Special Summer Discounts Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 63r59951

NSE4_FGT-7.0 Fortinet NSE 4 - FortiOS 7.0 Questions and Answers

Questions 4

Which scanning technique on FortiGate can be enabled only on the CLI?

Options:

A.

Heuristics scan

B.

Trojan scan

C.

Antivirus scan

D.

Ransomware scan

Buy Now
Questions 5

Refer to the exhibit.

NSE4_FGT-7.0 Question 5

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.

How does FortiGate process the traffic sent to http://www.fortinet.com?

Options:

A.

Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.

B.

Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.

C.

Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.

D.

Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Buy Now
Questions 6

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

Options:

A.

Shut down/reboot a downstream FortiGate device.

B.

Disable FortiAnalyzer logging for a downstream FortiGate device.

C.

Log in to a downstream FortiSwitch device.

D.

Ban or unban compromised hosts.

Buy Now
Questions 7

Which two statements ate true about the Security Fabric rating? (Choose two.)

Options:

A.

It provides executive summaries of the four largest areas of security focus.

B.

Many of the security issues can be fixed immediately by clicking Apply where available.

C.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

D.

The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

Buy Now
Questions 8

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

Options:

A.

hard-timeout

B.

auth-on-demand

C.

soft-timeout

D.

new-session

E.

Idle-timeout

Buy Now
Questions 9

Refer to the FortiGuard connection debug output.

NSE4_FGT-7.0 Question 9

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

Options:

A.

A local FortiManager is one of the servers FortiGate communicates with.

B.

One server was contacted to retrieve the contract information.

C.

There is at least one server that lost packets consecutively.

D.

FortiGate is using default FortiGuard communication settings.

Buy Now
Questions 10

An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

Options:

A.

192.168.3.0/24

B.

192.168.2.0/24

C.

192.168.1.0/24

D.

192.168.0.0/8

Buy Now
Questions 11

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.

Which two other security profiles can you apply to the security policy? (Choose two.)

Options:

A.

Antivirus scanning

B.

File filter

C.

DNS filter

D.

Intrusion prevention

Buy Now
Questions 12

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Options:

A.

Heartbeat interfaces have virtual IP addresses that are manually assigned.

B.

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C.

Virtual IP addresses are used to distinguish between cluster members.

D.

The primary device in the cluster is always assigned IP address 169.254.0.1.

Buy Now
Questions 13

Which statement regarding the firewall policy authentication timeout is true?

Options:

A.

It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.

B.

It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.

C.

It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.

D.

It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

Buy Now
Questions 14

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

NSE4_FGT-7.0 Question 14

NSE4_FGT-7.0 Question 14

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

Options:

A.

The firewall policy performs the full content inspection on the file.

B.

The flow-based inspection is used, which resets the last packet to the user.

C.

The volume of traffic being inspected is too high for this model of FortiGate.

D.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Buy Now
Questions 15

Refer to the exhibit showing a debug flow output.

NSE4_FGT-7.0 Question 15

Which two statements about the debug flow output are correct? (Choose two.)

Options:

A.

The debug flow is of ICMP traffic.

B.

A firewall policy allowed the connection.

C.

A new traffic session is created.

D.

The default route is required to receive a reply.

Buy Now
Questions 16

Refer to the exhibit.

NSE4_FGT-7.0 Question 16

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

Options:

A.

FortiGate SN FGVM010000065036 HA uptime has been reset.

B.

FortiGate devices are not in sync because one device is down.

C.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

D.

FortiGate SN FGVM010000064692 has the higher HA priority.

Buy Now
Questions 17

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

Options:

A.

NGFW policy-based mode does not require the use of central source NAT policy

B.

NGFW policy-based mode can only be applied globally and not on individual VDOMs

C.

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

D.

NGFW policy-based mode policies support only flow inspection

Buy Now
Questions 18

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

Options:

A.

The keyUsage extension must be set to keyCertSign.

B.

The common name on the subject field must use a wildcard name.

C.

The issuer must be a public CA.

D.

The CA extension must be set to TRUE.

Buy Now
Questions 19

Refer to the exhibit.

NSE4_FGT-7.0 Question 19

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

Options:

A.

The Detection Mode setting is not set to Passive.

B.

Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

C.

The configured participants are not SD-WAN members.

D.

The Enable probe packets setting is not enabled.

Buy Now
Questions 20

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

Options:

A.

The collector agent uses a Windows API to query DCs for user logins.

B.

NetAPI polling can increase bandwidth usage in large networks.

C.

The collector agent must search security event logs.

D.

The NetSession Enum function is used to track user logouts.

Buy Now
Questions 21

How does FortiGate act when using SSL VPN in web mode?

Options:

A.

FortiGate acts as an FDS server.

B.

FortiGate acts as an HTTP reverse proxy.

C.

FortiGate acts as DNS server.

D.

FortiGate acts as router.

Buy Now
Questions 22

Refer to the exhibit.

NSE4_FGT-7.0 Question 22

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

Options:

A.

The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.

B.

The sensor will block all attacks aimed at Windows servers.

C.

The sensor will reset all connections that match these signatures.

D.

The sensor will gather a packet log for all matched traffic.

Buy Now
Questions 23

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

Options:

A.

Application control is not enabled

B.

SSL/SSH Inspection profile is incorrect

C.

Antivirus profile configuration is incorrect

D.

Antivirus definitions are not up to date

Buy Now
Questions 24

Which two statements about antivirus scanning mode are true? (Choose two.)

Options:

A.

In proxy-based inspection mode, files bigger than the buffer size are scanned.

B.

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

C.

In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

D.

In flow-based inspection mode, files bigger than the buffer size are scanned.

Buy Now
Questions 25

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

Options:

A.

get system status

B.

get system performance status

C.

diagnose sys top

D.

get system arp

Buy Now
Exam Code: NSE4_FGT-7.0
Exam Name: Fortinet NSE 4 - FortiOS 7.0
Last Update: Aug 17, 2022
Questions: 172

PDF + Testing Engine

$79.2  $175.99

Testing Engine

$59.4  $131.99
buy now NSE4_FGT-7.0 testing engine

PDF (Q&A)

$49.5  $109.99
buy now NSE4_FGT-7.0 pdf