ExamGecko

Fortinet NSE4_FGT-7.2 Practice Test - Questions Answers, Page 6


Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

A. Change the SSL VPN port on the client.
B. Change the Server IP address.
C. Change the idle-timeout.
D. Change the SSL VPN portal to the tunnel.
Suggested answer: A

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

A. The strict RPF check is run on the first sent and reply packet of any new session.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D. Strict RPF allows packets back to sources with all active routes.
Suggested answer: B

Explanation:

Strict Reverse Path Forwarding (RPF) is a security feature that is used to detect and prevent IP spoofing attacks on a network. It works by checking the routing information for incoming packets to ensure that they are coming from the source address that is indicated in the packet's header. In strict RPF mode, the firewall will check the best route back to the source of the incoming packet using the incoming interface. If the packet's source address does not match the route back to the source, the packet is dropped. This helps to prevent attackers from spoofing their IP address and attempting to access the network.

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

A. The SSL inspection needs to be a deep content inspection.
B. Force access to Facebook using the HTTP service.
C. Additional application signatures are required to add to the security policy.
D. Add Facebook in the URL category in the security policy.
Suggested answer: A

Explanation:

They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts. This indicates that the rule is partially working, as they can watch video but can't react, i.e. like the content. So it must be an issue with the SSL inspection rather than a need to add an application rule.

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

A. FortiGate uses the AD server as the collector agent.
B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
C. FortiGate does not support workstation check.
D. FortiGate directs the collector agent to use a remote LDAP server.
Suggested answer: B, C

Explanation:

You can deploy FSSO without installing an agent. FortiGate polls the DCs directly, instead of receiving logon information indirectly from a collector agent.

Because FortiGate collects all of the data itself, agentless polling mode requires greater system resources, and it doesn't scale as easily.

Agentless polling mode operates in a similar way to WinSecLog, but with only two event IDs: 4768 and 4769. Because there's no collector agent, FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

FortiGate acts as a collector. It's responsible for polling on top of its normal FSSO tasks but does not have all the extra features, such as workstation checks, that are available with the external collector agent.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check. Which interface will be selected as an outgoing interface?

A. port2
B. port4
C. port3
D. port1
Suggested answer: D

Explanation:

Port 1 shows the lowest latency.

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

A. The signature setting uses a custom rating threshold.
B. The signature setting includes a group of other signatures.
C. Traffic matching the signature will be allowed and logged.
D. Traffic matching the signature will be silently dropped and logged.
Suggested answer: D

Explanation:

Select Block to silently drop traffic matching any of the signatures included in the entry. So, while the default action would be 'Pass' for this signature, the administrator is specifically overriding that to set the Block action. To use the default action, the setting would have to be 'Default'.

The action is drop. The signature's default action is listed only in the signature; it would only apply if the action was set to Default.

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

A. 10.200.1.1
B. 10.200.3.1
C. 10.200.1.100
D. 10.200.1.10
Suggested answer: C

Explanation:

Policy 1 is applied on outbound (LAN-WAN) traffic and policy 2 is applied on inbound (WAN-LAN) traffic. The question asks about SNAT for outbound traffic, so policy 1 applies and NAT overload is in effect.

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

A. The Detection Mode setting is not set to Passive.
B. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
C. The configured participants are not SD-WAN members.
D. The Enable probe packets setting is not enabled.
Suggested answer: B, D

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

A. Destination NAT is disabled in the firewall policy.
B. One-to-one NAT IP pool is used in the firewall policy.
C. Overload NAT IP pool is used in the firewall policy.
D. Port block allocation IP pool is used in the firewall policy.
Suggested answer: B

Explanation:

FortiGate_Security_6.4 page 155. In one-to-one, PAT is not required.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

A. www.example.com:443
B. www.example.com
C. example.com
D. www.example.com/index.html
Suggested answer: B, C

Explanation:

When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names - no URLs or wildcard characters are allowed.

OK: google.com or www.google.com

Not OK: www.google.com/index.html or google.*

FortiGate_Security_6.4 page 384


Total 184 questions