Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 91:

  Refer to the exhibit, which contains a session diagnostic output.

  

  Which statement is true about the session diagnostic output?

  A. The session is a UDP unidirectional state.

  B. The session is in TCP ESTABLISHED state.

  C. The session is a bidirectional UDP connection.

  D. The session is a bidirectional TCP connection.

  Correct Answer: C

  https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

• Question 92:

  Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

  A. Warning

  B. Exempt

  C. Allow

  D. Learn

  Correct Answer: AC

• Question 93:

  An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

  A. The strict RPF check is run on the first sent and reply packet of any new session.

  B. Strict RPF checks the best route back to the source using the incoming interface.

  C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

  D. Strict RPF allows packets back to sources with all active routes.

  Correct Answer: B

  Strict Reverse Path Forwarding (RPF) is a security feature that is used to detect and prevent IP spoofing attacks on a network. It works by checking the routing information for incoming packets to ensure that they are coming from the source address that is indicated in the packet's header. In strict RPF mode, the firewall will check the best route back to the source of the incoming packet using the incoming interface. If the packet's source address does not match the route back to the source, the packet is dropped. This helps to prevent attackers from spoofing their IP address and attempting to access the network.

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

• Question 94:

  Which two types of traffic are managed only by the management VDOM? (Choose two.)

  A. FortiGuard web filter queries

  B. PKI

  C. Traffic shaping

  D. DNS

  Correct Answer: AD

  FortiGate Infrastructure 7.2 Study Guide (p.73): "What about traffic originating from FortiGate? Some system daemons, such as NTP and FortiGuard updates, generate traffic coming from FortiGate. Traffic coming from FortiGate to those global services originates from the management VDOM. One, and only one, of the VDOMs on a FortiGate device is assigned the role of the management VDOM. It is important to note that the management VDOM designation is solely for traffic originated by FortiGate, such as FortiGuard updates, and has no effect on traffic passing through FortiGate."

• Question 95:

  Refer to the FortiGuard connection debug output.

  

  Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

  A. One server was contacted to retrieve the contract information.

  B. There is at least one server that lost packets consecutively.

  C. A local FortiManager is one of the servers FortiGate communicates with.

  D. FortiGate is using default FortiGuard communication settings

  Correct Answer: AD

• Question 96:

  Which two types of traffic are managed only by the management VDOM? (Choose two.)

  A. FortiGuard web filter queries

  B. PKI

  C. Traffic shaping

  D. DNS

  Correct Answer: AD

• Question 97:

  A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

  What is the reason for the certificate warning errors?

  A. The matching firewall policy is set to proxy inspection mode.

  B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

  C. The full SSL inspection feature does not have a valid license.

  D. The browser does not trust the certificate used by FortiGate for SSL inspection.

  Correct Answer: D

  FortiGate Security 7.2 Study Guide (p.235): "If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser."

• Question 98:

  Examine this PAC file configuration.

  Which of the following statements are true? (Choose two.)

  A. Browsers can be configured to retrieve this PAC file from the FortiGate.

  B. Any web request to the 172.25. 120.0/24 subnet is allowed to bypass the proxy.

  C. All requests not made to Fortinet.com or the 172.25. 120.0/24 subnet, have to go through altproxy.corp.com: 8060.

  D. Any web request fortinet.com is allowed to bypass the proxy.

  Correct Answer: AD

• Question 99:

  An employee needs to connect to the office through a high-latency internet connection.

  Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

  A. idle-timeout

  B. login-timeout

  C. udp-idle-timer

  D. session-ttl

  Correct Answer: B

  FortiGate Infrastructure 7.2 Study Guide (p.222):

  "When connected to SSL VPN over high latency connections, FortiGate can time out the client before the client can finish the negotiation process, such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl

  settings have been added to address this. The first command allows you to set up the login timeout, replacing the previous hard timeout value. The second command allows you to set up the maximum DTLS hello timeout for SSL VPN

  connections."

• Question 100:

  Refer to the exhibits.

  

  An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?

  A. Change the csf setting on ISFW (downstream) to set configuration-sync local.

  B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

  C. Change the csf setting on both devices to set downstream-access enable.

  D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

  Correct Answer: C

  Reference: https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/880913/synchronizing-objects-across-the-security-fabric