Exam Details

  • Exam Code: NSE4_FGT-7.2
  • Exam Name: Fortinet NSE 4 - FortiOS 7.2
  • Certification: NSE4
  • Vendor: Fortinet
  • Total Questions: 174 Q&As
  • Last Updated: May 07, 2024

Fortinet NSE4 NSE4_FGT-7.2 Questions & Answers

  • Question 1:

    Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

    A. Proxy-based inspection

    B. Certificate inspection

    C. Flow-based inspection

    D. Full Content inspection

  • Question 2:

    Refer to the exhibit.

    The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

    An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

    What are two solutions for satisfying the requirement? (Choose two.)

    A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.

    B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.

    C. Set the Freeware and Software Downloads category Action to Warning.

    D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

  • Question 3:

    What are two functions of ZTNA? (Choose two.)

    A. ZTNA manages access through the client only.

    B. ZTNA manages access for remote users only.

    C. ZTNA provides a security posture check.

    D. ZTNA provides role-based access.

  • Question 4:

    Examine this output from a debug flow:

    Why did the FortiGate drop the packet?

    A. The next-hop IP address is unreachable.

    B. It failed the RPF check.

    C. It matched an explicitly configured firewall policy with the action DENY.

    D. It matched the default implicit firewall policy.

  • Question 5:

    Refer to the exhibit.

    The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

    Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

    A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.

    B. FortiGate allocates port blocks on a first-come, first-served basis.

    C. FortiGate generates a system event log for every port block allocation made per user.

    D. FortiGate allocates 128 port blocks per user.

  • Question 6:

    Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

    A. The keyUsage extension must be set to keyCertSign.

    B. The common name on the subject field must use a wildcard name.

    C. The issuer must be a public CA.

    D. The CA extension must be set to TRUE.

  • Question 7:

    Examine this FortiGate configuration:

    How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

    A. It always authorizes the traffic without requiring authentication.

    B. It drops the traffic.

    C. It authenticates the traffic using the authentication scheme SCHEME2.

    D. It authenticates the traffic using the authentication scheme SCHEME1.

  • Question 8:

    An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

    A. The administrator can register the same FortiToken on more than one FortiGate.

    B. The administrator must use a FortiAuthenticator device.

    C. The administrator can use a third-party RADIUS OTP server.

    D. The administrator must use the user self-registration server.

  • Question 9:

    Which statement about the policy ID number of a firewall policy is true?

    A. It is required to modify a firewall policy using the CLI.

    B. It represents the number of objects used in the firewall policy.

    C. It changes when firewall policies are reordered.

    D. It defines the order in which rules are processed.

  • Question 10:

    Refer to the exhibits.

    Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

    Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

    A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

    B. The traffic sourced from the client and destined to the server is sent to FGT-1.

    C. The cluster can load balance ICMP connections to the secondary.

    D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Fortinet exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your NSE4_FGT-7.2 exam preparation and Fortinet certification application, do not hesitate to visit Vcedump.com to find your solutions.