Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Certensure Logo
  1. Home
  2. Fortinet
  3. NSE4
  4. NSE4_FGT-7.2 - Fortinet NSE 4 - FortiOS 7.2

Fortinet NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Exam Practice Test

Demo: 23 questions
Total 154 questions
Get NSE4_FGT-7.2 Full Access Download NSE4_FGT-7.2 PDF

Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Question 1

18

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

Options:

A.

A CRL

B.

A person

C.

A subordinate CA

D.

A root CA

Question 2

49

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Options:

A.

Static IP Address

B.

Dialup User

C.

Dynamic DNS

D.

Pre-shared Key

Question 3

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Options:

A.

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B.

The traffic sourced from the client and destined to the server is sent to FGT-1.

C.

The cluster can load balance ICMP connections to the secondary.

D.

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Question 4

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:

A.

FortiGuard web filter queries

B.

PKI

C.

Traffic shaping

D.

DNS

Question 5

Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Options:

A.

There are five devices that are part of the security fabric.

B.

Device detection is disabled on all FortiGate devices.

C.

This security fabric topology is a logical topology view.

D.

There are 19 security recommendations for the security fabric.

Question 6

94

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

Options:

A.

The interface has been configured for one-arm sniffer.

B.

The interface is a member of a virtual wire pair.

C.

The operation mode is transparent.

D.

The interface is a member of a zone.

E.

Captive portal is enabled in the interface.

Question 7

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

Options:

A.

The signature setting uses a custom rating threshold.

B.

The signature setting includes a group of other signatures.

C.

Traffic matching the signature will be allowed and logged.

D.

Traffic matching the signature will be silently dropped and logged.

Question 8

Which statement about video filtering on FortiGate is true?

Options:

A.

Full SSL Inspection is not required.

B.

It is available only on a proxy-based firewall policy.

C.

It inspects video files hosted on file sharing services.

D.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Question 9

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

Options:

A.

To allow for out-of-order packets that could arrive after the FIN/ACK packets

B.

To finish any inspection operations

C.

To remove the NAT operation

D.

To generate logs

Question 10

87

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

Options:

A.

Warning

B.

Exempt

C.

Allow

D.

Learn

Question 11

47

Refer to the exhibits.

Exhibit A.

Exhibit B.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

Options:

A.

Change the csf setting on Local-FortiGate (root) to set configuration-sync local.

B.

Change the csf setting on ISFW (downstream) to set configuration-sync local.

C.

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

D.

Change the csf setting on ISFW (downstream) to set fabric-object-unification default.

Question 12

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook .

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Options:

A.

Make SSL inspection needs to be a deep content inspection.

B.

Force access to Facebook using the HTTP service.

C.

Get the additional application signatures are required to add to the security policy.

D.

Add Facebook in the URL category in the security policy.

Question 13

2

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Options:

A.

By default, all interfaces are part of the same broadcast domain.

B.

The existing network IP schema must be changed when installing a transparent mode.

C.

Static routes are required to allow traffic to the next hop.

D.

FortiGate forwards frames without changing the MAC address.

Question 14

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

Options:

A.

The firmware image must be manually uploaded to each FortiGate.

B.

Only secondary FortiGate devices are rebooted.

C.

Uninterruptable upgrade is enabled by default.

D.

Traffic load balancing is temporally disabled while upgrading the firmware.

Question 15

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Options:

A.

It limits the scope of application control to the browser-based technology category only.

B.

It limits the scope of application control to scan application traffic based on application category only.

C.

It limits the scope of application control to scan application traffic using parent signatures only

D.

It limits the scope of application control to scan application traffic on DNS protocol only.

Question 16

21

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Options:

A.

Log ID

B.

Universally Unique Identifier

C.

Policy ID

D.

Sequence ID

Question 17

73

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?

Options:

A.

IP address

B.

Once Internet Service is selected, no other object can be added

C.

User or User Group

D.

FQDN address

Question 18

74

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

Options:

A.

VLAN interface

B.

Software Switch interface

C.

Aggregate interface

D.

Redundant interface

Question 19

Which three statements explain a flow-based antivirus profile? (Choose three.)

Options:

A.

IPS engine handles the process as a standalone.

B.

FortiGate buffers the whole file but transmits to the client simultaneously.

C.

If the virus is detected, the last packet is delivered to the client.

D.

Optimized performance compared to proxy-based inspection.

E.

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

Question 20

53

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

Options:

A.

The public key of the web server certificate must be installed on the browser.

B.

The web-server certificate must be installed on the browser.

C.

The CA certificate that signed the web-server certificate must be installed on the browser.

D.

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Question 21

17

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

Options:

A.

The Detection Mode setting is not set to Passive.

B.

Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

C.

The configured participants are not SD-WAN members.

D.

The Enable probe packets setting is not enabled.

Question 22

Which statement describes a characteristic of automation stitches?

Options:

A.

They can have one or more triggers.

B.

They can be run only on devices in the Security Fabric.

C.

They can run multiple actions simultaneously.

D.

They can be created on any device in the fabric.

Question 23

87

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

Options:

A.

Warning

B.

Exempt

C.

Allow

D.

Learn

Load More NSE4_FGT-7.2 Questions
Demo: 23 questions
Total 154 questions
Get NSE4_FGT-7.2 Full Access Download NSE4_FGT-7.2 PDF