Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation
NSE4_FGT-7.2 Exam Details
Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 - FortiOS 7.2
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 185 Q&As
Last Updated: May 24, 2026
Fortinet NSE4_FGT-7.2 Online Questions & Answers
Question 31:
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?
A. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.
B. The two VLAN subinterfaces must have different VLAN IDs.
C. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.
D. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.
C. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet. D. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.
Which statement about the policy ID number of a firewall policy is true?
A. It is required to modify a firewall policy using the CLI.
B. It represents the number of objects used in the firewall policy.
C. It changes when firewall policies are reordered.
D. It defines the order in which rules are processed.
A. It is required to modify a firewall policy using the CLI.
Question 33:
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)
A. In the IP pool configuration, set type to overload.
B. Configure 192.2.0.12/24 as the secondary IP address on port1.
C. In the firewall policy configuration, disable ippool.
D. In the IP pool configuration, set endip to 192.2.0.12.
E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
A. In the IP pool configuration, set type to overload. C. In the firewall policy configuration, disable ippool. D. In the IP pool configuration, set endip to 192.2.0.12.
Question 34:
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
A. System time
B. FortiGuard update servers
C. Operating mode
D. NGFW mode
C. Operating mode D. NGFW mode
Explanation/Reference:
C: "Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate."
D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide
Question 35:
Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
A. 10.200.1.10
B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
C. 10.200.1.1
D. 10.0.1.254
Which statement regarding the firewall policy authentication timeout is true?
A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.
A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
Question 37:
Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)
A. DNS
B. ping
C. udp-echo
D. TWAMP
C. udp-echo D. TWAMP
Question 38:
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?
A. DNS-based web filter and proxy-based web filter
B. Static URL filter, FortiGuard category filter, and advanced filters
C. Static domain filter, SSL inspection filter, and external connectors filters
D. FortiGuard category filter and rating filter
B. Static URL filter, FortiGuard category filter, and advanced filters
Explanation/Reference:
FortiGate Security 7.2 Study Guide (p.285): "Remember that the web filtering profile has several features. So, if you have enabled many of them, the inspection order flows as follows:
1. The local static URL filter
2. FortiGuard category filtering (to determine a rating)
3. Advanced filters (such as safe search or removing Active X components)"
Reference: https://fortinet121.rssing.com/chan-67705148/all_p1.html
Question 39:
Which two types of traffic are managed only by the management VDOM? (Choose two.)
A. FortiGuard web filter queries
B. PKI
C. Traffic shaping
D. DNS
A. FortiGuard web filter queries D. DNS
Question 40:
Refer to the exhibit, which contains a network diagram and routing table output.
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?
A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.