Exam Details

  • Exam Code: NSE4_FGT-7.2
  • Exam Name: Fortinet NSE 4 - FortiOS 7.2
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 185 Q&As
  • Last Updated: Jun 12, 2025

Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

  • Question 61:

    An administrator wants to configure Dead Peer Detection (DPD) on an IPsec VPN to detect dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

    Which DPD mode on FortiGate will meet the above requirement?

    A. Disabled

    B. On Demand

    C. Enabled

    D. On Idle

  • Question 62:

    Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)

    A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

    B. ADVPN is only supported with IKEv2.

    C. Tunnels are negotiated dynamically between spokes.

    D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

  • Question 63:

    In an explicit proxy setup, where is the authentication method and database configured?

    A. Proxy Policy

    B. Authentication Rule

    C. Firewall Policy

    D. Authentication scheme

  • Question 64:

    Refer to the exhibit showing a debug flow output.

    What two conclusions can you make from the debug flow output? (Choose two.)

    A. The debug flow is for ICMP traffic.

    B. The default route is required to receive a reply.

    C. A new traffic session was created.

    D. A firewall policy allowed the connection.

  • Question 65:

    Refer to the exhibit.

    The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

    The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet.

    The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.

    With this configuration, which statement is true?

    A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

    B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

    C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

    D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

  • Question 66:

    Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

    A. By default, FortiGate uses WINS servers to resolve names.

    B. By default, the SSL VPN portal requires the installation of a client's certificate.

    C. By default, split tunneling is enabled.

    D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

  • Question 67:

    An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

    A. Configure Source IP Pools.

    B. Configure split tunneling in tunnel mode.

    C. Configure different SSL VPN realms.

    D. Configure host check.

  • Question 68:

    Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

    A. Antivirus engine

    B. Intrusion prevention system engine

    C. Flow engine

    D. Detection engine

  • Question 69:

    A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

    A. Implement a web filter category override for the specified website.

    B. Implement a DNS filter for the specified website.

    C. Implement web filter quotas for the specified website.

    D. Implement web filter authentication for the specified website.

  • Question 70:

    An administrator must disable RPF check to investigate an issue.

    Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

    A. Enable asymmetric routing, so the RPF check will be bypassed.

    B. Disable the RPF check at the FortiGate interface level for the source check.

    C. Disable the RPF check at the FortiGate interface level for the reply check.

    D. Enable asymmetric routing at the interface level.
