Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 111:

  Which statement about video filtering on FortiGate is true?

  A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

  B. It does not require a separate FortiGuard license.

  C. Full SSL inspection is not required.

  D. its available only on a proxy-based firewall policy.

  Correct Answer: D

  FortiGate Security 7.2 Study Guide (p.279): "To apply the video filter profile, proxy-based firewall polices currently allow you to enable the video filter profile. You must enable full SSL inspection on the firewall policy." https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/860867/filtering-based-on-fortiguard-categories

• Question 112:

  Refer to the exhibits.

  Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

  The WAN (port1) interface has the IP address 10.200.1.1/24.

  The LAN (port3) interface has the IP address 10.0.1.254/24.

  

  If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  A. 10.0.1.254, 10.0.1.10, and 443, respectively

  B. 10.0.1.254, 10.200.1.10, and 443, respectively

  C. 10.200.3.1, 10.0.1.10, and 443, respectively

  D. 10.0.1.254, 10.0.1.10, and 10443, respectively

  Correct Answer: A

  Translations:

  10.200.3.1 --> 10.0.1.254 because NAT enable in firewall policy

  10.200.1.10 --> 10.0.1.10 because VIP as Destination 10443 --> 443 because Port Forwarding enabled on VIP

  Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

• Question 113:

  Which statement about video filtering on FortiGate is true?

  A. Full SSL Inspection is not required.

  B. It is available only on a proxy-based firewall policy.

  C. It inspects video files hosted on file sharing services.

  D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

  Correct Answer: B

  Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering

• Question 114:

  An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

  Which FortiGate configuration can achieve this goal?

  A. SSL VPN bookmark

  B. SSL VPN tunnel

  C. Zero trust network access

  D. SSL VPN quick connection

  Correct Answer: B

  FortiGate Infrastructure 7.2 Study Guide (p.198): "Tunnel mode requires FortiClient to connect to FortiGate. FortiClient adds a virtual network adapter identified as fortissl to the user's PC. This virtual adapter dynamically receives an IP address from FortiGate each time FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is SSL/TLS encapsulated. The main advantage of tunnel mode over web mode is that after the VPN is established, any IP network application running on the client can send traffic through the tunnel."

  An SSL VPN tunnel allows remote users to establish a secure and encrypted Virtual Private Network (VPN) connection to the private network using the SSL/TLS protocol1. An SSL VPN tunnel can provide access to network resources such as FTP servers, as well as external applications running on the user's PC1. An SSL VPN bookmark is a web link that provides access to network resources through the SSL VPN web portal1. It does not support external applications running on the user's PC. Zero trust network access (ZTNA) is a security model that provides role-based application access to remote users without exposing the private network to the internet2. It does not use SSL/TLS protocol, but rather a proprietary ZTNA protocol. SSL VPN quick connection is a feature that allows users to connect to an SSL VPN tunnel without installing FortiClient or any other software on their PC3. It requires a web browser that supports Java or ActiveX. It does not support external applications running on the user's PC.

• Question 115:

  If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

  A. The Services field prevents SNAT and DNAT from being combined in the same policy.

  B. The Services field is used when you need to bundle several VIPs into VIP groups.

  C. The Services field removes the requirement to create multiple VIPs for different services.

  D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

  Correct Answer: C

• Question 116:

  Which of statement is true about SSL VPN web mode?

  A. The tunnel is up while the client is connected.

  B. It supports a limited number of protocols.

  C. The external network application sends data through the VPN.

  D. It assigns a virtual IP address to the client.

  Correct Answer: B

  FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.

• Question 117:

  Refer to the exhibit.

  

  The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.

  The WAN (port1) interface has the IP address 10.200. 1. 1/24.

  The LAN (port3) interface has the IP address 10.0. 1.254/24.

  A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).

  Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

  Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0. 1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

  A. 10.200. 1. 149

  B. 10.200. 1. 1

  C. 10.200. 1.49

  D. 10.200. 1.99

  Correct Answer: D

• Question 118:

  An administrator wants to simplify remote access without asking users to provide user credentials. Which access control method provides this solution?

  A. ZTNA IP/MAC filtering mode

  B. ZTNA access proxy

  C. SSL VPN

  D. L2TP

  Correct Answer: B

  FortiGate Infrastructure 7.2 Study Guide (p.165): "ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of VPNs."

  This is true because ZTNA access proxy is a feature that allows remote users to access internal applications without requiring VPN or user credentials.

  ZTNA access proxy uses a secure tunnel between the user's device and the FortiGate, and authenticates the user based on device identity and context.

  The user only needs to install a lightweight agent on their device, and the FortiGate will automatically assign them to the appropriate application group based on their device profile.

  This simplifies remote access and enhances security by reducing the attack surface12

• Question 119:

  Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

  A. The firmware image must be manually uploaded to each FortiGate.

  B. Only secondary FortiGate devices are rebooted.

  C. Uninterruptable upgrade is enabled by default.

  D. Traffic load balancing is temporally disabled while upgrading the firmware.

  Correct Answer: CD

• Question 120:

  What is a reason for triggering IPS fail open?

  A. The IPS socket buffer is full and the IPS engine cannot process additional packets.

  B. The IPS engine cannot decode a packet.

  C. The IPS engine is upgraded.

  D. The administrator enabled NTurbo acceleration.

  Correct Answer: A