Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.2 Online Questions & Answers

• Question 161:

  An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

  A. The interface has been configured for one-arm sniffer.
  B. The interface is a member of a virtual wire pair.
  C. The operation mode is transparent.
  D. The interface is a member of a zone.
  E. Captive portal is enabled in the interface.
  A. The interface has been configured for one-arm sniffer.
  B. The interface is a member of a virtual wire pair.
  C. The operation mode is transparent.

  ---

  Explanation/Reference:

  https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

• Question 162:

  What are two features of collector agent advanced mode? (Choose two.)

  A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
  B. In advanced mode, security profiles can be applied only to user groups, not individual users.
  C. Advanced mode uses the Windows convention--NetBios: Domain\Username.
  D. Advanced mode supports nested or inherited groups.
  A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
  D. Advanced mode supports nested or inherited groups.

  ---

  Explanation/Reference:

  In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate. This is true because advanced mode allows FortiGate to query the LDAP server directly for user information and group membership, without relying on the collector agent. This enables FortiGate to apply security policies based on LDAP group filters, which can be configured on FortiGate1 Advanced mode supports nested or inherited groups. This is true because advanced mode can handle complex group structures, such as nested groups or inherited groups, where a user belongs to a group that is a member of another group. This allows FortiGate to apply security policies based on the effective group membership of a user, not just the direct group membership1

  FortiGate Infrastructure 7.2 Study Guide (p.146): "Also, advanced mode supports nested or inherited groups; that is, users can be members of subgroups that belong to monitored parent groups." "In advanced mode, you can configure FortiGate as an LDAP client and configure the group filters on FortiGate. You can also configure group filters on the collector agent."

• Question 163:

  Refer to the exhibit.

  The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

  An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

  

  What are two solutions for satisfying the requirement? (Choose two.)

  A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
  B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
  C. Set the Freeware and Software Downloads category Action to Warning.
  D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
  B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
  D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

  ---

  Explanation/Reference:

  FortiGate Security 7.2 Study Guide (p.268-269): "If you want to make an exception, for example, rather than unblock access to a potentially unwanted category, change the website to an allowed category. You can also do the reverse. You can block a website that belongs to an allowed category." "Static URL filtering is another web filter feature. Configured URLs in the URL filter are checked against the visited websites. If a match is found, the configured action is taken. URL filtering has the same patterns as static domain filtering: simple, regular expressions, and wildcard."

  B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.

  This is true because a web override rating is a feature that allows the administrator to change the FortiGuard category of a specific website or domain, and apply a different action to it based on the web filter profile. By configuring a web

  override rating for download.com and selecting Malicious Websites as the subcategory, the administrator can block access to download.com, which belongs to the Freeware and Software Downloads category by default, without affecting

  other websites in the same category. The Malicious Websites category has the action Block in the web filter profile shown in the exhibit. D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block,

  respectively.

  This is true because a static URL filter entry is a feature that allows the administrator to define custom rules for filtering specific URLs or domains, and apply an action to them based on the web filter profile. By configuring a static URL filter

  entry for download.com with Type and Action set to Wildcard and Block, respectively, the administrator can block access to download.com and any subdomains or paths under it, without affecting other websites in the Freeware and Software

  Downloads category. The static URL filter entries have higher priority than the FortiGuard category based filter entries in the web filter profile.

• Question 164:

  FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

  A. www.example.com:443
  B. www.example.com
  C. example.com
  D. www.example.com/index.html
  B. www.example.com
  C. example.com

  ---

  Explanation/Reference:

  When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names - no URLs or wildcard characters are allowed.

  OK: google.com or www.google.com

  NO OK: www.google.com/index.html or google.*

  FortiGate_Security_6.4 page 384

  When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names-- "no URLs or wildcard characters

  are allowed".

• Question 165:

  If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

  A. The Services field prevents SNAT and DNAT from being combined in the same policy.
  B. The Services field is used when you need to bundle several VIPs into VIP groups.
  C. The Services field removes the requirement to create multiple VIPs for different services.
  D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.
  C. The Services field removes the requirement to create multiple VIPs for different services.

• Question 166:

  Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

  A. Antivirus engine
  B. Intrusion prevention system engine
  C. Flow engine
  D. Detection engine
  B. Intrusion prevention system engine

  ---

  Explanation/Reference:

  Reference: http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control

• Question 167:

  FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

  In this scenario, what are two requirements for the VLAN ID? (Choose two.)

  A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
  B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
  C. The two VLAN subinterfaces must have different VLAN IDs.
  D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
  B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
  C. The two VLAN subinterfaces must have different VLAN IDs.

  ---

  Explanation/Reference:

  https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883

  When FortiGate is operating in NAT mode, it means that it uses network address translation (NAT) to modify the source or destination IP addresses of the traffic passing through it1. NAT mode allows FortiGate to hide the IP addresses of the internal network from the external network, and to conserve IP addresses by using a single public IP address for multiple private IP addresses1. A virtual LAN (VLAN) subinterface is a logical interface that allows traffic from different VLANs to enter and exit the FortiGate unit2. A VLAN subinterface is created by adding a VLAN ID to a physical interface or an aggregate interface2. A VLAN ID is a numerical identifier that distinguishes one VLAN from another2. In this scenario, there are two requirements for the VLAN ID of the VLAN subinterfaces added to the same physical interface: The two VLAN subinterfaces must have different VLAN IDs. This is because the VLAN ID is used to tag the traffic with the appropriate VLAN information, and to separate the traffic into different VLANs2. If the two VLAN subinterfaces have the same VLAN ID, they will not be able to distinguish the traffic from each other, and they will not be able to forward the traffic to the correct destination. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs. This is because VDOMs are virtual instances of FortiGate that can have their own interfaces, policies, and routing tables3. Each VDOM operates independently from other VDOMs, and can have its own VLAN subinterfaces with different or identical VLAN IDs3. However, this requires inter-VDOM links to allow traffic between different VDOMs3.

• Question 168:

  An administrator wants to configure timeouts for users. Regardless of the userTMs behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?

  A. auth-on-demand
  B. soft-timeout
  C. idle-timeout
  D. new-session
  E. hard-timeout
  E. hard-timeout

  ---

  Explanation/Reference:

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221#:~:text=Hard%20timeout%3A%20User%20 https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Firewall/ta-p/189423

• Question 169:

  Refer to the exhibit to view the application control profile.

  

  

  

  

  Based on the configuration, what will happen to Apple FaceTime?

  A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration
  B. Apple FaceTime will be allowed, based on the Apple filter configuration.
  C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
  D. Apple FaceTime will be allowed, based on the Categories configuration.
  A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

  ---

  Explanation/Reference:

• Question 170:

  Refer to the exhibit.

  The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

  

  Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

  A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
  B. FortiGate allocates port blocks on a first-come, first-served basis.
  C. FortiGate generates a system event log for every port block allocation made per user.
  D. FortiGate allocates 128 port blocks per user.
  B. FortiGate allocates port blocks on a first-come, first-served basis.
  C. FortiGate generates a system event log for every port block allocation made per user.

  ---

  Explanation/Reference:

  FortiGate Security 7.2 Study Guide (p.109): "FortiGate allocates port blocks on a first-come, first-served basis." "For logging purposes, when FortiGate allocates a port block to a host, it generates a system event log to inform the administrator."