Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 101:

  Which two configuration settings are synchronized when FortiGate devices are in an active- active HA cluster? (Choose two.)

  A. FortiGuard web filter cache

  B. FortiGate hostname

  C. NTP

  D. DNS

  Correct Answer: CD

  In the 7.2 Infrastructure Guide (page 306) the list of configuration settings that are NOT synchronized includes both 'FortiGate host name' and 'Cache'

• Question 102:

  Refer to the exhibit.

  

  Which contains a session diagnostic output. Which statement is true about the session diagnostic output?

  A. The session is in SYN_SENT state.

  B. The session is in FIN_ACK state.

  C. The session is in FTN_WAIT state.

  D. The session is in ESTABLISHED state.

  Correct Answer: A

  Indicates TCP (proto=6) session in SYN_SENT state (proto=state=2) https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

• Question 103:

  What inspection mode does FortiGate use if it is configured as a policy-based next- generation firewall (NGFW)?

  A. Full Content inspection

  B. Proxy-based inspection

  C. Certificate inspection

  D. Flow-based inspection

  Correct Answer: D

• Question 104:

  If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

  A. IP address

  B. No other object can be added

  C. FQDN address

  D. User or User Group

  Correct Answer: B

  FortiGate Security 7.2 Study Guide (p.59): "When configuring your firewall policy, you can use Internet Service as the destination in a firewall policy, which contains all the IP addresses, ports, and protocols used by that service. For the same reason, you cannot mix regular address objects with ISDB objects, and you cannot select services on a firewall policy. The ISDB objects already have services information, which is hardcoded."

  This is true because Internet Service is a special type of destination object that can only be used alone in a firewall policy. Internet Service is a feature that allows FortiGate to identify and filter traffic based on the internet service or application that it belongs to, such as Facebook, YouTube, Skype, etc. Internet Service uses a database of IP addresses and ports that are associated with each internet service or application, and updates it regularly from FortiGuard. When Internet Service is selected as the destination in a firewall policy, FortiGate will match the traffic to the corresponding internet service or application, and apply the appropriate action and security profiles to it. However, Internet Service cannot be combined with any other destination object, such as IP address, FQDN address, user or user group, etc., as this would create a conflict or ambiguity in the firewall policy. Therefore, no other object can be added if Internet Service is already selected as the destination in a firewall policy

• Question 105:

  A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

  What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  A. Static IP Address

  B. Dialup User

  C. Dynamic DNS

  D. Pre-shared Key

  Correct Answer: B

  Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup clien and this is often the case for branch offices and mobile VPN clients that use dynamic IP address and no dynamic DNS

• Question 106:

  Which statement correctly describes the use of reliable logging on FortiGate?

  A. Reliable logging is enabled by default in all configuration scenarios.

  B. Reliable logging is required to encrypt the transmission of logs.

  C. Reliable logging can be configured only using the CLI.

  D. Reliable logging prevents the loss of logs when the local disk is full.

  Correct Answer: B

  FortiGate Security 7.2 Study Guide (p.192): "if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecure network. You can choose the level of SSL protection used by configuring the enc-algorithm setting on the CLI."

• Question 107:

  Which two statements are true when FortiGate is in transparent mode? (Choose two.)

  A. By default, all interfaces are part of the same broadcast domain.

  B. The existing network IP schema must be changed when installing a transparent mode.

  C. Static routes are required to allow traffic to the next hop.

  D. FortiGate forwards frames without changing the MAC address.

  Correct Answer: AD

  Reference: https://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdfanddo cumentID=FD33113

• Question 108:

  Refer to the exhibits.

  Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive- Bandwidth and Apple filter details.

  

  Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

  A. Apple FaceTime will be allowed, based on the Categories configuration.

  B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

  C. Apple FaceTime will be allowed, based on the Apple filter configuration.

  D. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

  Correct Answer: B

  FortiGate Security 7.2 Study Guide (p.310): "Then, FortiGate scans packets for matches, in this order, for the application control profile: 1. Application and filter overrides: If you have configured any application overrides or filter overrides, the application control profile considers those first. It looks for a matching override starting at the top of the list, like firewall policies. 2. Categories: Finally, the application control profile applies the action that you've configured for applications in your selected categories."

• Question 109:

  FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?

  A. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.

  B. The two VLAN subinterfaces must have different VLAN IDs.

  C. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

  D. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.

  Correct Answer: CD

  Reference: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans

• Question 110:

  Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

  A. Source defined as Internet Services in the firewall policy.

  B. Destination defined as Internet Services in the firewall policy.

  C. Highest to lowest priority defined in the firewall policy.

  D. Services defined in the firewall policy.

  E. Lowest to highest policy ID number.

  Correct Answer: ABD

  When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using the following objects:

  1.

  Incoming Interface

  2.

  Outgoing Interface

  3.

  Source: IP address, user, internet services

  4.

  Destination: IP address or internet services

  5.

  Service: IP protocol and port number

  6.

  Schedule: Applies during configured times

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47435