Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 121:

  What are two functions of the ZTNA rule? (Choose two.)

  A. It redirects the client request to the access proxy.

  B. It applies security profiles to protect traffic.

  C. It defines the access proxy.

  D. It enforces access control.

  Correct Answer: BD

  A ZTNA rule is a policy that enforces access control and applies security profiles to protect traffic between the client and the access proxy1. A ZTNA rule defines the following parameters1:

  Incoming interface: The interface that receives the client request.

  Source: The address and user group of the client.

  ZTNA tag: The tag that identifies the domain that the client belongs to. ZTNA server: The server that hosts the access proxy. Destination: The address of the application that the client wants to access. Action: The action to take for the traffic

  that matches the rule. It can be accept, deny, or redirect.

  Security profiles: The security features to apply to the traffic, such as antivirus, web filter, application control, and so on.

  A ZTNA rule does not redirect the client request to the access proxy. That is the function of a policy route that matches the ZTNA tag and sends the traffic to the ZTNA server2. A ZTNA rule does not define the access proxy. That is done by

  creating a ZTNA server object that specifies the IP address, port, and certificate of the access proxy3.

  FortiGate Infrastructure 7.2 Study Guide (p.177): "A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust role- based access. To create a rule, type a rule name, and add IP

  addresses and ZTNA tags or tag groups that are allowed or blocked access. You also select the ZTNA server as the destination. You can also apply security profiles to protect this traffic."

• Question 122:

  Refer to the exhibit.

  

  The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

  A. Change password

  B. Enable restrict access to trusted hosts

  C. Change Administrator profile

  D. Enable two-factor authentication

  Correct Answer: C

  Reference: https://kb.fortinet.com/kb/documentLink .do?externalID=FD34502

• Question 123:

  Refer to the exhibit.

  

  Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

  A. Traffic between port2 and port2-vlan1 is allowed by default.

  B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

  C. port1 is a native VLAN.

  D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

  Correct Answer: CD

  https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration- and-VDOM-interf https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883

• Question 124:

  Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services.

  

  Which CLI command must the administrator use to view the route?

  A. get router info routing-table database

  B. diagnose firewall route list

  C. get internet-service route list

  D. get router info routing-table all

  Correct Answer: B

  ISDB static route will not create entry directly in routing-table. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for- Predefined-Internet/ta-p/198756 and here https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching- policy-route/ta-p/190640

  FortiGate Infrastructure 7.2 Study Guide (p.16 and p.59): "Even though they are configured as static routes, ISDB routes are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table." "FortiOS maintains a policy route table that you can view by running the diagnose firewall proute list command."

• Question 125:

  Refer to the exhibit.

  

  Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  A. The port3 default route has the lowest metric.

  B. The port1 and port2 default routes are active in the routing table.

  C. The ports default route has the highest distance.

  D. There will be eight routes active in the routing table.

  Correct Answer: BC

  https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-identify-Inactive-Routes-in-the-Routing/ta-p/197595

• Question 126:

  Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  A. SSH

  B. HTTPS

  C. FTM

  D. FortiTelemetry

  Correct Answer: AB

  Reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

• Question 127:

  Refer to the exhibit.

  

  A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

  A. On HQ-FortiGate, enable Auto-negotiate.

  B. On Remote-FortiGate, set Seconds to 43200.

  C. On HQ-FortiGate, enable Diffie-Hellman Group 2.

  D. On HQ-FortiGate, set Encryption to AES256.

  Correct Answer: D

  Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495

  Encryption and authentication algorithm needs to match in order for IPSEC be successfully established.

• Question 128:

  An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192. 16. 1.0/24 and the remote quick mode selector is 192. 16.2.0/24. How must the administrator configure the local quick mode selector for site B?

  A. 192. 168.3.0/24

  B. 192. 168.2.0/24

  C. 192. 168. 1.0/24

  D. 192. 168.0.0/8

  Correct Answer: B

• Question 129:

  Refer to the exhibits.

  The exhibits show a network diagram and firewall configurations.

  An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

  

  In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  A. Disable match-vip in the Deny policy.

  B. Set the Destination address as Deny_IP in the Allow-access policy.

  C. Enable match vip in the Deny policy.

  D. Set the Destination address as Web_server in the Deny policy.

  Correct Answer: BC

  https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641

  The exhibits show a network diagram and firewall configurations for a FortiGate unit that has two policies: Allow_access and Deny. The Allow_access policy allows traffic from the WAN (port1) interface to the LAN (port3) interface with the destination address of VIP and the service of HTTPS. The VIP object maps the external IP address 10.200.1.10 and port 10443 to the internal IP address 10.0.1.10 and port 443 of the Webserver. The Deny policy denies traffic from the WAN (port1) interface to the LAN (port3) interface with the source address of Deny_IP and the destination address of All. In this scenario, the administrator wants to deny Webserver access for Remote-User2, who has the IP address 10.200.3.2, which is included in the Deny_IP address object. Remote- User1, who has the IP address 10.200.3.1, must be able to access the Webserver. To achieve this goal, the administrator can make two changes to deny Webserver access for Remote-User2: Set the Destination address as Webserver in the Deny policy. This will make the Deny policy more specific and match only the traffic that is destined for the Webserver's internal IP address, instead of any destination address. Enable matchvip in the Deny policy. This will make the Deny policy apply to traffic that matches a VIP object, instead of ignoring it1. This way, the Deny policy will block Remote-User2's traffic that uses the VIP object's external IP address and port.

• Question 130:

  Which two statements explain antivirus scanning modes? (Choose two.)

  A. In proxy-based inspection mode, files bigger than the buffer size are scanned.

  B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

  C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

  D. In flow-based inspection mode, files bigger than the buffer size are scanned.

  Correct Answer: BC

  An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM-- something that no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses pass through.

  FortiGate Security 7.2 Study Guide (p.350 and 352): "In flow-based inspection mode, the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Because the file is ransmitted simultaneously, flow-based mode consumes more CPU cycles than proxy-based." "Each protocol's proxy picks up a connection and buffers the entire file first (or waits until the oversize limit is reached) before scanning. The client must wait for the scanning to finish."