Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 17

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

Which CLI command must the administrator use to view the route?

A. get router info routing-table database
B. diagnose firewall proute list
C. get internet-service route list
D. get router info routing-table all
Suggested answer: B

Explanation:

An ISDB static route is not installed in the regular routing table, so get router info routing-table all and get router info routing-table database will not show it. FortiOS treats it as a policy route, and the policy route table is listed with diagnose firewall proute list.

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for-Predefined-Internet/ta-p/198756

and here https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/190640

FortiGate Infrastructure 7.2 Study Guide (p.16 and p.59): 'Even though they are configured as static routes, ISDB routes are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table.' 'FortiOS maintains a policy route table that you can view by running the diagnose firewall proute list command.'
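The configuration and the verification steps this question is about, written out as an added example (it is not from the original page or from Fortinet documentation). The WAN interface, the gateway and the Internet Service ID are assumptions for illustration; in the CLI, set internet-service ? lists the valid IDs and names, so pick the Amazon-AWS entry from that list.

```fortios
# Added example, not from the original page. Interface, gateway and ISDB ID are assumed.
# List the predefined Internet Service IDs from the CLI with:  set internet-service ?
config router static
    edit 10
        set internet-service 327681      # assumed ID; replace with the Amazon-AWS entry
        set gateway 10.200.1.254         # assumed next hop on the WAN link
        set device "port1"               # assumed WAN interface
        set comment "Steer AWS destinations out port1"
    next
end

# The ISDB route is installed as a policy route, so it is visible here:
diagnose firewall proute list

# ...and absent from the regular routing table, which only lists ordinary routes:
get router info routing-table all
get router info routing-table database
```

Because policy routes are evaluated before the routing table, an ISDB route like this overrides any static or dynamic route for the same destinations; keep that in mind when troubleshooting unexpected egress paths with diagnose firewall proute list.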

What are two functions of the ZTNA rule? (Choose two.)

A. It redirects the client request to the access proxy.
B. It applies security profiles to protect traffic.
C. It defines the access proxy.
D. It enforces access control.
Suggested answer: B, D

Explanation:

A ZTNA rule is a proxy policy: it enforces access control and applies security profiles to the traffic between the client and the access proxy. A ZTNA rule defines the following parameters:

Incoming interface: the interface that receives the client request.

Source: the address and user group of the client.

ZTNA tag: the tag, assigned by FortiClient EMS, that the client endpoint must (or must not) carry for the rule to match.

ZTNA server: the access proxy object the rule applies to, selected as the destination.

Destination: the address of the application that the client wants to access.

Action: what to do with traffic that matches the rule: accept, deny, or redirect.

Security profiles: the inspection features applied to the traffic, such as antivirus, web filter, application control, and so on.

A ZTNA rule does not redirect the client request to the access proxy; the client connects to the access proxy VIP that is defined by the ZTNA server object.

A ZTNA rule does not define the access proxy. That is done by creating a ZTNA server object, which specifies the IP address, port, and certificate of the access proxy and the real servers behind it.

FortiGate Infrastructure 7.2 Study Guide (p.177): 'A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust role-based access. To create a rule, type a rule name, and add IP addresses and ZTNA tags or tag groups that are allowed or blocked access. You also select the ZTNA server as the destination. You can also apply security profiles to protect this traffic.'
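The split between the two objects, shown as an added example (not from the original page or from Fortinet documentation): the ZTNA server defines the access proxy, and the ZTNA rule, a proxy policy, is where access control and security profiles live. All names, addresses, the certificate and the EMS tag are assumptions; option names follow the FortiOS 7.2 CLI as assumed here, so confirm any of them with ? on your unit.

```fortios
# Added example, not from the original page. Names, addresses and the EMS tag are assumed.

# 1) The access proxy is defined by the ZTNA server: an access-proxy VIP plus an
#    access-proxy object listing the real servers. The rule does NOT define this.
config firewall vip
    edit "ZTNA-VIP"
        set type access-proxy
        set extip 10.200.1.10
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"       # assumed certificate name
    next
end
config firewall access-proxy
    edit "ZTNA-server"
        set vip "ZTNA-VIP"
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.0.1.10         # assumed internal web application
                        set port 443
                    next
                end
            next
        end
    next
end

# 2) The ZTNA rule is a proxy policy. It enforces access control (source, EMS tag,
#    destination ZTNA server) and applies security profiles to the proxied traffic.
config firewall proxy-policy
    edit 1
        set name "ZTNA-webapp-compliant-only"
        set proxy access-proxy
        set access-proxy "ZTNA-server"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"   # assumed tag synced from FortiClient EMS
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
    next
end
```

An endpoint whose EMS tag does not match the rule is denied even though it can reach the VIP, which is the access-control function the question asks about; the profiles attached to the rule are what inspect the traffic once it is allowed.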

An administrator configures outgoing interface any in a firewall policy.

What is the result of the policy list view?

A. Search option is disabled.
B. Policy lookup is disabled.
C. By Sequence view is disabled.
D. Interface Pair view is disabled.
Suggested answer: D

Explanation:

'If you use multiple source or destination interfaces, or the any interface in a firewall policy, you cannot separate policies into sections by interface pairs; some would be triplets or more. So instead, policies are then always displayed in a single list (By Sequence).'

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

A. The debug flow is for ICMP traffic.
B. The default route is required to receive a reply.
C. A new traffic session was created.
D. A firewall policy allowed the connection.
Suggested answer: A, C

Explanation:

A debug flow (diagnose debug flow) traces how FortiGate handles each packet between a source and a destination. The output in the exhibit supports the following:

The packet is identified with proto=1, which is ICMP, the protocol used to test reachability and report errors.

The output reports that a new session was allocated for this flow, so this is the first packet of a new traffic session rather than a match on an existing one.

The other two options are not supported by the output. A default route is not required to receive a reply: FortiGate only needs a route back to the source (the reverse path check), and any matching route satisfies that. And the exhibit does not show the packet being accepted by a firewall policy, so it cannot be concluded that a policy allowed the connection.

Therefore, the two conclusions that can be made from the debug flow output are:

The debug flow is for ICMP traffic.

A new traffic session was created.

Which three methods are used by the collector agent for AD polling? (Choose three.)

A. FortiGate polling
B. NetAPI
C. Novell API
D. WMI
E. WinSecLog
Suggested answer: B, D, E

Explanation:

FortiGate Infrastructure 7.2 Study Guide (p.127-128): 'As previously stated, collector agent-based polling mode has three methods (or options) for collecting login information. The order on the slide from left to right shows most recommended to least recommended: (WMI, WinSecLog, and NetAPI)'

Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

A. hard-timeout
B. auth-on-demand
C. soft-timeout
D. new-session
E. idle-timeout
Suggested answer: A, D, E

Explanation:

FortiOS offers three authentication timeout types, selected with set auth-timeout-type under config user setting: idle-timeout (the default; the authenticated user expires after no traffic for the auth-timeout period), hard-timeout (the user expires after a fixed time regardless of activity), and new-session (after the timeout, existing sessions keep running but any new session requires re-authentication). auth-on-demand and soft-timeout are not FortiGate options.

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
B. FortiGate allocates port blocks on a first-come, first-served basis.
C. FortiGate generates a system event log for every port block allocation made per user.
D. FortiGate allocates 128 port blocks per user.
Suggested answer: B, C

Explanation:

FortiGate Security 7.2 Study Guide (p.109): 'FortiGate allocates port blocks on a first-come, first-served basis.' 'For logging purposes, when FortiGate allocates a port block to a host, it generates a system event log to inform the administrator.'
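A port block allocation (PBA) IP pool and the policy that uses it, as an added example (not from the original page or from Fortinet documentation). It shows where the number 128 in option D actually comes from: it is the default block size (ports per block), while the default number of blocks a host may receive is 8. The pool name, address range and policy details are assumptions.

```fortios
# Added example, not from the original page. Names, ranges and policy numbers are assumed.
config firewall ippool
    edit "CGN-PBA-pool"
        set type port-block-allocation
        set startip 10.200.1.100        # assumed public address for the subscribers
        set endip 10.200.1.100
        set block-size 128              # ports per block (default 128): this is what option D confuses
        set num-blocks-per-user 8       # blocks one internal host may hold (default 8)
        set pba-timeout 30              # seconds an idle block stays allocated (default 30)
    next
end

config firewall policy
    edit 20
        set name "Subscribers-out"
        set srcintf "port3"             # assumed subscriber-facing interface
        set dstintf "port1"             # assumed WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "CGN-PBA-pool"
    next
end
```

Blocks are handed out to hosts in the order they first send traffic (first-come, first-served), and each allocation produces a system event log; with one public address, 128-port blocks and 8 blocks per host, the pool can serve at most 64 concurrent hosts at full allocation, which is the sizing check to do before deploying this.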

Which statement about video filtering on FortiGate is true?

A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
B. It does not require a separate FortiGuard license.
C. Full SSL inspection is not required.
D. It is available only on a proxy-based firewall policy.
Suggested answer: D

Explanation:

FortiGate Security 7.2 Study Guide (p.279): 'To apply the video filter profile, proxy-based firewall policies currently allow you to enable the video filter profile. You must enable full SSL inspection on the firewall policy.'

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/860867/filtering-based-on-fortiguard-categories

Which statement describes a characteristic of automation stitches?

A. They can have one or more triggers.
B. They can be run only on devices in the Security Fabric.
C. They can run multiple actions simultaneously.
D. They can be created on any device in the fabric.
Suggested answer: C

Explanation:

An automation stitch pairs exactly one trigger with one or more actions, and the actions can be executed either sequentially (with an optional delay between them) or in parallel. Stitches are created on the root FortiGate of the Security Fabric, not on any fabric member, and a standalone FortiGate can also run them outside a Security Fabric.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/351998/creating-automation-stitches

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

A. 10.0.1.254, 10.0.1.10, and 443, respectively
B. 10.0.1.254, 10.200.1.10, and 443, respectively
C. 10.200.3.1, 10.0.1.10, and 443, respectively
D. 10.0.1.254, 10.0.1.10, and 10443, respectively
Suggested answer: C

Explanation:

The host 10.200.3.1 sends a TCP SYN to 10.200.1.10 on port 10443, which is the external IP address and external port of the VIP object in Exhibit B. The VIP has port forwarding enabled and maps 10.200.1.10:10443 to the internal server 10.0.1.10:443, so FortiGate performs destination NAT: the destination address becomes 10.0.1.10 and the destination port becomes 443.

A VIP translates only the destination. Whether the source address is also translated depends on the NAT setting of the firewall policy that allows the traffic (policy ID 1 in Exhibit B, from WAN (port1) to LAN (port3), with destination address VIP and service HTTPS). With NAT disabled on the policy, the source address is preserved; with NAT enabled and no IP pool, the source would be rewritten to the address of the outgoing interface, 10.0.1.254 (answers A and D).

Because the suggested answer keeps the original source address, the policy in the exhibit does not have NAT enabled. Therefore, after FortiGate forwards the packet to the destination, the source address, destination address, and destination port of the packet are 10.200.3.1, 10.0.1.10, and 443, respectively.

You can find more information about VIP objects and firewall policies in the Fortinet Documentation
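The VIP and policy from this question in CLI form, plus the check that shows the result, as an added example (not from the original page or from Fortinet documentation). The addresses and ports are the ones the question gives; the object and policy names are assumptions. The one setting that decides between answer C and answers A/D is the policy's nat option.

```fortios
# Added example, not from the original page. Object and policy names are assumed;
# addresses and ports are those stated in the question.
config firewall vip
    edit "VIP"
        set extip 10.200.1.10            # public address on port1
        set extintf "port1"
        set portforward enable
        set mappedip "10.0.1.10"         # internal server on port3
        set extport 10443                # what the client sends to...
        set mappedport 443               # ...and what the server receives
    next
end

config firewall policy
    edit 1
        set name "Inbound-VIP"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP"                # the VIP object, not the internal address
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable                  # answer C: source stays 10.200.3.1
        # set nat enable                 # would rewrite the source to port3's 10.0.1.254 instead
    next
end

# Confirm the translated packet on the LAN side while the client connects:
diagnose sniffer packet port3 'host 10.0.1.10 and tcp port 443' 4
```

With nat disable, the sniffer on port3 shows 10.200.3.1 -> 10.0.1.10:443, so the server sees the real client address and its reply is routed back through FortiGate, which undoes the DNAT. Switch to nat enable and the same capture shows 10.0.1.254 as the source, which is the difference between answer C and answer A.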

Total 184 questions