Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 5

Which two statements are true about the FGCP protocol? (Choose two.)

A. FGCP elects the primary FortiGate device.
B. FGCP is not used when FortiGate is in transparent mode.
C. FGCP runs only over the heartbeat links.
D. FGCP is used to discover FortiGate devices in different HA groups.
Suggested answer: A, C

Explanation:

The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA) clusters of FortiGate devices. It performs several functions, including the following:

FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate device will be the primary device, responsible for handling traffic and making decisions about what to allow or block. FGCP uses a variety of factors, such as the device's priority, to determine which device should be the primary.

FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA cluster using the heartbeat links. These are dedicated links that are used to exchange status and control information between the devices. FGCP does not run over other types of links, such as data links.

https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/564712/fgcp-fortigate-clustering-protocol

FortiGate Infrastructure 7.2 Study Guide (p.292): 'FortiGate HA uses the Fortinet-proprietary FortiGate Clustering Protocol (FGCP) to discover members, elect the primary FortiGate, synchronize data among members, and monitor the health of members. To discover and monitor members, the members broadcast heartbeat packets over all configured heartbeat interfaces.'

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

A. The keyUsage extension must be set to keyCertSign.
B. The common name on the subject field must use a wildcard name.
C. The issuer must be a public CA.
D. The CA extension must be set to TRUE.
Suggested answer: A, D

Explanation:

'In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.'

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A. Proxy-based inspection
B. Certificate inspection
C. Flow-based inspection
D. Full Content inspection
Suggested answer: A, C

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.

With this configuration, which statement is true?

A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.
C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
Suggested answer: A

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.
B. The sensor will block all attacks aimed at Windows servers.
C. The sensor will reset all connections that match these signatures.
D. The sensor will gather a packet log for all matched traffic.
Suggested answer: A, B

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

A. get system status
B. get system performance status
C. diagnose sys top
D. get system arp
Suggested answer: D

Explanation:

'If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table.'

Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

A. The debug flow is of ICMP traffic.
B. A firewall policy allowed the connection.
C. A new traffic session is created.
D. The default route is required to receive a reply.
Suggested answer: A, C

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets.
C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Suggested answer: C, D

Explanation:

https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/508779/fortigate-as-ssl-vpn-client

To establish an SSL VPN connection between two FortiGate devices, the following two settings are required:

The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate will use a CA (Certificate Authority) certificate to verify the client FortiGate certificate, ensuring that the client device is trusted and allowed to establish an SSL VPN connection.

The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: The client FortiGate must have an SSL VPN tunnel interface type configured in order to establish an SSL VPN connection. This interface type will be used to connect to the server FortiGate over the SSL VPN.

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

A. System event logs
B. Forward traffic logs
C. Local traffic logs
D. Security logs
Suggested answer: C

Explanation:

Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.

FortiGate Security 7.2 Study Guide (p.176): 'Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to the GUI and FortiGuard queries.'

Which statement about the policy ID number of a firewall policy is true?

A. It is required to modify a firewall policy using the CLI.
B. It represents the number of objects used in the firewall policy.
C. It changes when firewall policies are reordered.
D. It defines the order in which rules are processed.
Suggested answer: A
Total 184 questions