Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

Fortinet NSE4_FGT-6.4 Fortinet NSE 4 - FortiOS 6.4 Exam Practice Test

Demo: 24 questions
Total 165 questions

Fortinet NSE 4 - FortiOS 6.4 Questions and Answers

Question 1

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

Options:

A.

The signature setting uses a custom rating threshold.

B.

The signature setting includes a group of other signatures.

C.

Traffic matching the signature will be allowed and logged.

D.

Traffic matching the signature will be silently dropped and logged.

Question 2

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

Options:

A.

Fabric Coverage

B.

Automated Response

C.

Security Posture

D.

Optimization

Question 3

Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.

A local FortiManager is one of the servers FortiGate communicates with.

B.

One server was contacted to retrieve the contract information.

C.

There is at least one server that lost packets consecutively.

D.

FortiGate is using default FortiGuard communication settings.

Question 4

Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

Options:

A.

The debug flow is of ICMP traffic.

B.

A firewall policy allowed the connection.

C.

A new traffic session is created.

D.

The default route is required to receive a reply.

Question 5

Examine the following web filtering log.

Which statement about the log message is true?

Options:

A.

The action for the category Games is set to block.

B.

The usage quota for the IP address 10.0.1.10 has expired

C.

The name of the applied web filter profile is default.

D.

The web site miniclip.com matches a static URL filter whose action is set to Warning.

Question 6

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Options:

A.

Firewall policy

B.

Policy rule

C.

Security policy

D.

SSL inspection and authentication policy

Question 7

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

Options:

A.

Shut down/reboot a downstream FortiGate device.

B.

Disable FortiAnalyzer logging for a downstream FortiGate device.

C.

Log in to a downstream FortiSwitch device.

D.

Ban or unban compromised hosts.

Question 8

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides

(client and server) have terminated the session?

Options:

A.

To remove the NAT operation.

B.

To generate logs

C.

To finish any inspection operations.

D.

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Question 9

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

Options:

A.

On HQ-FortiGate, set IKE mode to Main (ID protection).

B.

On both FortiGate devices, set Dead Peer Detection to On Demand.

C.

On HQ-FortiGate, disable Diffie-Helman group 2.

D.

On Remote-FortiGate, set port2 as Interface.

Question 10

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Options:

A.

It limits the scanning of application traffic to the DNS protocol only.

B.

It limits the scanning of application traffic to use parent signatures only.

C.

It limits the scanning of application traffic to the browser-based technology category only.

D.

It limits the scanning of application traffic to the application category only.

Question 11

An organization’s employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

Options:

A.

Change the session-ttl.

B.

Change the login timeout.

C.

Change the idle-timeout.

D.

Change the udp idle timer.

Question 12

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

Options:

A.

www.example.com:443

B.

www.example.com

C.

example.com

D.

www.example.com/index.html

Question 13

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

A User or User Group

B. IP address

C. No other object can be added

D. FQDN address

Options:

Question 14

Refer to the exhibit.

The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration.

How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

Options:

A.

If there is a full-through policy in place, users will not be prompted for authentication.

B.

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

C.

Authentication is enforced at a policy level; all users will be prompted for authentication.

D.

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Question 15

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.

Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

Options:

A.

set fortiguard anycast disable

B.

set protocol udp

C.

set webfilter-force-off disable

D.

set webfilter-cache disable

Question 16

A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.

Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

Options:

A.

The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

B.

The two VLAN sub interfaces must have different VLAN IDs.

C.

The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

D.

The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

Question 17

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

Options:

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question 18

Which two statements are true about the RPF check? (Choose two.)

Options:

A.

The RPF check is run on the first sent packet of any new session.

B.

The RPF check is run on the first reply packet of any new session.

C.

The RPF check is run on the first sent and reply packet of any new session.

D.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Question 19

Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Options:

A.

Change the SSL VPN port on the client.

B.

Change the Server IP address.

C.

Change the idle-timeout.

D.

Change the SSL VPN portal to the tunnel.

Question 20

Refer to the exhibit.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.

Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Options:

A.

Disable match-vip in the Deny policy.

B.

Set the Destination address as Deny_IP in the Allow-access policy.

C.

Enable match vip in the Deny policy.

D.

Set the Destination address as Web_server in the Deny policy.

Question 21

Which two statements ate true about the Security Fabric rating? (Choose two.)

Options:

A.

It provides executive summaries of the four largest areas of security focus.

B.

Many of the security issues can be fixed immediately by click ng Apply where available.

C.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

D.

The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

Question 22

Exhibit:

Refer to the exhibit to view the authentication rule configuration In this scenario, which statement is true?

Options:

A.

IP-based authentication is enabled

B.

Route-based authentication is enabled

C.

Session-based authentication is enabled.

D.

Policy-based authentication is enabled

Question 23

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

Options:

A.

VLAN interface

B.

Software Switch interface

C.

Aggregate interface

D.

Redundant interface

Question 24

Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

Options:

A.

The firewall policy does not apply deep content inspection.

B.

The firewall policy must be configured in proxy-based inspection mode.

C.

The action on the firewall policy must be set to deny.

D.

Web filter should be enabled on the firewall policy to complement the antivirus profile.

Demo: 24 questions
Total 165 questions