Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 14
Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

A. Policy with ID 4.
B. Policy with ID 5.
C. Policies with ID 2 and 3.
D. Policy with ID 4.
Suggested answer: B

Explanation:

We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com on TCP port 443 (HTTPS). Only two policies match this traffic: policy ID 2 and policy ID 5. In FortiGate, firewall policies are evaluated from top to bottom, so the first policy that matches the traffic is applied and subsequent policies are not evaluated. Based on the Policy Lookup criteria, policy ID 5 will be highlighted.

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, which statement about VLAN IDs is true?

A. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.
B. The two VLAN subinterfaces must have different VLAN IDs.
C. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.
D. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.
Suggested answer: C, D

Which statement correctly describes the use of reliable logging on FortiGate?

A. Reliable logging is enabled by default in all configuration scenarios.
B. Reliable logging is required to encrypt the transmission of logs.
C. Reliable logging can be configured only using the CLI.
D. Reliable logging prevents the loss of logs when the local disk is full.
Suggested answer: B

Explanation:

FortiGate Security 7.2 Study Guide (p.192): 'If using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecure network. You can choose the level of SSL protection used by configuring the enc-algorithm setting on the CLI.'

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

A. Configure a loopback interface with address 203.0.113.2/32.
B. In the VIP configuration, enable arp-reply.
C. Enable port forwarding on the server to map the external service port to the internal service port.
D. In the firewall policy configuration, enable match-vip.
Suggested answer: B

Explanation:

FortiGate Security 7.2 Study Guide (p.115): 'Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it's a best practice to keep ARP reply enabled.'

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A. FortiGate uses fewer resources.
B. FortiGate performs a more exhaustive inspection on traffic.
C. FortiGate adds less latency to traffic.
D. FortiGate allocates two sessions per connection.
Suggested answer: A, C

Explanation:

Flow-based inspection is a type of traffic inspection used by some firewall devices, including FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive than proxy-based inspection, and it offers several benefits over that approach.

Two benefits of flow-based inspection compared to proxy-based inspection are:

FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based inspection, which helps improve the performance of the firewall device and reduces the impact on overall system performance.

FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based inspection, which is important for real-time applications and other types of traffic that require low latency.

Refer to the exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

A. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.
B. On the Static URL Filter configuration, set Type to Simple.
C. On the Static URL Filter configuration, set Action to Exempt.
D. On the Static URL Filter configuration, set Action to Monitor.
Suggested answer: C

Explanation:

Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has also configured a Static URL Filter entry for twitter.com with the action set to Block. As a result, users are redirected to a block page when they try to access twitter.com. To allow users to access twitter.com while blocking all other social networking sites, the administrator should set the Action of the Static URL Filter entry to Exempt. Exempt overrides the block that the FortiGuard Category Based Filter applies to twitter.com, so users can reach twitter.com while all other social networking sites remain blocked.

What are two functions of ZTNA? (Choose two.)

A. ZTNA manages access through the client only.
B. ZTNA manages access for remote users only.
C. ZTNA provides a security posture check.
D. ZTNA provides role-based access.
Suggested answer: C, D

Explanation:

ZTNA (Zero Trust Network Access) is a security architecture designed to provide secure access to network resources for users, devices, and applications. It is based on the principle of 'never trust, always verify', which means that every access to a network resource is subject to strict verification and authentication.

Two functions of ZTNA are:

ZTNA provides a security posture check: ZTNA checks the security posture of devices and users attempting to access network resources. This can include checks on the device's software and hardware configuration, its security settings, and the presence of malware.

ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are granted access only to the resources necessary for their role, and all other access is denied. This helps prevent unauthorized access and minimizes the risk of data breaches.

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

A. SSL VPN idle-timeout
B. SSL VPN http-request-body-timeout
C. SSL VPN login-timeout
D. SSL VPN dtls-hello-timeout
Suggested answer: A

Explanation:

The SSL VPN idle-timeout setting determines how long an SSL VPN session can remain inactive before it is terminated. When an SSL VPN session becomes inactive (for example, because the user closes the VPN client or disconnects from the network), the session timer starts counting. If the timer reaches the idle-timeout value before the user reconnects or sends new traffic, the session is terminated and its associated resources (such as VPN tunnels and virtual interfaces) are deleted.

Which statement is correct regarding the use of application control for inspecting web applications?

A. Application control can identify child and parent applications, and perform different actions on them.
B. Application control signatures are organized in a nonhierarchical structure.
C. Application control does not require SSL inspection to identify web applications.
D. Application control does not display a replacement message for a blocked web application.
Suggested answer: A

Explanation:

Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application control is enabled, FortiGate can identify child and parent applications and perform different actions on each of them, based on the configuration.

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
B. The traffic sourced from the client and destined to the server is sent to FGT-1.
C. The cluster can load balance ICMP connections to the secondary.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Suggested answer: A, D

Explanation:

FortiGate Infrastructure 7.2 Study Guide (p.317 & p.320): 'To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses.' 'The primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated packet includes the original packet plus session information that the secondary requires to process the traffic.'

Total 184 questions