Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 11:

  Examine the exhibit, which contains a virtual IP and firewall policy configuration.

  

  The WAN (port1) interface has the IP address 10.200.1.1/24.

  The LAN (port2) interface has the IP address 10.0.1.254/24.

  The first firewall policy has NAT enabled on the outgoing interface address.

  The second firewall policy is configured with a VIP as the destination address.

  Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

  A. 10.200.1.10

  B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24 66 of 108

  C. 10.200.1.1

  D. 10.0.1.254

  Correct Answer: A

  https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.

• Question 12:

  Refer to the exhibit.

  

  The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

  1.

  The WAN (port1) interface has the IP address 10.200. 1. 1/24.

  2.

  The LAN (port3) interface has the IP address 10 .0.1.254. /24.

  3.

  The first firewall policy has NAT enabled using IP Pool.

  4.

  The second firewall policy is configured with a VIP as the destination address.

  Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

  A. 10.200.1.1

  B. 10.200.3.1

  C. 10.200.1.100

  D. 10.200.1.10

  Correct Answer: C

  Policy 1 is applied on outbound (LAN-WAN) and policy 2 is applied on inbound (WAN- LAN). question is asking SNAT for outbound traffic so policy 1 will take place and NAT overload is in effect.

• Question 13:

  Which three methods are used by the collector agent for AD polling? (Choose three.)

  A. FortiGate polling

  B. NetAPI

  C. Novell API

  D. WMI

  E. WinSecLog

  Correct Answer: BDE

  FortiGate Infrastructure 7.2 Study Guide (p.127-128): "As previously stated, collector agent-based polling mode has three methods (or options) for collecting login information. The order on the slide from left to right shows most recommend to

  least recommended:

  (WMI, WinSecLog, and NetAPI)"

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

• Question 14:

  What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  A. It limits the scope of application control to the browser-based technology category only.

  B. It limits the scope of application control to scan application traffic based on application category only.

  C. It limits the scope of application control to scan application traffic using parent signatures only

  D. It limits the scope of application control to scan application traffic on DNS protocol only.

  Correct Answer: B

• Question 15:

  Refer to the exhibit.

  

  Which contains a network diagram and routing table output.

  The Student is unable to access Webserver.

  What is the cause of the problem and what is the solution for the problem?

  A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

  B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

  C. The first reply packet for Student failed the RPF check . This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.

  D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.

  Correct Answer: D

• Question 16:

  Which two statements ate true about the Security Fabric rating? (Choose two.)

  A. It provides executive summaries of the four largest areas of security focus.

  B. Many of the security issues can be fixed immediately by clicking Apply where available.

  C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

  D. The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

  Correct Answer: BC

  Reference: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/292634/security-rating

• Question 17:

  The exhibit shows the configuration for the SD-WAN member, Performance SLA, and SD-WAN Rule, as well as the output of diagnose sys virtual-wan-link health-check.

  

  Which interface will be selected as an outgoing interface?

  A. port2

  B. port3

  C. port4

  D. port1

  Correct Answer: A

  To determine the best path for traffic in Fortinet's SD-WAN implementation, a "lowest cost" algorithm is used that considers the cost metric associated with each available WAN link. In this case, Port 4 and 3 are eliminated due to packet loss,

  leaving Port 1 and Port 2 as the available paths.

  The next stage of elimination is based on the highest cost. Port 1 has a high cost of 15, which makes it less desirable than Port 2. Therefore, Port 1 is eliminated, and Port 2 is selected as the winner.

• Question 18:

  Refer to the exhibits.

  The exhibits contain a network diagram, virtual IP, IP pool, and firewall policies configuration.

  

  The WAN (port1) interface has the IP address 10.200.1.1/24.

  The LAN (port3) interface has the IP address 10.0.1.254/24.

  The first firewall policy has NAT enabled using IP Pool.

  The second firewall policy is configured with a VIP as the destination address.

  Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

  A. 10.200.1.100

  B. 10.200.1.10

  C. 10.200.1.1

  D. 10.200.3.1

  Correct Answer: A

  Policy 1 is applied on outbound (LAN-WAN) and policy 2 is applied on inbound (WAN-LAN). question is asking SNAT for outbound traffic so policy 1 will take place and NAT overload is in effect.

• Question 19:

  Refer to the exhibits.

  Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

  The WAN (port1) interface has the IP address 10.200.1.1/24.

  The LAN (port3) interface has the IP address 10.0.1.254/24.

  The administrator disabled the WebServer firewall policy.

  

  

  Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

  A. 10.200.1.10

  B. 10.0.1.254

  C. 10.200.1.1

  D. 10.200.3.1

  Correct Answer: C

  Traffic is coming from LAN to WAN, matches policy Full_Access which has NAT enable, so traffic uses source IP address of outgoing interface. Simple SNAT.

• Question 20:

  To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

  A. FortiManager

  B. Root FortiGate

  C. FortiAnalyzer

  D. Downstream FortiGate

  Correct Answer: B