Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.2 Online Questions & Answers

• Question 61:

  How can you disable RPF checking?

  A. Disable fail-detect on the interface level settings.
  B. Disable strict-src-check under system settings.
  C. Unset fail-alert-interfaces on the interface level settings.
  D. Disable src-check on the interface level settings.
  D. Disable src-check on the interface level settings.

  ---

  Explanation/Reference:

• Question 62:

  If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?

  A. IP address
  B. Once Internet Service is selected, no other object can be added
  C. User or User Group
  D. FQDN address
  B. Once Internet Service is selected, no other object can be added

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy

• Question 63:

  Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

  A. The keyUsage extension must be set to keyCertSign.
  B. The common name on the subject field must use a wildcard name.
  C. The issuer must be a public CA.
  D. The CA extension must be set to TRUE.
  A. The keyUsage extension must be set to keyCertSign.
  D. The CA extension must be set to TRUE.

  ---

  Explanation/Reference:

  "In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign." Reference: https://www.reddit.com/r/fortinet/comments/c7j6jg/recommended_ssl_cert/

• Question 64:

  Refer to the web filter raw logs.

  

  Based on the raw logs shown in the exhibit, which statement is correct?

  A. Social networking web filter category is configured with the action set to authenticate.
  B. The action on firewall policy ID 1 is set to warning.
  C. Access to the social networking web filter category was explicitly blocked to all users.
  D. The name of the firewall policy is all_users_web.
  A. Social networking web filter category is configured with the action set to authenticate.

• Question 65:

  What are two functions of the ZTNA rule? (Choose two.)

  A. It redirects the client request to the access proxy.
  B. It applies security profiles to protect traffic.
  C. It defines the access proxy.
  D. It enforces access control.
  B. It applies security profiles to protect traffic.
  D. It enforces access control.

  ---

  Explanation/Reference:

  A ZTNA rule is a policy that enforces access control and applies security profiles to protect traffic between the client and the access proxy1. A ZTNA rule defines the following parameters1:

  Incoming interface: The interface that receives the client request.

  Source: The address and user group of the client.

  ZTNA tag: The tag that identifies the domain that the client belongs to. ZTNA server: The server that hosts the access proxy. Destination: The address of the application that the client wants to access. Action: The action to take for the traffic

  that matches the rule. It can be accept, deny, or redirect.

  Security profiles: The security features to apply to the traffic, such as antivirus, web filter, application control, and so on.

  A ZTNA rule does not redirect the client request to the access proxy. That is the function of a policy route that matches the ZTNA tag and sends the traffic to the ZTNA server2. A ZTNA rule does not define the access proxy. That is done by

  creating a ZTNA server object that specifies the IP address, port, and certificate of the access proxy3.

  FortiGate Infrastructure 7.2 Study Guide (p.177): "A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust role- based access. To create a rule, type a rule name, and add IP

  addresses and ZTNA tags or tag groups that are allowed or blocked access. You also select the ZTNA server as the destination. You can also apply security profiles to protect this traffic."

• Question 66:

  A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

  What is the reason for the certificate warning errors?

  A. The matching firewall policy is set to proxy inspection mode.
  B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
  C. The full SSL inspection feature does not have a valid license.
  D. The browser does not trust the certificate used by FortiGate for SSL inspection.
  D. The browser does not trust the certificate used by FortiGate for SSL inspection.

  ---

  Explanation/Reference:

  FortiGate Security 7.2 Study Guide (p.235): "If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser."

• Question 67:

  Refer to the exhibit.

  A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

  

  Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

  A. On Remote-FortiGate, set Seconds to 43200.
  B. On HQ-FortiGate, set Encryption to AES256.
  C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
  D. On HQ-FortiGate, enable Auto-negotiate.
  B. On HQ-FortiGate, set Encryption to AES256.

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495

• Question 68:

  Refer to the exhibit.

  

  The exhibit shows the IPS sensor configuration.

  If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

  A. The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.
  B. The sensor will block all attacks aimed at Windows servers.
  C. The sensor will reset all connections that match these signatures.
  D. The sensor will gather a packet log for all matched traffic.
  A. The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.
  B. The sensor will block all attacks aimed at Windows servers.

• Question 69:

  Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  A. SSH
  B. HTTPS
  C. FTM
  D. FortiTelemetry
  A. SSH
  B. HTTPS

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

• Question 70:

  An administrator configures outgoing interface any in a firewall policy. What is the result of the policy list view?

  A. Search option is disabled.
  B. Policy lookup is disabled.
  C. By Sequence view is disabled.
  D. Interface Pair view is disabled.
  D. Interface Pair view is disabled.

  ---

  Explanation/Reference:

  "If you use multiple source or destination interfaces, or the any interface in a firewall policy, you cannot separate policies into sections by interface pairs--some would be triplets or more. So instead, policies are then always displayed in a single list (By Sequence)."