Fortinet nse4-fgt-7-2 practice test

Fortinet NSE 4 - FortiOS 7.2

Last exam update: Oct 07, 2024
Page 1 out of 11. Viewing questions 1-10 out of 104

Question 1

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.



Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)

  • A. In the IP pool configuration, set type to overload. Most Votes
  • B. Configure 192.2.0.12/24 as the secondary IP address on port1.
  • C. In the firewall policy configuration, disable ippool.
  • D. In the IP pool configuration, set endip to 192.2.0.12. Most Votes
  • E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.

Answer:

ade

User Votes:
A 28 votes
B 4 votes
C 16 votes
D 32 votes
E 18 votes

Discussions

ansari
7 months, 2 weeks ago

I think the answer is ADE

semartinez
4 months, 4 weeks ago

It must have more IP pool to be able to browse

sureyya.ayce
3 months, 1 week ago

A, D and E are the answer

Ozzy_98
3 months, 1 week ago

The problem is the IP pool is set to 1 to 1, but there are only 2 IPs in the pool. So when a third connects, there are no more IPs in the pool. The rule itself is fine. Expand the pool, or switch to overload instead of 1 to 1.

evantoday
1 week ago

In the IP pool configuration, set endip to 192.2.0.12.


Question 2

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

  • A. FortiGuard web filter cache
  • B. FortiGate hostname
  • C. DNS Most Votes
  • D. NTP Most Votes

Answer:

cd

User Votes:
A 4 votes
B 5 votes
C 17 votes
D 17 votes

Discussions

meer
5 months, 3 weeks ago

AB

semartinez
4 months, 4 weeks ago

IT TAKES THE NAME

semartinez
3 months, 3 weeks ago

dns and ntp ok

lordgosub2
3 months, 2 weeks ago

CD

ale7633
1 month ago

C and D.


Question 3

Which two statements are true about the FGCP protocol? (Choose two.)

  • A. FGCP elects the primary FortiGate device. Most Votes
  • B. FGCP is not used when FortiGate is in transparent mode.
  • C. FGCP runs only over the heartbeat links. Most Votes
  • D. FGCP is used to discover FortiGate devices in different HA groups.

Answer:

ad

User Votes:
A 18 votes
B 2 votes
C 13 votes
D 10 votes

Discussions

eliatonello
7 months, 3 weeks ago

semartinez
3 months, 3 weeks ago

It elects the primary and discovers


Question 4

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

  • A. Intrusion prevention system engine Most Votes
  • B. Application control engine
  • C. Antivirus engine
  • D. Turbo engine

Answer:

b

User Votes:
A 13 votes
B 6 votes
C 1 vote
D

Discussions

javalcasan
5 months, 2 weeks ago

Correct answer is A, check FortiGate_Security_7.2_Study_Guide-Online.pdf, page 296, last paragraph.

deepz142
2 months, 2 weeks ago

A is correct


Question 5

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  • A. It limits the scanning of application traffic to the browser-based technology category only. Most Votes
  • B. It limits the scanning of application traffic to the DNS protocol only.
  • C. It limits the scanning of application traffic to use parent signatures only.
  • D. It limits the scanning of application traffic to the application category only.

Answer:

a

User Votes:
A 14 votes
B 2 votes
C
D

Discussions

semartinez
4 months, 4 weeks ago

It searches according to the signatures it has on the firewall.

semartinez
4 months, 4 weeks ago

It searches the signature databases on the firewall.


Question 6

Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).


What must the administrator do to synchronize the address object?

  • A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
  • B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
  • C. Change the csf setting on both devices to set downstream-access enable.
  • D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Answer:

d

User Votes:
A
B
C 7 votes
D 7 votes

Discussions

rbo69
7 months ago

I guess the correct answer should be: Change the csf setting on ISFW (downstream) to set fabric-object-unification default. Or am I wrong?

semartinez
4 months, 4 weeks ago

Configuration


Question 7

Refer to the exhibit.
The exhibit shows the output of a diagnose command.

What does the output reveal about the policy route?

  • A. It is an ISDB route in policy route.
  • B. It is a regular policy route.
  • C. It is an ISDB policy route with an SDWAN rule.
  • D. It is an SDWAN rule in policy route.

Answer:

c

User Votes:
A 3 votes
B
C 5 votes
D 7 votes

Discussions

javalcasan
5 months, 2 weeks ago

The correct answer is D. As shown in FortiGate_Infrastructure_7.2_Study_Guide-Online.pdf, page 59. Can't be A, B or C, because neither regular policies nor ISDB policies show the vw1_service field.

semartinez
4 months, 4 weeks ago

POLICY ROUTER C


Question 8

Refer to the exhibit.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.



What are two solutions for satisfying the requirement? (Choose two.)

  • A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
  • B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
  • C. Set the Freeware and Software Downloads category Action to Warning.
  • D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

Answer:

ad

User Votes:
A 2 votes
B 7 votes
C
D 8 votes

Question 9

Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.


Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

  • A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
  • B. The traffic sourced from the client and destined to the server is sent to FGT-1.
  • C. The cluster can load balance ICMP connections to the secondary.
  • D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Answer:

ab

User Votes:
A 9 votes
B 3 votes
C 2 votes
D 9 votes

Question 10

An administrator has configured the following settings:

    config system settings
        set ses-denied-traffic enable
    end
    config system global
        set block-session-timer 30
    end

What are the two results of this configuration? (Choose two.)

  • A. Device detection on all interfaces is enforced for 30 minutes.
  • B. Denied users are blocked for 30 minutes.
  • C. The number of logs generated by denied traffic is reduced.
  • D. A session for denied traffic is created.

Answer:

ab

User Votes:
A 4 votes
B 4 votes
C 6 votes
D 7 votes

Discussions

deepz142
2 months, 2 weeks ago

C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.

FortiGate Security 7.2 Study Guide (p.69):
"During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.
This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds."

Reference and download study guide:
