Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.2 Online Questions & Answers

• Question 21:

  Which statement about video filtering on FortiGate is true?

  A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
  B. It does not require a separate FortiGuard license.
  C. Full SSL inspection is not required.
  D. its available only on a proxy-based firewall policy.
  D. its available only on a proxy-based firewall policy.

  ---

  Explanation/Reference:

  FortiGate Security 7.2 Study Guide (p.279): "To apply the video filter profile, proxy-based firewall polices currently allow you to enable the video filter profile. You must enable full SSL inspection on the firewall policy." https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/860867/filtering-based-on-fortiguard-categories

• Question 22:

  Refer to the exhibit.

  In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.

  

  What should the administrator do next, to troubleshoot the problem?

  A. Execute a debug flow.
  B. Capture the traffic using an external sniffer connected to port1.
  C. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".
  D. Run a sniffer on the web server.
  A. Execute a debug flow.

  ---

  Explanation/Reference:

• Question 23:

  Which of the following SD-WAN load balancing method use interface weight value to distribute traffic? (Choose two.)

  A. Source IP
  B. Spillover
  C. Volume
  D. Session
  C. Volume
  D. Session

  ---

  Explanation/Reference:

  https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing

• Question 24:

  An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

  Which FortiGate configuration can achieve this goal?

  A. SSL VPN bookmark
  B. SSL VPN tunnel
  C. Zero trust network access
  D. SSL VPN quick connection
  B. SSL VPN tunnel

  ---

  Explanation/Reference:

  FortiGate Infrastructure 7.2 Study Guide (p.198): "Tunnel mode requires FortiClient to connect to FortiGate. FortiClient adds a virtual network adapter identified as fortissl to the user's PC. This virtual adapter dynamically receives an IP address from FortiGate each time FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is SSL/TLS encapsulated. The main advantage of tunnel mode over web mode is that after the VPN is established, any IP network application running on the client can send traffic through the tunnel."

  An SSL VPN tunnel allows remote users to establish a secure and encrypted Virtual Private Network (VPN) connection to the private network using the SSL/TLS protocol1. An SSL VPN tunnel can provide access to network resources such as FTP servers, as well as external applications running on the user's PC1. An SSL VPN bookmark is a web link that provides access to network resources through the SSL VPN web portal1. It does not support external applications running on the user's PC. Zero trust network access (ZTNA) is a security model that provides role-based application access to remote users without exposing the private network to the internet2. It does not use SSL/TLS protocol, but rather a proprietary ZTNA protocol. SSL VPN quick connection is a feature that allows users to connect to an SSL VPN tunnel without installing FortiClient or any other software on their PC3. It requires a web browser that supports Java or ActiveX. It does not support external applications running on the user's PC.

• Question 25:

  Refer to the exhibit.

  

  The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

  The override setting is enable for the FortiGate with SN FGVM010000064692.

  Which two statements are true? (Choose two.)

  A. FortiGate SN FGVM010000065036 HA uptime has been reset.
  B. FortiGate devices are not in sync because one device is down.
  C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
  D. FortiGate SN FGVM010000064692 has the higher HA priority.
  A. FortiGate SN FGVM010000065036 HA uptime has been reset.
  D. FortiGate SN FGVM010000064692 has the higher HA priority.

  ---

  Explanation/Reference:

  Study Guide

• Question 26:

  Refer to the exhibits.

  

  The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

  A. Change the SSL VPN port on the client.
  B. Change the Server IP address.
  C. Change the idle-timeout.
  D. Change the SSL VPN portal to the tunnel.
  A. Change the SSL VPN port on the client.

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/150494

• Question 27:

  What are two scanning techniques supported by FortiGate? (Choose two.)

  A. Machine learning scan
  B. Antivirus scan
  C. Ransomware scan
  D. Trojan scan
  A. Machine learning scan
  B. Antivirus scan

  ---

  Explanation/Reference:

• Question 28:

  Refer to the exhibit.

  

  An administrator is running a sniffer command as shown in the exhibit.

  Which three pieces of information are included in the sniffer output? (Choose three.)

  A. Interface name
  B. Ethernet header
  C. IP header
  D. Application header
  E. Packet payload
  A. Interface name
  C. IP header
  E. Packet payload

  ---

  Explanation/Reference:

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186

  Study Guide Routing Diagnostics Packet Capture Verbosity Level.

  # diagnose sniffer packet `'

  In the example, verbosity is 5.

  The verbosity level specifies how much info you want to display.

  1 (default): IP Headers.

  2: IP Headers, Packet Payload.

  3. IP Headers, Packet Payload, Ethernet Headers.

  4: IP Headers, Interface Name.

  5: IP Headers, Packet Payload, Interface Name.

  6: IP Headers, Packet Payload, Ethernet Headers, Interface Name.

• Question 29:

  Which scanning technique on FortiGate can be enabled only on the CLI?

  A. Heuristics scan
  B. Trojan scan
  C. Antivirus scan
  D. Ransomware scan
  A. Heuristics scan

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/567568/enabling-scanning

• Question 30:

  Refer to the exhibit showing a debug flow output.

  

  Which two statements about the debug flow output are correct? (Choose two.)

  A. The debug flow is of ICMP traffic.
  B. A firewall policy allowed the connection.
  C. A new traffic session is created.
  D. The default route is required to receive a reply.
  A. The debug flow is of ICMP traffic.
  C. A new traffic session is created.

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow