Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.2 Online Questions & Answers

• Question 41:

  Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

  A. Source defined as Internet Services in the firewall policy.
  B. Destination defined as Internet Services in the firewall policy.
  C. Highest to lowest priority defined in the firewall policy.
  D. Services defined in the firewall policy.
  E. Lowest to highest policy ID number.
  A. Source defined as Internet Services in the firewall policy.
  B. Destination defined as Internet Services in the firewall policy.
  D. Services defined in the firewall policy.

  ---

  Explanation/Reference:

  When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using the following objects:

  1.

  Incoming Interface

  2.

  Outgoing Interface

  3.

  Source: IP address, user, internet services

  4.

  Destination: IP address or internet services

  5.

  Service: IP protocol and port number

  6.

  Schedule: Applies during configured times

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47435

• Question 42:

  Refer to the exhibits.

  Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive- Bandwidth and Apple filter details.

  

  Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

  A. Apple FaceTime will be allowed, based on the Categories configuration.
  B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
  C. Apple FaceTime will be allowed, based on the Apple filter configuration.
  D. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
  B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

  ---

  Explanation/Reference:

  FortiGate Security 7.2 Study Guide (p.310): "Then, FortiGate scans packets for matches, in this order, for the application control profile: 1. Application and filter overrides: If you have configured any application overrides or filter overrides, the application control profile considers those first. It looks for a matching override starting at the top of the list, like firewall policies. 2. Categories: Finally, the application control profile applies the action that you've configured for applications in your selected categories."

• Question 43:

  Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

  

  

  Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

  A. The firewall policy performs the full content inspection on the file.
  B. The flow-based inspection is used, which resets the last packet to the user.
  C. The volume of traffic being inspected is too high for this model of FortiGate.
  D. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.
  B. The flow-based inspection is used, which resets the last packet to the user.

  ---

  Explanation/Reference:

  ONL"; If the virus is detected at the";STAR"; of the connection, the IPS engine sends the block replacement message immediately When a virus is detected on a TCP session (FIRST TIME), but where";SOME PACKET"; have been already forwarded to the receiver, FortiGate "resets the connection" and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that if a "SECOND ATTEMPT" to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again. In flow mode, the FortiGate drops the last packet killing the file. But because of that the block replacement message cannot be displayed. If the file is attempted to download again the block message will be shown.

• Question 44:

  Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

  A. The firmware image must be manually uploaded to each FortiGate.
  B. Only secondary FortiGate devices are rebooted.
  C. Uninterruptable upgrade is enabled by default.
  D. Traffic load balancing is temporally disabled while upgrading the firmware.
  C. Uninterruptable upgrade is enabled by default.
  D. Traffic load balancing is temporally disabled while upgrading the firmware.

• Question 45:

  Which two types of traffic are managed only by the management VDOM? (Choose two.)

  A. FortiGuard web filter queries
  B. PKI
  C. Traffic shaping
  D. DNS
  A. FortiGuard web filter queries
  D. DNS

  ---

  Explanation/Reference:

  FortiGate Infrastructure 7.2 Study Guide (p.73): "What about traffic originating from FortiGate? Some system daemons, such as NTP and FortiGuard updates, generate traffic coming from FortiGate. Traffic coming from FortiGate to those global services originates from the management VDOM. One, and only one, of the VDOMs on a FortiGate device is assigned the role of the management VDOM. It is important to note that the management VDOM designation is solely for traffic originated by FortiGate, such as FortiGuard updates, and has no effect on traffic passing through FortiGate."

• Question 46:

  The IPS engine is used by which three security features? (Choose three.)

  A. Antivirus in flow-based inspection
  B. Web filter in flow-based inspection
  C. Application control
  D. DNS filter
  E. Web application firewall
  A. Antivirus in flow-based inspection
  B. Web filter in flow-based inspection
  C. Application control

  ---

  Explanation/Reference:

  FortiGate Security 7.2 Study Guide (p.385): "The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. It's also responsible for application control, flow-based antivirus protection, web filtering, and email filtering."

• Question 47:

  Refer to the exhibit.

  

  Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  A. The port3 default route has the lowest metric.
  B. The port1 and port2 default routes are active in the routing table.
  C. The ports default route has the highest distance.
  D. There will be eight routes active in the routing table.
  B. The port1 and port2 default routes are active in the routing table.
  C. The ports default route has the highest distance.

  ---

  Explanation/Reference:

  https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-identify-Inactive-Routes-in-the-Routing/ta-p/197595

• Question 48:

  Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

  A. The host field in the HTTP header
  B. The subject alternative name (SAN) field in the server certificate
  C. The subject field in the server certificate
  D. The server name indication (SNI) extension in the client hello message
  E. The serial number in the server certificate
  B. The subject alternative name (SAN) field in the server certificate
  C. The subject field in the server certificate
  D. The server name indication (SNI) extension in the client hello message

  ---

  Explanation/Reference:

• Question 49:

  Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

  A. Web filter in flow-based inspection
  B. Antivirus in flow-based inspection
  C. DNS filter
  D. Web application firewall
  E. Application control
  A. Web filter in flow-based inspection
  B. Antivirus in flow-based inspection
  E. Application control

  ---

  Explanation/Reference:

  https://docs.fortinet.com/document/fortigate/7.0.0/new-features/739623/dns-filter-handled-by-ips-engine-in-flow-mode

• Question 50:

  What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

  A. Virtual IP addresses are used to distinguish between cluster members.
  B. Heartbeat interfaces have virtual IP addresses that are manually assigned.
  C. The primary device in the cluster is always assigned IP address 169.254.0.1.
  D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
  A. Virtual IP addresses are used to distinguish between cluster members.
  D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

  ---

  Explanation/Reference:

  "FGCP automatically assigns the heartbeat IP addresses based on the serial number of each device. The IP address 169.254.0.1 is assigned to the device with the highest serial number."

  "A change in the heartbeat IP addresses may happen when a FortiGate device joins or leaves the cluster."

  "The HA cluster uses the heartbeat IP addresses to distinguish the cluster members and synchronize data."

  https://networkinterview.com/fortigate-ha-high-availability/