
Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 11


List of questions

Question 101


In which two ways can RPF checking be disabled? (Choose two.)

A. Enable anti-replay in firewall policy.
B. Disable the RPF check at the FortiGate interface level for the source check.
C. Enable asymmetric routing.
D. Disable strict-src-check under system settings.
Suggested answer: C, D
asked 18/09/2024
Simon Merlin AGHOKENG

Question 102


Which feature in the Security Fabric takes one or more actions based on event triggers?

A. Fabric Connectors
B. Automation Stitches
C. Security Rating
D. Logical Topology
Suggested answer: B
asked 18/09/2024
Gaurav Nayak

Question 103


Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

A. Set the maximum session TTL value for the TELNET service object.
B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
C. Create a new service object for TELNET and set the maximum session TTL.
D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
Suggested answer: C, D
asked 18/09/2024
Oky ramadhani

Question 104


Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)

A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
Suggested answer: A, C
asked 18/09/2024
Khaled Mohamed Abdraboh Metwalli

Question 105


What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A. It limits the scanning of application traffic to the DNS protocol only.
B. It limits the scanning of application traffic to use parent signatures only.
C. It limits the scanning of application traffic to the browser-based technology category only.
D. It limits the scanning of application traffic to the application category only.
Suggested answer: C
Explanation:

FortiGate Security 7.2 Study Guide (p.317): 'You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website.'

asked 18/09/2024
Padmavathi Jawaharlal

Question 106


Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

A. To remove the NAT operation.
B. To generate logs.
C. To finish any inspection operations.
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.
Suggested answer: D
asked 18/09/2024
Camille Rudio

Question 107


Refer to the exhibit, which contains a session diagnostic output.

[Exhibit: image not available]

Which statement is true about the session diagnostic output?

A. The session is a UDP unidirectional state.
B. The session is in TCP ESTABLISHED state.
C. The session is a bidirectional UDP connection.
D. The session is a bidirectional TCP connection.
Suggested answer: C
Explanation:

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

asked 18/09/2024
Mr. Michael Mettam

Question 108


A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

[Exhibit: image not available]

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

A. On HQ-FortiGate, set IKE mode to Main (ID protection).
B. On both FortiGate devices, set Dead Peer Detection to On Demand.
C. On HQ-FortiGate, disable Diffie-Hellman group 2.
D. On Remote-FortiGate, set port2 as Interface.
Suggested answer: A, D
Explanation:

'In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.'

asked 18/09/2024
Ilya Shadrin

Question 109


Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A. To detect intermediary NAT devices in the tunnel path.
B. To dynamically change phase 1 negotiation mode to aggressive mode.
C. To encapsulate ESP packets in UDP packets using port 4500.
D. To force a new DH exchange with each phase 2 rekey.
Suggested answer: A, C
asked 18/09/2024
Alejandro Yepez

Question 110


An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

Total 184 questions