Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation
NSE4_FGT-7.2 Exam Details
Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 - FortiOS 7.2
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 185 Q&As
Last Updated: May 24, 2026
Fortinet NSE4_FGT-7.2 Online Questions & Answers
Question 101:
Refer to the exhibit.
The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?
A. Change password
B. Enable restrict access to trusted hosts
C. Change Administrator profile
D. Enable two-factor authentication
Question 102:
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The administrator disabled the WebServer firewall policy.
Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?
A. 10.200.1.10
B. 10.0.1.254
C. 10.200.1.1
D. 10.200.3.1
Correct Answer: C. 10.200.1.1
Explanation/Reference:
The traffic flows from LAN to WAN and matches the Full_Access policy, which has NAT enabled, so it uses the IP address of the outgoing interface as its source address. This is simple SNAT.
Question 103:
Refer to the exhibit.
The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
1. The WAN (port1) interface has the IP address 10.200.1.1/24.
2. The LAN (port3) interface has the IP address 10.0.1.254/24.
3. The first firewall policy has NAT enabled using IP Pool.
4. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?
A. 10.200.1.1
B. 10.200.3.1
C. 10.200.1.100
D. 10.200.1.10
Correct Answer: C. 10.200.1.100
Explanation/Reference:
Policy 1 is applied to outbound traffic (LAN-WAN) and policy 2 is applied to inbound traffic (WAN-LAN). The question asks about SNAT for outbound traffic, so policy 1 applies and NAT overload is in effect.
Question 104:
An administrator wants to simplify remote access without asking users to provide user credentials. Which access control method provides this solution?
A. ZTNA IP/MAC filtering mode
B. ZTNA access proxy
C. SSL VPN
D. L2TP
Correct Answer: B. ZTNA access proxy
Explanation/Reference:
FortiGate Infrastructure 7.2 Study Guide (p.165): "ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of VPNs."
This is true because ZTNA access proxy is a feature that allows remote users to access internal applications without requiring VPN or user credentials.
ZTNA access proxy uses a secure tunnel between the user's device and the FortiGate, and authenticates the user based on device identity and context.
The user only needs to install a lightweight agent on their device, and the FortiGate will automatically assign them to the appropriate application group based on their device profile.
This simplifies remote access and enhances security by reducing the attack surface.
Question 105:
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
C. No certificate is required on the remote peer when you set the certificate signature as the authentication method
D. Pre-shared key and certificate signature as authentication methods
Correct Answer:
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
D. Pre-shared key and certificate signature as authentication methods
Explanation/Reference:
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
This is true because extended authentication (XAuth) is a feature that allows FortiGate to request the remote peer to provide a username and password during the IPsec IKEv1 authentication process. XAuth is an extension of the IKEv1 protocol that adds an additional authentication step after the main mode or aggressive mode exchange. XAuth can be used with either pre-shared key or certificate signature as the primary authentication method, and it can provide stronger security and granular access control for IPsec VPNs.
D. Pre-shared key and certificate signature as authentication methods
This is true because pre-shared key and certificate signature are two authentication methods that are supported by FortiGate for IPsec IKEv1 VPNs. Pre-shared key is a method where both peers share a secret key that is used to authenticate each other during the IKEv1 exchange. Certificate signature is a method where both peers have digital certificates that are used to verify each other's identity and public key during the IKEv1 exchange. Both methods can be combined with XAuth for additional authentication.
Question 106:
An administrator is running the following sniffer command:
Which three pieces of information will be included in the sniffer output? (Choose three.)
A. Interface name
B. Packet payload
C. Ethernet header
D. IP header
E. Application header
Correct Answer:
A. Interface name
B. Packet payload
D. IP header
Question 107:
Refer to the exhibit.
The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
A. 10.200.1.149
B. 10.200.1.1
C. 10.200.1.49
D. 10.200.1.99
Correct Answer: D. 10.200.1.99
Question 108:
A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?
A. Implement a web filter category override for the specified website.
B. Implement a DNS filter for the specified website.
C. Implement web filter quotas for the specified website.
D. Implement web filter authentication for the specified website.
Correct Answer: D. Implement web filter authentication for the specified website.
Question 109:
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?
A. 192.168.1.0/24
B. 192.168.0.0/24
C. 192.168.2.0/24
D. 192.168.3.0/24
Correct Answer: C. 192.168.2.0/24
Explanation/Reference:
For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B.
To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A.
Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.
Question 110:
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?
A. 10.0.1.254, 10.0.1.10, and 443, respectively
B. 10.0.1.254, 10.200.1.10, and 443, respectively
C. 10.200.3.1, 10.0.1.10, and 443, respectively
D. 10.0.1.254, 10.0.1.10, and 10443, respectively
Correct Answer: A. 10.0.1.254, 10.0.1.10, and 443, respectively
Explanation/Reference:
Translations:
10.200.3.1 --> 10.0.1.254 because NAT is enabled in the firewall policy
10.200.1.10 --> 10.0.1.10 because the VIP is the destination
10443 --> 443 because port forwarding is enabled on the VIP
Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html