Fortinet Fortinet Certifications NSE4_FGT-7.2 Questions & Answers

• Question 71:

  FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

  In this scenario, what are two requirements for the VLAN ID? (Choose two.)

  A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

  B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

  C. The two VLAN subinterfaces must have different VLAN IDs.

  D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

  Correct Answer: BC

  https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883

  When FortiGate is operating in NAT mode, it means that it uses network address translation (NAT) to modify the source or destination IP addresses of the traffic passing through it1. NAT mode allows FortiGate to hide the IP addresses of the internal network from the external network, and to conserve IP addresses by using a single public IP address for multiple private IP addresses1. A virtual LAN (VLAN) subinterface is a logical interface that allows traffic from different VLANs to enter and exit the FortiGate unit2. A VLAN subinterface is created by adding a VLAN ID to a physical interface or an aggregate interface2. A VLAN ID is a numerical identifier that distinguishes one VLAN from another2. In this scenario, there are two requirements for the VLAN ID of the VLAN subinterfaces added to the same physical interface: The two VLAN subinterfaces must have different VLAN IDs. This is because the VLAN ID is used to tag the traffic with the appropriate VLAN information, and to separate the traffic into different VLANs2. If the two VLAN subinterfaces have the same VLAN ID, they will not be able to distinguish the traffic from each other, and they will not be able to forward the traffic to the correct destination. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs. This is because VDOMs are virtual instances of FortiGate that can have their own interfaces, policies, and routing tables3. Each VDOM operates independently from other VDOMs, and can have its own VLAN subinterfaces with different or identical VLAN IDs3. However, this requires inter-VDOM links to allow traffic between different VDOMs3.

• Question 72:

  Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

  A. Proxy-based inspection

  B. Certificate inspection

  C. Flow-based inspection

  D. Full Content inspection

  Correct Answer: AC

• Question 73:

  If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

  A. A CRL

  B. A person

  C. A subordinate CA

  D. A root CA

  Correct Answer: D

• Question 74:

  Refer to the exhibit.

  The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

  

  Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

  A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.

  B. FortiGate allocates port blocks on a first-come, first-served basis.

  C. FortiGate generates a system event log for every port block allocation made per user.

  D. FortiGate allocates 128 port blocks per user.

  Correct Answer: BC

  FortiGate Security 7.2 Study Guide (p.109): "FortiGate allocates port blocks on a first-come, first-served basis." "For logging purposes, when FortiGate allocates a port block to a host, it generates a system event log to inform the administrator."

• Question 75:

  Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

  A. The keyUsage extension must be set to keyCertSign.

  B. The common name on the subject field must use a wildcard name.

  C. The issuer must be a public CA.

  D. The CA extension must be set to TRUE.

  Correct Answer: AD

  "In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign." Reference: https://www.reddit.com/r/fortinet/comments/c7j6jg/recommended_ssl_cert/

• Question 76:

  Which statement about the policy ID number of a firewall policy is true?

  A. It is required to modify a firewall policy using the CLI.

  B. It represents the number of objects used in the firewall policy.

  C. It changes when firewall policies are reordered.

  D. It defines the order in which rules are processed.

  Correct Answer: A

• Question 77:

  An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

  A. The administrator can register the same FortiToken on more than one FortiGate.

  B. The administrator must use a FortiAuthenticator device

  C. The administrator can use a third-party radius OTP server.

  D. The administrator must use the user self-registration server.

  Correct Answer: B

• Question 78:

  Examine this output from a debug flow:

  

  Why did the FortiGate drop the packet?

  A. The next-hop IP address is unreachable.

  B. It failed the RPF check .

  C. It matched an explicitly configured firewall policy with the action DENY.

  D. It matched the default implicit firewall policy.

  Correct Answer: D

  https://kb.fortinet.com/kb/documentLink.do?externalID=13900 https://www.fortinetguru.com/2016/03/what-is-policy-id-0-and-why-lot-of-denied-traffic-on-this-policy/

• Question 79:

  Which two statements are correct about NGFW Policy-based mode? (Choose two.)

  A. NGFW policy-based mode does not require the use of central source NAT policy

  B. NGFW policy-based mode can only be applied globally and not on individual VDOMs

  C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

  D. NGFW policy-based mode policies support only flow inspection

  Correct Answer: CD

• Question 80:

  What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  A. FortiGate automatically negotiates different local and remote addresses with the remote peer.

  B. FortiGate automatically negotiates a new security association after the existing security association expires.

  C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

  D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

  Correct Answer: D

  https://kb.fortinet.com/kb/documentLink.do?externalID=12069

  FortiGate Infrastructure 7.2 Study Guide (p.264): "...then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto- negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away." "Another benefit of enabling Auto- negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled."