Note! The NSE4_FGT-6.4 Exam is no longer available. Get in touch with our Live Chat or email us for more information about the NSE4_FGT-7.2 Exam.

NSE4_FGT-6.4 Fortinet NSE 4 - FortiOS 6.4 Questions and Answers

Questions 4

Which two statements are correct about SLA targets? (Choose two.)

Options:

A.

You can configure only two SLA targets per one Performance SLA.

B.

SLA targets are optional.

C.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

D.

SLA targets are used only when referenced by an SD-WAN rule.

Questions 5

Which three statements are true regarding session-based authentication? (Choose three.)

Options:

A.

HTTP sessions are treated as a single user.

B.

IP sessions from the same source IP address are treated as a single user.

C.

It can differentiate among multiple clients behind the same source IP address.

D.

It requires more resources.

E.

It is not recommended if multiple users are behind the source NAT.

Questions 6

Refer to the exhibit.

NSE4_FGT-6.4 Question 6

The exhibit contains a session diagnostic output. Which statement is true about the session diagnostic output?

Options:

A.

The session is in SYN_SENT state.

B.

The session is in FIN_ACK state.

C.

The session is in FIN_WAIT state.

D.

The session is in ESTABLISHED state.

Questions 7

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Options:

A.

It limits the scope of application control to the browser-based technology category only.

B.

It limits the scope of application control to scan application traffic based on application category only.

C.

It limits the scope of application control to scan application traffic using parent signatures only.

D.

It limits the scope of application control to scan application traffic on DNS protocol only.

Questions 8

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

Options:

A.

Implement a web filter category override for the specified website.

B.

Implement a DNS filter for the specified website.

C.

Implement web filter quotas for the specified website.

D.

Implement web filter authentication for the specified website.

Questions 9

Refer to the exhibit.

NSE4_FGT-6.4 Question 9

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.

What should the administrator do next to troubleshoot the problem?

Options:

A.

Run a sniffer on the web server.

B.

Capture the traffic using an external sniffer connected to port1.

C.

Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.

D.

Execute a debug flow.

Questions 10

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

Options:

A.

The interface has been configured for one-arm sniffer.

B.

The interface is a member of a virtual wire pair.

C.

The operation mode is transparent.

D.

The interface is a member of a zone.

E.

Captive portal is enabled in the interface.

Questions 11

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Options:

A.

Subject Key Identifier value

B.

SMIME Capabilities value

C.

Subject value

D.

Subject Alternative Name value

Questions 12

Which of the following SD-WAN load-balancing methods use the interface weight value to distribute traffic? (Choose two.)

Options:

A.

Source IP

B.

Spillover

C.

Volume

D.

Session

Questions 13

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

Options:

A.

Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

B.

An SA never expires.

C.

A phase 1 SA is bidirectional, while a phase 2 SA is directional.

D.

Phase 2 SA expiration can be time-based, volume-based, or both.

E.

Both the phase 1 SA and phase 2 SA are bidirectional.

Questions 14

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Options:

A.

By default, all interfaces are part of the same broadcast domain.

B.

The existing network IP schema must be changed when installing a transparent mode.

C.

Static routes are required to allow traffic to the next hop.

D.

FortiGate forwards frames without changing the MAC address.

Questions 15

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

Options:

A.

diagnose wad session list

B.

diagnose wad session list | grep hook-pre&&hook-out

C.

diagnose wad session list | grep hook=pre&&hook=out

D.

diagnose wad session list | grep "hook=pre"&"hook=out"

Questions 16

Refer to the exhibit.

NSE4_FGT-6.4 Question 16

Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

Options:

A.

Traffic between port2 and port2-vlan1 is allowed by default.

B.

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

C.

port1 is a native VLAN.

D.

port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Questions 17

Refer to the exhibit.

NSE4_FGT-6.4 Question 17

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.

An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.

The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http://www.fortinet.com? (Choose two.)

Options:

A.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

B.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

C.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

D.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

Questions 18

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

Options:

A.

Source defined as Internet Services in the firewall policy.

B.

Destination defined as Internet Services in the firewall policy.

C.

Highest to lowest priority defined in the firewall policy.

D.

Services defined in the firewall policy.

E.

Lowest to highest policy ID number.

Questions 19

An administrator wants to configure Dead Peer Detection (DPD) on an IPsec VPN to detect dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

Options:

A.

Disabled

B.

On Demand

C.

Enabled

D.

On Idle

Questions 20

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

Options:

A.

A phase 2 configuration is not required.

B.

This VPN cannot be used as part of a hub-and-spoke topology.

C.

A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

D.

The IPsec firewall policies must be placed at the top of the list.

Questions 21

Refer to the exhibit.

NSE4_FGT-6.4 Question 21

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.

The port3 default route has the highest distance.

B.

The port3 default route has the lowest metric.

C.

There will be eight routes active in the routing table.

D.

The port1 and port2 default routes are active in the routing table.

Questions 22

Refer to the exhibit, which contains a static route configuration.

NSE4_FGT-6.4 Question 22

An administrator created a static route for Amazon Web Services.

What CLI command must the administrator use to view the route?

Options:

A.

get router info routing-table all

B.

get internet service route list

C.

get router info routing-table database

D.

diagnose firewall proute list

Questions 23

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

Options:

A.

FortiGuard web filter cache

B.

FortiGate hostname

C.

NTP

D.

DNS

Questions 24

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Options:

A.

Configure Source IP Pools.

B.

Configure split tunneling in tunnel mode.

C.

Configure different SSL VPN realms.

D.

Configure host check.

Exam Code: NSE4_FGT-6.4
Exam Name: Fortinet NSE 4 - FortiOS 6.4
Last Update: Dec 11, 2023
Questions: 165