Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 51:

  Which statement is correct regarding the use of application control for inspecting web applications?

  A. Application control can identity child and parent applications, and perform different actions on them.

  B. Application control signatures are organized in a nonhierarchical structure.

  C. Application control does not require SSL inspection to identity web applications.

  D. Application control does not display a replacement message for a blocked web application.

  Correct Answer: A

  Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application control is enabled, FortiGate can identify child and parent applications, and can perform different actions on them based on the configuration.

• Question 52:

  Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

  A. FortiCache

  B. FortiSIEM

  C. FortiAnalyzer

  D. FortiSandbox

  E. FortiCloud

  Correct Answer: BCE

  Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-and-reporting-overview

• Question 53:

  Refer to the exhibit.

  

  The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

  The override setting is enable for the FortiGate with SN FGVM010000064692.

  Which two statements are true? (Choose two.)

  A. FortiGate SN FGVM010000065036 HA uptime has been reset.

  B. FortiGate devices are not in sync because one device is down.

  C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

  D. FortiGate SN FGVM010000064692 has the higher HA priority.

  Correct Answer: AD

  Study Guide

• Question 54:

  Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

  A. To allow for out-of-order packets that could arrive after the FIN/ACK packets

  B. To finish any inspection operations

  C. To remove the NAT operation

  D. To generate logs

  Correct Answer: A

  TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.

• Question 55:

  A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

  What is the reason for the failed virus detection by FortiGate?

  A. The website is exempted from SSL inspection.

  B. The EICAR test file exceeds the protocol options oversize limit.

  C. The selected SSL inspection profile has certificate inspection enabled.

  D. The browser does not trust the FortiGate self-signed CA certificate.

  Correct Answer: AC

  SSL Inspection Profile, on the Inspection method there are 2 options to choose from, SSL Certificate Inspection or Full SSL Inspection. FG SEC 7.2 Studi Guide: Full SSL Inspection level is the only choice that allows antivirus to be effective.

• Question 56:

  Refer to the exhibit.

  The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

  When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

  

  Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

  A. Configure a loopback interface with address 203.0.113.2/32.

  B. In the VIP configuration, enable arp-reply.

  C. Enable port forwarding on the server to map the external service port to the internal service port.

  D. In the firewall policy configuration, enable match-vip.

  Correct Answer: B

  FortiGate Security 7.2 Study Guide (p.115): "Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it's a best practice to keep ARP reply enabled."

• Question 57:

  Refer to the exhibit.

  The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

  An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

  

  What are two solutions for satisfying the requirement? (Choose two.)

  A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.

  B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.

  C. Set the Freeware and Software Downloads category Action to Warning.

  D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

  Correct Answer: BD

  FortiGate Security 7.2 Study Guide (p.268-269): "If you want to make an exception, for example, rather than unblock access to a potentially unwanted category, change the website to an allowed category. You can also do the reverse. You can block a website that belongs to an allowed category." "Static URL filtering is another web filter feature. Configured URLs in the URL filter are checked against the visited websites. If a match is found, the configured action is taken. URL filtering has the same patterns as static domain filtering: simple, regular expressions, and wildcard."

  B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.

  This is true because a web override rating is a feature that allows the administrator to change the FortiGuard category of a specific website or domain, and apply a different action to it based on the web filter profile. By configuring a web

  override rating for download.com and selecting Malicious Websites as the subcategory, the administrator can block access to download.com, which belongs to the Freeware and Software Downloads category by default, without affecting

  other websites in the same category. The Malicious Websites category has the action Block in the web filter profile shown in the exhibit. D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block,

  respectively.

  This is true because a static URL filter entry is a feature that allows the administrator to define custom rules for filtering specific URLs or domains, and apply an action to them based on the web filter profile. By configuring a static URL filter

  entry for download.com with Type and Action set to Wildcard and Block, respectively, the administrator can block access to download.com and any subdomains or paths under it, without affecting other websites in the Freeware and Software

  Downloads category. The static URL filter entries have higher priority than the FortiGuard category based filter entries in the web filter profile.

• Question 58:

  What are two functions of ZTNA? (Choose two.)

  A. ZTNA manages access through the client only.

  B. ZTNA manages access for remote users only.

  C. ZTNA provides a security posture check.

  D. ZTNA provides role-based access.

  Correct Answer: CD

  ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to network resources for users, devices, and applications. It is based on the principle of "never trust, always verify," which means that all

  access to network resources is subject to strict verification and authentication.

  Two functions of ZTNA are:

  ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are attempting to access network resources.

  This can include checks on the device's software and hardware configurations, security settings, and the presence of malware.

  ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are granted access to only those resources that are necessary for their role, and all other access is

  denied.

  This helps to prevent unauthorized access and minimize the risk of data breaches.

  Reference:

  https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/8ddfc8d2-9b21-11ec-9fd1-fa163e15d75b/Zero_Trust_Network_Access-7.0-Deployment_Guide.pdf

• Question 59:

  Which two statements describe how the RPF check is used? (Choose two.)

  A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

  B. The RPF check is run on the first sent and reply packet of any new session.

  C. The RPF check is run on the first sent packet of any new session.

  D. The RPF check is run on the first reply packet of any new session.

  Correct Answer: AC

  FortiGate Infrastructure 7.2 Study Guide (p.41): "The RPF check is a mechanism that protects FortiGate and your network from IP spoofing attacks by checking for a return path to the source in the routing table." "FortiGate performs an RPF check only on the first packet of a new session. That is, after the first packet passes the RPF check and FortiGate accepts the session, FortiGate doesn't perform any additional RPF checks on that session."

  A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks. This is true because the RPF check verifies that the source IP address of an incoming packet matches the reverse route for that address, meaning that the packet came from a legitimate source and not from an attacker who is trying to impersonate another host. This prevents IP spoofing attacks, where an attacker sends packets with a forged source IP address to bypass security policies or launch denial-of-service attacks1 C. The RPF check is run on the first sent packet of any new session. This is true because the RPF check is performed only once per session, on the first packet sent by either the client or the server, depending on the direction of the session initiation. This reduces the processing overhead and improves performance2

• Question 60:

  FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.

  Which two other security profiles can you apply to the security policy? (Choose two.)

  A. Antivirus scanning

  B. File filter

  C. DNS filter

  D. Intrusion prevention

  Correct Answer: AD

  Security policy: If the traffic is allowed as per the consolidated policy, FortiGate will then process it based on the security policy to analyze additional criteria, such as URL categories for web filtering and application control. Also, if enabled, the security policy further inspects traffic using security profiles such as IPS and AV.