Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.2 Online Questions & Answers

• Question 71:

  Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

  A. By default, FortiGate uses WINS servers to resolve names.
  B. By default, the SSL VPN portal requires the installation of a client's certificate.
  C. By default, split tunneling is enabled.
  D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.
  D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

• Question 72:

  Refer to the exhibit.

  

  Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

  A. Custom permission for Network
  B. Read/Write permission for Log and Report
  C. CLI diagnostics commands permission
  D. Read/Write permission for Firewall
  C. CLI diagnostics commands permission

  ---

  Explanation/Reference:

  https://kb.fortinet.com/kb/documentLink.do?externalID=FD50220

• Question 73:

  What inspection mode does FortiGate use if it is configured as a policy-based next- generation firewall (NGFW)?

  A. Full Content inspection
  B. Proxy-based inspection
  C. Certificate inspection
  D. Flow-based inspection
  D. Flow-based inspection

• Question 74:

  Which timeout setting can be responsible for deleting SSL VPN associated sessions?

  A. SSL VPN idle-timeout
  B. SSL VPN http-request-body-timeout
  C. SSL VPN login-timeout
  D. SSL VPN dtls-hello-timeout
  A. SSL VPN idle-timeout

  ---

  Explanation/Reference:

  Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-disconnection-issues-when-connected-with/ta-p/207851#:~:text=By%20default%2C%20a%20SSL%2DVPN,hours%20due%20to%20auth%2Dtimeout

  The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.

• Question 75:

  Examine this FortiGate configuration: How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

  

  A. It always authorizes the traffic without requiring authentication.
  B. It drops the traffic.
  C. It authenticates the traffic using the authentication scheme SCHEME2.
  D. It authenticates the traffic using the authentication scheme SCHEME1.
  D. It authenticates the traffic using the authentication scheme SCHEME1.

  ---

  Explanation/Reference:

  "What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting"

• Question 76:

  What is the primary FortiGate election process when the HA override setting is disabled?

  A. Connected monitored ports > Priority > HA uptime > FortiGate serial number
  B. Connected monitored ports > System uptime > Priority > FortiGate serial number
  C. Connected monitored ports > Priority > System uptime > FortiGate serial number
  D. Connected monitored ports > HA uptime > Priority > FortiGate serial number
  D. Connected monitored ports > HA uptime > Priority > FortiGate serial number

  ---

  Explanation/Reference:

• Question 77:

  FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.

  Which two other security profiles can you apply to the security policy? (Choose two.)

  A. Antivirus scanning
  B. File filter
  C. DNS filter
  D. Intrusion prevention
  A. Antivirus scanning
  D. Intrusion prevention

  ---

  Explanation/Reference:

  Security policy: If the traffic is allowed as per the consolidated policy, FortiGate will then process it based on the security policy to analyze additional criteria, such as URL categories for web filtering and application control. Also, if enabled, the security policy further inspects traffic using security profiles such as IPS and AV.

• Question 78:

  In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

  A. The IP version of the sources and destinations in a firewall policy must be different.
  B. The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.
  C. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
  D. The IP version of the sources and destinations in a policy must match.
  E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.
  B. The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.
  D. The IP version of the sources and destinations in a policy must match.
  E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

• Question 79:

  What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  B. FortiGate automatically negotiates a new security association after the existing security association expires.
  C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
  D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

  ---

  Explanation/Reference:

  https://kb.fortinet.com/kb/documentLink.do?externalID=12069

  FortiGate Infrastructure 7.2 Study Guide (p.264): "...then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto- negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away." "Another benefit of enabling Auto- negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled."

• Question 80:

  Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

  A. Warning
  B. Exempt
  C. Allow
  D. Learn
  A. Warning
  C. Allow