Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 11
In which two ways can RPF checking be disabled? (Choose two.)

A. Enable anti-replay in firewall policy.
B. Disable the RPF check at the FortiGate interface level for the source check.
C. Enable asymmetric routing.
D. Disable strict-src-check under system settings.
Suggested answer: C, D

Which feature in the Security Fabric takes one or more actions based on event triggers?

A. Fabric Connectors
B. Automation Stitches
C. Security Rating
D. Logical Topology
Suggested answer: B

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

A. Set the maximum session TTL value for the TELNET service object.
B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
C. Create a new service object for TELNET and set the maximum session TTL.
D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
Suggested answer: C, D

Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)

A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
Suggested answer: A, C

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A. It limits the scanning of application traffic to the DNS protocol only.
B. It limits the scanning of application traffic to use parent signatures only.
C. It limits the scanning of application traffic to the browser-based technology category only.
D. It limits the scanning of application traffic to the application category only.
Suggested answer: C

Explanation:

FortiGate Security 7.2 Study Guide (p.317): 'You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website.'

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

A. To remove the NAT operation.
B. To generate logs.
C. To finish any inspection operations.
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.
Suggested answer: D

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

A. The session is a UDP unidirectional state.
B. The session is in TCP ESTABLISHED state.
C. The session is a bidirectional UDP connection.
D. The session is a bidirectional TCP connection.
Suggested answer: C

Explanation:

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

A. On HQ-FortiGate, set IKE mode to Main (ID protection).
B. On both FortiGate devices, set Dead Peer Detection to On Demand.
C. On HQ-FortiGate, disable Diffie-Hellman group 2.
D. On Remote-FortiGate, set port2 as Interface.
Suggested answer: A, D

Explanation:

'In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.'

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A. To detect intermediary NAT devices in the tunnel path.
B. To dynamically change phase 1 negotiation mode to aggressive mode.
C. To encapsulate ESP packets in UDP packets using port 4500.
D. To force a new DH exchange with each phase 2 rekey.
Suggested answer: A, C

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
B. Create a new service object for HTTP service and set the session TTL to never.
C. Set the TTL value to never under config system-ttl.
D. Set the session TTL on the HTTP policy to maximum.
Suggested answer: B, C