Fortinet NSE4_FGT-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE4_FGT-7.2 Online Questions & Answers

• Question 81:

  An administrator has configured the following settings:

  

  What are the two results of this configuration? (Choose two.)

  A. Device detection on all interfaces is enforced for 30 minutes.
  B. Denied users are blocked for 30 minutes.
  C. A session for denied traffic is created.
  D. The number of logs generated by denied traffic is reduced.
  C. A session for denied traffic is created.
  D. The number of logs generated by denied traffic is reduced.

  ---

  Explanation/Reference:

  ses-denied-traffic Enable/disable including denied session in the session table. https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/20620/config-system-settings

  block-session-timer Duration in seconds for blocked sessions . integer Minimum value: 1 Maximum value: 300 https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/1620/config-system-global

  Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328

• Question 82:

  Refer to the exhibits.

  The exhibits contain a network diagram, virtual IP, IP pool, and firewall policies configuration.

  

  The WAN (port1) interface has the IP address 10.200.1.1/24.

  The LAN (port3) interface has the IP address 10.0.1.254/24.

  The first firewall policy has NAT enabled using IP Pool.

  The second firewall policy is configured with a VIP as the destination address.

  Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

  A. 10.200.1.100
  B. 10.200.1.10
  C. 10.200.1.1
  D. 10.200.3.1
  A. 10.200.1.100

  ---

  Explanation/Reference:

  Policy 1 is applied on outbound (LAN-WAN) and policy 2 is applied on inbound (WAN-LAN). question is asking SNAT for outbound traffic so policy 1 will take place and NAT overload is in effect.

• Question 83:

  Refer to the exhibit.

  

  Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

  A. Destination NAT is disabled in the firewall policy.
  B. One-to-one NAT IP pool is used in the firewall policy.
  C. Overload NAT IP pool is used in the firewall policy.
  D. Port block allocation IP pool is used in the firewall policy.
  B. One-to-one NAT IP pool is used in the firewall policy.

  ---

  Explanation/Reference:

  FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.

• Question 84:

  Refer to the exhibit.

  

  Based on the ZTNA tag, the security posture of the remote endpoint has changed. What will happen to endpoint active ZTNA sessions?

  A. They will be re-evaluated to match the endpoint policy.
  B. They will be re-evaluated to match the firewall policy.
  C. They will be re-evaluated to match the ZTNA policy.
  D. They will be re-evaluated to match the security policy.
  C. They will be re-evaluated to match the ZTNA policy.

  ---

  Explanation/Reference:

  https://docs.fortinet.com/document/fortigate/7.0.0/new-features/580880/posture-check-verification-for-active-ztna-proxy-session-7-0-2

  FortiGate Infrastructure 7.2 Study Guide (p.182): "Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant with the ZTNA policy."

• Question 85:

  Refer to the exhibit.

  

  Based on the raw log, which two statements are correct? (Choose two.)

  A. Traffic is blocked because Action is set to DENY in the firewall policy.
  B. Traffic belongs to the root VDOM.
  C. This is a security log.
  D. Log severity is set to error on FortiGate.
  B. Traffic belongs to the root VDOM.
  C. This is a security log.

  ---

  Explanation/Reference:

• Question 86:

  Which two statements are correct about SLA targets? (Choose two.)

  A. You can configure only two SLA targets per one Performance SLA.
  B. SLA targets are optional.
  C. SLA targets are required for SD-WAN rules with a Best Quality strategy.
  D. SLA targets are used only when referenced by an SD-WAN rule.
  B. SLA targets are optional.
  D. SLA targets are used only when referenced by an SD-WAN rule.

  ---

  Explanation/Reference:

  Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/382233/performance-sla-sla-targets

• Question 87:

  Which two statements explain antivirus scanning modes? (Choose two.)

  A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
  B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
  C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
  D. In flow-based inspection mode, files bigger than the buffer size are scanned.
  B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
  C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

  ---

  Explanation/Reference:

  An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM-- something that no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses pass through.

  FortiGate Security 7.2 Study Guide (p.350 and 352): "In flow-based inspection mode, the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Because the file is ransmitted simultaneously, flow-based mode consumes more CPU cycles than proxy-based." "Each protocol's proxy picks up a connection and buffers the entire file first (or waits until the oversize limit is reached) before scanning. The client must wait for the scanning to finish."

• Question 88:

  Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

  A. diagnose sys top
  B. execute ping
  C. execute traceroute
  D. diagnose sniffer packet any
  E. get system arp
  B. execute ping
  C. execute traceroute
  D. diagnose sniffer packet any

• Question 89:

  What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

  A. FortiGate uses fewer resources.
  B. FortiGate performs a more exhaustive inspection on traffic.
  C. FortiGate adds less latency to traffic.
  D. FortiGate allocates two sessions per connection.
  A. FortiGate uses fewer resources.
  C. FortiGate adds less latency to traffic.

  ---

  Explanation/Reference:

  Reference: https://community.fortinet.com/t5/Support-Forum/Proxy-based-vs-Flow-based- Inspection-Mode-for-Web-Filter/m-p/19204

  Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive than proxy-based inspection, and it offers

  several benefits over this approach.

  Two benefits of flow-based inspection compared to proxy-based inspection are:

  FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy- based inspection, which can help to improve the performance of the firewall device and reduce the impact on overall system performance.

  FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based inspection, which can be important for real-time applications or other types of traffic that require low latency.

• Question 90:

  Which of the following statements about central NAT are true? (Choose two.)

  A. IP tool references must be removed from existing firewall policies before enabling central NAT .
  B. Central NAT can be enabled or disabled from the CLI only.
  C. Source NAT, using central NAT, requires at least one central SNAT policy.
  D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
  A. IP tool references must be removed from existing firewall policies before enabling central NAT .
  B. Central NAT can be enabled or disabled from the CLI only.