Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 10

Question 91

Refer to the exhibit.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

[Exhibit: RADIUS server configuration image, not reproduced in this text version.]

What is the impact of using the Include in every user group option in a RADIUS configuration?

A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
Suggested answer: A

Question 92

Refer to the exhibit.

[Exhibit: network diagram, central SNAT policy and IP pool configuration images, not reproduced in this text version.]

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

A firewall policy is configured to allow traffic from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

A. 10.200.1.149
B. 10.200.1.1
C. 10.200.1.49
D. 10.200.1.99
Suggested answer: D

Question 93

Refer to the exhibit.

[Exhibit: administrator profile settings image, not reproduced in this text version.]

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

A. Custom permission for Network
B. Read/Write permission for Log & Report
C. CLI diagnostics commands permission
D. Read/Write permission for Firewall
Suggested answer: C
Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD50220

The diagnose command family is gated by its own setting in the administrator profile, CLI diagnostics commands in the GUI (cli-diagnose in the CLI accprofile settings), independent of the Read/Write permissions granted for individual feature areas such as Firewall or Log & Report.


Question 94

Refer to the exhibits.

The exhibits show a network diagram and firewall configurations.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

[Exhibits: network diagram and firewall configuration images, not reproduced in this text version.]

In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

A. Disable match-vip in the Deny policy.
B. Set the Destination address as Deny_IP in the Allow-access policy.
C. Enable match-vip in the Deny policy.
D. Set the Destination address as Web_server in the Deny policy.
Suggested answer: C, D
Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641

The exhibits show a network diagram and firewall configurations for a FortiGate unit that has two policies: Allow_access and Deny. The Allow_access policy allows traffic from the WAN (port1) interface to the LAN (port3) interface with the destination address of the VIP and the service of HTTPS. The VIP object maps the external IP address 10.200.1.10 and port 10443 to the internal IP address 10.0.1.10 and port 443 of the Webserver. The Deny policy denies traffic from the WAN (port1) interface to the LAN (port3) interface with the source address of Deny_IP and the destination address of All.

In this scenario, the administrator wants to deny Webserver access for Remote-User2, who has the IP address 10.200.3.2, which is included in the Deny_IP address object. Remote-User1, who has the IP address 10.200.3.1, must be able to access the Webserver.

Why the Deny policy does not work as configured: FortiGate applies DNAT before the policy lookup, and a policy whose destination is an ordinary address object (here, All) does not match DNATed traffic unless match-vip is enabled on it. The Deny policy therefore never matches Remote-User2's HTTPS requests to the VIP, and those requests fall through to Allow_access.

To achieve the goal, the administrator can make either of two changes:

Set the Destination address as Web_server (the VIP object) in the Deny policy. This makes the Deny policy specific to traffic destined for the VIP, which is the only kind of destination that matches DNATed traffic by default.

Enable match-vip in the Deny policy. This makes the Deny policy evaluate traffic that matches a VIP object instead of ignoring it, so the policy blocks Remote-User2's traffic to the VIP's external IP address and port while its destination stays All.

Option A is the default setting (match-vip is disabled by default), so it changes nothing. Option B would make Deny_IP, a WAN-side source address, the destination of the Allow_access policy; that policy would then no longer match traffic to the VIP, and Remote-User1 would lose access as well.
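As an added check (Python model written for this page, not code from the page or from Fortinet), the following reproduces FortiGate's top-down policy lookup with the match-vip flag and runs each answer option against the exhibit. The addresses, ports and object names follow the exhibit description; the data structures, the user-to-address mapping and the assumption that address entries are compared against the post-DNAT destination are this example's own simplifications.

```python
"""Toy model of FortiGate policy lookup with the match-vip flag (Question 94).

Added example, not code from the original page or from Fortinet. Addresses,
ports and object names follow the exhibit description; the data structures and
the post-DNAT comparison are simplifying assumptions of this model.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vip:
    name: str
    ext_ip: str
    ext_port: int
    mapped_ip: str
    mapped_port: int


@dataclass
class Policy:
    name: str
    action: str                  # "accept" or "deny"
    srcaddr: list[str]           # CIDR strings or "all"
    dstaddr: list[str]           # CIDR strings, "all", or VIP object names
    services: frozenset[int] = frozenset()  # destination ports; empty = ALL
    match_vip: bool = False      # FortiOS default: disabled


def _addr_matches(entries: list[str], ip: str) -> bool:
    for entry in entries:
        if entry == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def lookup(policies, vips, src_ip, dst_ip, dst_port):
    """First matching policy as (name, action); falls back to the implicit deny."""
    vip = next((v for v in vips if v.ext_ip == dst_ip and v.ext_port == dst_port), None)
    vip_names = {v.name for v in vips}
    # DNAT runs before policy lookup, so compare addresses and services against
    # the mapped destination (assumption of this model; irrelevant for "all").
    eff_ip, eff_port = (vip.mapped_ip, vip.mapped_port) if vip else (dst_ip, dst_port)
    for p in policies:
        if not _addr_matches(p.srcaddr, src_ip):
            continue
        if p.services and eff_port not in p.services:
            continue
        plain = [d for d in p.dstaddr if d not in vip_names]
        if vip is None:
            if _addr_matches(plain, eff_ip):
                return p.name, p.action
            continue
        # A DNATed packet only matches a policy that names the VIP as destination,
        # or one whose match-vip flag lets its ordinary address entries be evaluated.
        if vip.name in p.dstaddr or (p.match_vip and _addr_matches(plain, eff_ip)):
            return p.name, p.action
    return "implicit", "deny"


# Objects from the exhibit description (constructed here).
WEB_SERVER = Vip("Web_server", "10.200.1.10", 10443, "10.0.1.10", 443)
DENY_IP = "10.200.3.2/32"
USERS = {"Remote-User1": "10.200.3.1", "Remote-User2": "10.200.3.2"}


def baseline() -> list[Policy]:
    """The exhibit as configured: Deny (default settings) above Allow_access."""
    return [
        Policy("Deny", "deny", [DENY_IP], ["all"]),
        Policy("Allow_access", "accept", ["all"], ["Web_server"], frozenset({443})),
    ]


def with_option(letter: str) -> list[Policy]:
    """Apply one answer option to a fresh copy of the baseline policy table."""
    pols = baseline()
    deny, allow = pols
    if letter == "A":
        deny.match_vip = False            # already the default: no change
    elif letter == "B":
        allow.dstaddr = [DENY_IP]
    elif letter == "C":
        deny.match_vip = True
    elif letter == "D":
        deny.dstaddr = ["Web_server"]
    else:
        raise ValueError(letter)
    return pols


def outcome(policies: list[Policy]) -> dict[str, str]:
    """Action each remote user gets for HTTPS to the VIP's external socket."""
    return {user: lookup(policies, [WEB_SERVER], ip, WEB_SERVER.ext_ip, WEB_SERVER.ext_port)[1]
            for user, ip in USERS.items()}


if __name__ == "__main__":
    print("as configured:", outcome(baseline()))
    for letter in "ABCD":
        print(f"option {letter}:", outcome(with_option(letter)))
```

Running it shows the problem as configured (both users reach the Webserver) and that only options C and D leave Remote-User1 accepted while Remote-User2 is denied; option B denies both users, and option A changes nothing.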


Question 95

An administrator is running the following sniffer command:

Which three pieces of information will be included in the sniffer output? (Choose three.)

A. Interface name
B. Packet payload
C. Ethernet header
D. IP header
E. Application header
Suggested answer: A, B, D

Question 96

Refer to the exhibit.

Refer to the FortiGuard connection debug output.

[Exhibit: FortiGuard connection debug output image, not reproduced in this text version.]

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

A. A local FortiManager is one of the servers FortiGate communicates with.
B. One server was contacted to retrieve the contract information.
C. There is at least one server that lost packets consecutively.
D. FortiGate is using default FortiGuard communication settings.
Suggested answer: B, D
Explanation:

FortiGate Security 7.2 Study Guide (p.287-288): 'Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)' 'By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with FortiGuard or FortiManager. Other ports and protocols are available by disabling the FortiGuard anycast setting on the CLI.'


Question 97

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
Suggested answer: B, C
Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883

When FortiGate operates in NAT mode (also called route mode), each interface has its own IP address and FortiGate routes traffic between interfaces at Layer 3; source and destination NAT can then be applied per firewall policy, for example to hide internal addresses behind a single public address. The alternative, transparent mode, forwards at Layer 2 and its interfaces do not carry IP addresses.

A virtual LAN (VLAN) subinterface is a logical interface that allows traffic from different VLANs to enter and exit the FortiGate unit. It is created by adding a VLAN ID to a physical interface or an aggregate interface; the VLAN ID is the numeric 802.1Q tag that distinguishes one VLAN from another on the trunk.

In this scenario, there are two requirements for the VLAN ID of the VLAN subinterfaces added to the same physical interface:

The two VLAN subinterfaces must have different VLAN IDs. Incoming frames on the trunk are assigned to a subinterface by their 802.1Q tag, so two subinterfaces with the same tag on the same physical interface could not be told apart, and FortiGate does not allow the duplicate ID within a VDOM.

The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs. VDOMs are virtual instances of FortiGate with their own interfaces, policies, and routing tables, and a VLAN ID only has to be unique within a VDOM; each VDOM can therefore carry its own VLAN subinterface with the same ID on the shared physical interface. Traffic between the two VDOMs still requires an inter-VDOM link.


Question 98

Which two SD-WAN load balancing methods use the interface weight value to distribute traffic? (Choose two.)

A. Source IP
B. Spillover
C. Volume
D. Session
Suggested answer: C, D
Explanation:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing

Volume and Sessions distribute traffic in proportion to the configured member weights: Sessions balances the number of sessions per member, Volume balances the bytes sent per member. Source IP (and Source-Destination IP) select a member by hashing addresses, and Spillover only moves traffic to the next member once a member's configured bandwidth threshold is reached; none of these use the weight value.
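To make the difference visible, here is an added Python model (written for this page, not code from the page or from Fortinet) that places a constructed set of flows on two members with weights 3 and 1 under each method. The selection rules are simplified models of the documented behaviour: Sessions and Volume keep each member's load proportional to its weight, Source IP hashes the client address and ignores weights. Member names, weights and flows are constructed for the example.

```python
"""Toy model of three SD-WAN member selection methods (Question 98).

Added example, not code from the original page or from Fortinet. The
selection rules are simplified models: "sessions" and "volume" keep each
member's load proportional to its weight, "source-ip" hashes the client
address and ignores weights. Member names, weights and flows are constructed.
"""
import hashlib
from collections import Counter

MEMBERS = {"port1": 3, "port2": 1}   # constructed: weight 3 vs 1


def choose_by_sessions(weights, sessions):
    """Member with the lowest sessions-per-weight ratio (weighted round robin)."""
    return min(weights, key=lambda m: (sessions[m] / weights[m], m))


def choose_by_volume(weights, volume):
    """Member with the lowest bytes-per-weight ratio."""
    return min(weights, key=lambda m: (volume[m] / weights[m], m))


def choose_by_source_ip(weights, src_ip):
    """Stable hash of the source address onto a member; weights play no part."""
    members = sorted(weights)
    digest = hashlib.sha256(src_ip.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def simulate(method, flows, weights=MEMBERS):
    """Return (sessions per member, bytes per member) after placing all flows."""
    sessions = Counter({m: 0 for m in weights})
    volume = Counter({m: 0 for m in weights})
    for src_ip, nbytes in flows:
        if method == "sessions":
            member = choose_by_sessions(weights, sessions)
        elif method == "volume":
            member = choose_by_volume(weights, volume)
        elif method == "source-ip":
            member = choose_by_source_ip(weights, src_ip)
        else:
            raise ValueError(method)
        sessions[member] += 1
        volume[member] += nbytes
    return dict(sessions), dict(volume)


# Constructed traffic: 40 clients, every fourth one moves a 9 kB flow.
FLOWS = [(f"10.0.1.{i}", 9000 if i % 4 == 0 else 1000) for i in range(1, 41)]


if __name__ == "__main__":
    for method in ("sessions", "volume", "source-ip"):
        print(method, simulate(method, FLOWS))
```

With these inputs the Sessions method ends at 30 sessions on port1 and 10 on port2, Volume ends at 92000 bytes on port1 and 28000 on port2 (about 3:1 by bytes even though the session count is skewed toward the cheaper flows), and swapping the weights leaves the Source IP result unchanged.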


Question 99

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
B. FortiGate automatically negotiates a new security association after the existing security association expires.
C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
Suggested answer: D
Explanation:

https://kb.fortinet.com/kb/documentLink.do?externalID=12069

FortiGate Infrastructure 7.2 Study Guide (p.264): '...then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away.' 'Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled.'


Question 100

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

A. The Services field prevents SNAT and DNAT from being combined in the same policy.
B. The Services field is used when you need to bundle several VIPs into VIP groups.
C. The Services field removes the requirement to create multiple VIPs for different services.
D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.
Suggested answer: C