on the LAN interface?

  A. All users will be prompted for authentication; users from the HR group can authenticate successfully with the correct credentials.

  B. If there is a fall-through policy in place, users will not be prompted for authentication.

  C. All users will be prompted for authentication; users from the sales group can authenticate successfully with the correct credentials.

  D. Authentication is enforced only at a policy level; all users will be prompted for authentication.

  Correct Answer: A

• Question 7:

  Refer to the exhibit.

  In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.

  

  What should the administrator do next, to troubleshoot the problem?

  A. Execute a debug flow.

  B. Capture the traffic using an external sniffer connected to port1.

  C. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".

  D. Run a sniffer on the web server.

  Correct Answer: A

• Question 8:

  How can you disable RPF checking?

  A. Disable fail-detect on the interface level settings.

  B. Disable strict-src-check under system settings.

  C. Unset fail-alert-interfaces on the interface level settings.

  D. Disable src-check on the interface level settings.

  Correct Answer: D

• Question 9:

  Refer to the exhibit.

  The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

  Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.

  

  Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)

  A. In the IP pool configuration, set type to overload. Most Voted

  B. Configure 192.2.0.12/24 as the secondary IP address on port1.

  C. In the firewall policy configuration, disable ippool. Most Voted

  D. In the IP pool configuration, set endip to 192.2.0.12. Most Voted

  E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.

  Correct Answer: ACD

• Question 10:

  Refer to the exhibit to view the firewall policy.

  

  Why would the firewall policy not block a well-known virus, for example eicar?

  A. Web filter is not enabled on the firewall policy to complement the antivirus profile.

  B. The firewall policy is not configured in proxy-based inspection mode.

  C. The firewall policy does not apply deep content inspection.

  D. The action on the firewall policy is not set to deny.

  Correct Answer: C