Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.2 Online Questions & Answers

• Question 131:

  View the exhibit.

  

  Which of the following statements are correct? (Choose two.)

  A. This setup requires at least two firewall policies with the action set to IPsec.
  B. Dead peer detection must be disabled to support this type of IPsec setup.
  C. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
  D. This is a redundant IPsec setup.
  C. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
  D. This is a redundant IPsec setup.

  ---

  Explanation/Reference:

  https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/632796/ospf-with-ipsec-vpn-for-network-redundancy

• Question 132:

  Refer to the exhibit.

  

  Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

  A. Traffic between port2 and port2-vlan1 is allowed by default.
  B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
  C. port1 is a native VLAN.
  D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
  C. port1 is a native VLAN.
  D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

  ---

  Explanation/Reference:

  https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration- and-VDOM-interf https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883

• Question 133:

  What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  A. It limits the scanning of application traffic to the DNS protocol only.
  B. It limits the scanning of application traffic to use parent signatures only.
  C. It limits the scanning of application traffic to the browser-based technology category only.
  D. It limits the scanning of application traffic to the application category only.
  C. It limits the scanning of application traffic to the browser-based technology category only.

  ---

  Explanation/Reference:

  FortiGate Security 7.2 Study Guide (p.317): "You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website."

• Question 134:

  Refer to the exhibit.

  An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

  

  What is the impact of using the Include in every user group option in a RADIUS configuration?

  A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
  B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
  C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
  D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
  A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/634373/authentication-servers

• Question 135:

  Refer to the exhibits.

  The exhibits show a network diagram and firewall configurations.

  An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

  

  In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  A. Disable match-vip in the Deny policy.
  B. Set the Destination address as Deny_IP in the Allow-access policy.
  C. Enable match vip in the Deny policy.
  D. Set the Destination address as Web_server in the Deny policy.
  B. Set the Destination address as Deny_IP in the Allow-access policy.
  C. Enable match vip in the Deny policy.

  ---

  Explanation/Reference:

  https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641

  The exhibits show a network diagram and firewall configurations for a FortiGate unit that has two policies: Allow_access and Deny. The Allow_access policy allows traffic from the WAN (port1) interface to the LAN (port3) interface with the destination address of VIP and the service of HTTPS. The VIP object maps the external IP address 10.200.1.10 and port 10443 to the internal IP address 10.0.1.10 and port 443 of the Webserver. The Deny policy denies traffic from the WAN (port1) interface to the LAN (port3) interface with the source address of Deny_IP and the destination address of All. In this scenario, the administrator wants to deny Webserver access for Remote-User2, who has the IP address 10.200.3.2, which is included in the Deny_IP address object. Remote- User1, who has the IP address 10.200.3.1, must be able to access the Webserver. To achieve this goal, the administrator can make two changes to deny Webserver access for Remote-User2: Set the Destination address as Webserver in the Deny policy. This will make the Deny policy more specific and match only the traffic that is destined for the Webserver's internal IP address, instead of any destination address. Enable matchvip in the Deny policy. This will make the Deny policy apply to traffic that matches a VIP object, instead of ignoring it1. This way, the Deny policy will block Remote-User2's traffic that uses the VIP object's external IP address and port.

• Question 136:

  Refer to the exhibit.

  

  Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

  A. The signature setting uses a custom rating threshold.
  B. The signature setting includes a group of other signatures.
  C. Traffic matching the signature will be allowed and logged.
  D. Traffic matching the signature will be silently dropped and logged.
  D. Traffic matching the signature will be silently dropped and logged.

  ---

  Explanation/Reference:

  Select Block to silently drop traffic matching any of the signatures included in the entry. So, while the default action would be 'Pass' for this signature the administrator is specifically overriding that to set the Block action. To use the default action the setting would have to be 'Default'.

  Action is drop, signature default action is listed only in the signature, it would only match if action was set to default.

• Question 137:

  Refer to the exhibit showing a debug flow output.

  

  What two conclusions can you make from the debug flow output? (Choose two.)

  A. The debug flow is for ICMP traffic.
  B. The default route is required to receive a reply.
  C. Anew traffic session was created.
  D. A firewall policy allowed the connection.
  A. The debug flow is for ICMP traffic.
  C. Anew traffic session was created.

  ---

  Explanation/Reference:

  The debug flow output shows the result of a diagnose command that captures the traffic flow between the source and destination IP addresses1. The debug flow output reveals the following information about the traffic flow1:

  The protocol is 1, which means that the traffic uses ICMP protocol2. ICMP is a protocol that is used to send error messages and test connectivity between devices2.

  The session state is 0, which means that a new traffic session was created3. A session is a data structure that stores information about a connection between two devices3.

  The policy ID is 1, which means that the traffic matched the firewall policy with ID

  14. A firewall policy is a rule that defines how FortiGate processes traffic based on the source, destination, service, and action parameters4. The action is 0, which means that the traffic was allowed by the firewall policy. An action is a

  parameter that specifies what FortiGate does with the traffic that matches a firewall policy.

  Therefore, two conclusions that can be made from the debug flow output are:

  The debug flow is for ICMP traffic.

  A new traffic session was created.

• Question 138:

  When configuring a firewall virtual wire pair policy, which following statement is true?

  A. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
  B. Only a single virtual wire pair can be included in each policy.
  C. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
  D. Exactly two virtual wire pairs need to be included in each policy.
  A. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

  ---

  Explanation/Reference:

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48690

• Question 139:

  If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

  A. A CRL
  B. A person
  C. A subordinate CA
  D. A root CA
  D. A root CA

• Question 140:

  Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

  A. diagnose wad session list
  B. diagnose wad session list | grep hook-preandandhook-out
  C. diagnose wad session list | grep hook=preandandhook=out
  D. diagnose wad session list | grep "hook=pre"and"hook=out"
  A. diagnose wad session list