Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation
NSE4_FGT-7.2 Exam Details
Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 - FortiOS 7.2
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 185 Q&As
Last Updated: May 24, 2026
Fortinet NSE4_FGT-7.2 Online Questions & Answers
Question 111:
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.
What is the reason for the failed virus detection by FortiGate?
A. The website is exempted from SSL inspection. B. The EICAR test file exceeds the protocol options oversize limit. C. The selected SSL inspection profile has certificate inspection enabled. D. The browser does not trust the FortiGate self-signed CA certificate.
C. The selected SSL inspection profile has certificate inspection enabled.
Explanation/Reference:
An SSL inspection profile offers two inspection methods: SSL certificate inspection and full SSL inspection. Certificate inspection only looks at the server certificate and the SNI in the TLS handshake; the application payload stays encrypted, so antivirus never sees the EICAR file inside the HTTPS download. The FortiGate Security 7.2 Study Guide states that full SSL inspection is the only choice that makes antivirus (and other content inspection) effective on encrypted traffic. The scenario says nothing about an exemption, and browser trust in the FortiGate CA only matters once full inspection is in use, so the enabled certificate inspection method is the reason.
Question 112:
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
1. All traffic must be routed through the primary tunnel when both tunnels are up
2. The secondary tunnel must be used only if the primary tunnel goes down
3. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel. B. Enable Dead Peer Detection. C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
B. Enable Dead Peer Detection. C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
Explanation/Reference:
Study Guide, IPsec VPN, phase 1 network settings:
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination and you want to fail over to a backup connection when the primary connection fails, to keep connectivity between the sites up.
There are three DPD modes: disable, on-idle, and on-demand. On-demand is the default; it only sends probes when FortiGate sends traffic and receives nothing back, whereas on-idle probes whenever the tunnel is idle, so it detects a dead peer even when no user traffic is flowing.
Study Guide, IPsec VPN, redundant VPNs:
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or a lower priority value than the backup). Alternatively, use dynamic routing.
Configure firewall policies for each IPsec interface.
The static route for the primary tunnel is only active while that tunnel interface is up; once DPD declares the peer dead and brings the interface down, the route is withdrawn and the higher-distance route through the secondary tunnel takes over. Option A inverts the distances and would make the secondary tunnel the preferred path.
Question 113:
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.
Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?
A. Configure a loopback interface with address 203.0.113.2/32. B. In the VIP configuration, enable arp-reply. C. Enable port forwarding on the server to map the external service port to the internal service port. D. In the firewall policy configuration, enable match-vip.
B. In the VIP configuration, enable arp-reply.
Explanation/Reference:
FortiGate Security 7.2 Study Guide (p.115): "Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it's a best practice to keep ARP reply enabled."
The decisive clue is the empty sniffer output: the packets for 203.0.113.2 never reach FortiGate at all. That is consistent with the ISP router treating the VIP address as directly connected and sending ARP requests for it, which FortiGate only answers when arp-reply is enabled on the VIP. A loopback interface, port forwarding, or match-vip would not change whether the upstream router can resolve the address.
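The FortiOS CLI below is an added example, not configuration from the original page or from the exhibit: it shows a VIP for the public address in question 113 with ARP reply enabled, the inbound policy that references it, and the two sniffer checks a practitioner would run to confirm the fix. The VIP name, the interface names port1 and port3, the mapped server address 10.0.1.10, and the policy ID are assumptions.

```fortios
# Added example (not from the page). Names, interfaces, mapped IP and policy ID are assumed.
config firewall vip
    edit "web-server-vip"
        set extip 203.0.113.2
        set extintf "port1"
        set mappedip "10.0.1.10"
        # Without this, FortiGate ignores ARP requests for 203.0.113.2 and an
        # upstream router that treats the address as on-link cannot forward to it.
        set arp-reply enable
    next
end

config firewall policy
    edit 20
        set name "Internet-to-web-server"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

# Check 1: the upstream router's ARP request for the VIP address should now be answered.
diagnose sniffer packet port1 'arp and host 203.0.113.2' 4
# Check 2: client traffic should now arrive on port1 and leave port3 translated to the server.
diagnose sniffer packet any 'host 203.0.113.2 and tcp port 80' 4
```

Verbosity level 4 prints the interface name with each packet, so the second capture shows both the untranslated packet arriving on port1 and the translated copy leaving on port3; if only the ARP requests are visible and no replies, the VIP is still not answering for its address.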
Question 114:
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. How must the administrator configure the local quick mode selector for site B?
A. 192.168.3.0/24 B. 192.168.2.0/24 C. 192.168.1.0/24 D. 192.168.0.0/8
B. 192.168.2.0/24
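The following FortiOS CLI is an added example, not configuration taken from the original page or from Fortinet's study guide. It shows the site A side of the redundant design from question 112 (one phase 1 per tunnel with DPD, one phase 2 per phase 1, two static routes that differ only in distance, and policies that reference both tunnel interfaces) and uses the quick mode selectors from question 114, which site B must mirror. The interface names wan1, wan2 and lan, the tunnel and address object names, the peer addresses 198.51.100.2 and 203.0.113.10, the pre-shared key, and the route and policy IDs are all assumptions for illustration.

```fortios
# Site A of the redundant design. Added example; names, addresses and IDs are assumed.
# Local LAN 192.168.1.0/24, remote (site B) LAN 192.168.2.0/24.
config firewall address
    edit "LAN_A"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "LAN_B"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# One phase 1 per tunnel, DPD enabled on both. on-idle probes whenever the tunnel is
# idle, so a dead peer is noticed even with no user traffic; on-demand (the default)
# only probes when outbound traffic gets no reply.
config vpn ipsec phase1-interface
    edit "toB-primary"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 198.51.100.2
        set psksecret "ExamplePSK-change-me"
    next
    edit "toB-backup"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 203.0.113.10
        set psksecret "ExamplePSK-change-me"
    next
end

# One phase 2 per phase 1. Site B mirrors these selectors:
# src-subnet 192.168.2.0/24 and dst-subnet 192.168.1.0/24.
config vpn ipsec phase2-interface
    edit "toB-primary-p2"
        set phase1name "toB-primary"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    edit "toB-backup-p2"
        set phase1name "toB-backup"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Two static routes to the same destination. The distance-10 route wins while the
# primary tunnel interface is up; when DPD brings it down, that route is withdrawn
# and the distance-20 route through the backup tunnel takes over.
config router static
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set device "toB-primary"
        set distance 10
    next
    edit 11
        set dst 192.168.2.0 255.255.255.0
        set device "toB-backup"
        set distance 20
    next
end

# Policies must list both tunnel interfaces, or traffic over the backup tunnel is dropped.
config firewall policy
    edit 100
        set name "LAN-A-to-LAN-B"
        set srcintf "lan"
        set dstintf "toB-primary" "toB-backup"
        set srcaddr "LAN_A"
        set dstaddr "LAN_B"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 101
        set name "LAN-B-to-LAN-A"
        set srcintf "toB-primary" "toB-backup"
        set dstintf "lan"
        set srcaddr "LAN_B"
        set dstaddr "LAN_A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify failover, run `get router info routing-table all` before and after pulling wan1: the 192.168.2.0/24 entry should move from toB-primary to toB-backup within a few DPD retry intervals, and `diagnose vpn ike gateway list` shows the primary gateway leaving the established state. Using priority instead of distance would keep both routes in the routing table with the primary preferred, which is what you want if the backup path must also be reachable for monitoring.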
Question 115:
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)
A. FortiGate points the collector agent to use a remote LDAP server. B. FortiGate uses the AD server as the collector agent. C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. D. FortiGate queries AD by using the LDAP to retrieve user group information.
C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. D. FortiGate queries AD by using the LDAP to retrieve user group information.
Question 116:
Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?
A. The session is in SYN_SENT state. B. The session is in FIN_ACK state. C. The session is in FIN_WAIT state. D. The session is in ESTABLISHED state.
A. The session is in SYN_SENT state.
Explanation/Reference:
The output shows proto=6 (TCP) with proto_state=02. For TCP sessions, proto_state is a two-digit code with one digit per side of the session, and the value 2 denotes SYN_SENT (1 is ESTABLISHED, 4 is FIN_WAIT). A session at 02 has therefore only seen the client's SYN so far, and no SYN/ACK has been matched to it. Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042
Question 117:
Refer to the FortiGuard connection debug output.
Based on the output shown in the exhibit, which two statements are correct? (Choose two.)
A. One server was contacted to retrieve the contract information. B. There is at least one server that lost packets consecutively. C. A local FortiManager is one of the servers FortiGate communicates with. D. FortiGate is using default FortiGuard communication settings
A. One server was contacted to retrieve the contract information. D. FortiGate is using default FortiGuard communication settings
Question 118:
If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?
A. IP address B. No other object can be added C. FQDN address D. User or User Group
B. No other object can be added
Explanation/Reference:
FortiGate Security 7.2 Study Guide (p.59): "When configuring your firewall policy, you can use Internet Service as the destination in a firewall policy, which contains all the IP addresses, ports, and protocols used by that service. For the same reason, you cannot mix regular address objects with ISDB objects, and you cannot select services on a firewall policy. The ISDB objects already have services information, which is hardcoded."
Internet Service (ISDB) objects bundle the IP addresses, ports and protocols used by a given service, and FortiGuard refreshes that data regularly. Because the port and protocol information is already embedded in the object, a policy with an Internet Service destination has no separate Service field and cannot mix the ISDB object with regular address or FQDN objects in the same destination field; users and user groups belong to the source side of the policy in any case. So once Internet Service is selected as the destination, no other destination object can be added.
Question 119:
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. It limits the scope of application control to the browser-based technology category only. B. It limits the scope of application control to scan application traffic based on application category only. C. It limits the scope of application control to scan application traffic using parent signatures only. D. It limits the scope of application control to scan application traffic on DNS protocol only.
B. It limits the scope of application control to scan application traffic based on application category only.
Question 120:
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the central SNAT policy and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching central SNAT policies will be applied.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
A. 10.200.1.99 B. 10.200.1.1 C. 10.200.1.49 D. 10.200.1.149
Certification exams are increasingly required by employers when you apply for a job. How can you prepare effectively, in a short time and with less effort, get a good result, and find reliable resources? On Vcedump.com you will find the answers.
Vcedump.com provides not only Fortinet exam questions, answers and explanations but also assistance with exam preparation and certification application. If you are unsure about your NSE4_FGT-7.2 exam preparation or Fortinet certification application, visit Vcedump.com to find your solutions.