Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 16


Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
C. No certificate is required on the remote peer when you set the certificate signature as the authentication method
D. Pre-shared key and certificate signature as authentication methods
Suggested answer: B, D

Explanation:

B) Extended authentication (XAuth) to request the remote peer to provide a username and password

This is true because extended authentication (XAuth) is a feature that allows FortiGate to request the remote peer to provide a username and password during the IPsec IKEv1 authentication process. XAuth is an extension of the IKEv1 protocol that adds an additional authentication step after the main mode or aggressive mode exchange. XAuth can be used with either pre-shared key or certificate signature as the primary authentication method, and it can provide stronger security and granular access control for IPsec VPNs.

D) Pre-shared key and certificate signature as authentication methods

This is true because pre-shared key and certificate signature are the two authentication methods that FortiGate supports for IPsec IKEv1 VPNs. With a pre-shared key, both peers share a secret key that is used to authenticate each other during the IKEv1 exchange. With certificate signature, both peers have digital certificates that are used to verify each other's identity and public key during the IKEv1 exchange. Either method can be combined with XAuth for additional authentication.

You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

A. No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%.
B. No new log is recorded until you manually clear logs from the local disk.
C. Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.
D. Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%.
Suggested answer: C

Explanation:

config log disk setting

set diskfull [ overwrite | nolog ]

Action to take when disk is full. The system can overwrite the oldest log messages or stop logging when the disk is full. (default --> overwrite)

config log memory global-setting

set full-first-warning-threshold {integer}

Log full first warning threshold as a percent. (default --> 75)

https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/421620/config-log-disk-setting

https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/418620/config-log-memory-global-setting

C) Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.

This is true because this is the default behavior of FortiGate when logging to the local disk. The local disk is the internal storage of FortiGate that can be used to store event logs and security logs. When the local disk is full, FortiGate overwrites the oldest logs with the newest ones and issues warnings at different thresholds of disk usage. The first warning is issued when log disk use reaches 75%, the second warning when it reaches 85%, and the final warning when it reaches 95%. The administrator can configure these thresholds and the action to take when the disk is full using the CLI command config log disk setting.

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

A. Antivirus scanning
B. File filter
C. DNS filter
D. Intrusion prevention
Suggested answer: A, D

Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

A. Traffic is blocked because Action is set to DENY in the firewall policy.
B. Traffic belongs to the root VDOM.
C. This is a security log.
D. Log severity is set to error on FortiGate.
Suggested answer: B, C

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

A. FortiManager
B. Root FortiGate
C. FortiAnalyzer
D. Downstream FortiGate
Suggested answer: B

View the exhibit.

Which of the following statements are correct? (Choose two.)

A. This setup requires at least two firewall policies with the action set to IPsec.
B. Dead peer detection must be disabled to support this type of IPsec setup.
C. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
D. This is a redundant IPsec setup.
Suggested answer: C, D

Explanation:

https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/632796/ospf-with-ipsec-vpn-for-network-redundancy

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

A. 10.200.1.10
B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
C. 10.200.1.1
D. 10.0.1.254
Suggested answer: A

Explanation:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

A. Shut down/reboot a downstream FortiGate device.
B. Disable FortiAnalyzer logging for a downstream FortiGate device.
C. Log in to a downstream FortiSwitch device.
D. Ban or unban compromised hosts.
Suggested answer: A, B

The IPS engine is used by which three security features? (Choose three.)

A. Antivirus in flow-based inspection
B. Web filter in flow-based inspection
C. Application control
D. DNS filter
E. Web application firewall
Suggested answer: A, B, C

Explanation:

FortiGate Security 7.2 Study Guide (p.385): 'The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. It's also responsible for application control, flow-based antivirus protection, web filtering, and email filtering.'

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

Which FortiGate configuration can achieve this goal?

A. SSL VPN bookmark
B. SSL VPN tunnel
C. Zero trust network access
D. SSL VPN quick connection
Suggested answer: B

Explanation:

FortiGate Infrastructure 7.2 Study Guide (p.198): 'Tunnel mode requires FortiClient to connect to FortiGate. FortiClient adds a virtual network adapter identified as fortissl to the user's PC. This virtual adapter dynamically receives an IP address from FortiGate each time FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is SSL/TLS encapsulated. The main advantage of tunnel mode over web mode is that after the VPN is established, any IP network application running on the client can send traffic through the tunnel.'

An SSL VPN tunnel allows remote users to establish a secure and encrypted Virtual Private Network (VPN) connection to the private network using the SSL/TLS protocol. An SSL VPN tunnel can provide access to network resources such as FTP servers, as well as to external applications running on the user's PC.

An SSL VPN bookmark is a web link that provides access to network resources through the SSL VPN web portal. It does not support external applications running on the user's PC.

Zero trust network access (ZTNA) is a security model that provides role-based application access to remote users without exposing the private network to the internet. It does not use the SSL/TLS protocol, but rather a proprietary ZTNA protocol.

SSL VPN quick connection is a feature that allows users to connect to an SSL VPN tunnel without installing FortiClient or any other software on their PC. It requires a web browser that supports Java or ActiveX. It does not support external applications running on the user's PC.

Total 184 questions