NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Questions 4

Refer to the exhibit showing a debug flow output.

NSE4_FGT-7.2 Question 4

Which two statements about the debug flow output are correct? (Choose two.)

Options:

A.

The debug flow is of ICMP traffic.

B.

A firewall policy allowed the connection.

C.

A new traffic session is created.

D.

The default route is required to receive a reply.

Questions 5

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Options:

A.

SSL VPN idle-timeout

B.

SSL VPN http-request-body-timeout

C.

SSL VPN login-timeout

D.

SSL VPN dtls-hello-timeout

Questions 6

Refer to the exhibits.

Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive-Bandwidth and Apple filter details.

NSE4_FGT-7.2 Question 6

NSE4_FGT-7.2 Question 6

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

Options:

A.

Apple FaceTime will be allowed, based on the Categories configuration.

B.

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

C.

Apple FaceTime will be allowed, based on the Apple filter configuration.

D.

Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

Questions 7

Refer to the exhibit.

NSE4_FGT-7.2 Question 7

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

Options:

A.

10.200.1.1

B.

10.200.3.1

C.

10.200.1.100

D.

10.200.1.10

Questions 8

The IPS engine is used by which three security features? (Choose three.)

Options:

A.

Antivirus in flow-based inspection

B.

Web filter in flow-based inspection

C.

Application control

D.

DNS filter

E.

Web application firewall

Questions 9

Refer to the exhibit.

NSE4_FGT-7.2 Question 9

NSE4_FGT-7.2 Question 9

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check. Which interface will be selected as an outgoing interface?

Options:

A.

port2

B.

port4

C.

port3

D.

port1

Questions 10

Which statement about video filtering on FortiGate is true?

Options:

A.

Full SSL Inspection is not required.

B.

It is available only on a proxy-based firewall policy.

C.

It inspects video files hosted on file sharing services.

D.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Questions 11

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Options:

A.

Subject Key Identifier value

B.

S/MIME Capabilities value

C.

Subject value

D.

Subject Alternative Name value

Questions 12

Refer to the exhibit.

NSE4_FGT-7.2 Question 12

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Options:

A.

There are five devices that are part of the security fabric.

B.

Device detection is disabled on all FortiGate devices.

C.

This security fabric topology is a logical topology view.

D.

There are 19 security recommendations for the security fabric.

Questions 13

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

Options:

A.

The matching firewall policy is set to proxy inspection mode.

B.

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

C.

The full SSL inspection feature does not have a valid license.

D.

The browser does not trust the certificate used by FortiGate for SSL inspection.

Questions 14

Refer to the exhibit showing a debug flow output.

NSE4_FGT-7.2 Question 14

What two conclusions can you make from the debug flow output? (Choose two.)

Options:

A.

The debug flow is for ICMP traffic.

B.

The default route is required to receive a reply.

C.

A new traffic session was created.

D.

A firewall policy allowed the connection.

Questions 15

An administrator wants to simplify remote access without asking users to provide user credentials.

Which access control method provides this solution?

Options:

A.

ZTNA IP/MAC filtering mode

B.

ZTNA access proxy

C.

SSL VPN

D.

L2TP

Questions 16

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

NSE4_FGT-7.2 Question 16

Which CLI command must the administrator use to view the route?

Options:

A.

get router info routing-table database

B.

diagnose firewall route list

C.

get internet-service route list

D.

get router info routing-table all

Questions 17

Examine this output from a debug flow:

NSE4_FGT-7.2 Question 17

Why did the FortiGate drop the packet?

Options:

A.

The next-hop IP address is unreachable.

B.

It failed the RPF check.

C.

It matched an explicitly configured firewall policy with the action DENY.

D.

It matched the default implicit firewall policy.

Questions 18

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

Options:

A.

diagnose wad session list

B.

diagnose wad session list | grep hook-pre&&hook-out

C.

diagnose wad session list | grep hook=pre&&hook=out

D.

diagnose wad session list | grep "hook=pre"&"hook=out"

Questions 19

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

Options:

A.

idle-timeout

B.

login-timeout

C.

udp-idle-timer

D.

session-ttl

Questions 20

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Options:

A.

Log ID

B.

Universally Unique Identifier

C.

Policy ID

D.

Sequence ID

Questions 21

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

NSE4_FGT-7.2 Question 21

NSE4_FGT-7.2 Question 21

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

Options:

A.

The firewall policy performs the full content inspection on the file.

B.

The flow-based inspection is used, which resets the last packet to the user.

C.

The volume of traffic being inspected is too high for this model of FortiGate.

D.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Questions 22

Which statement is correct regarding the security fabric?

Options:

A.

FortiManager is one of the required member devices.

B.

FortiGate devices must be operating in NAT mode.

C.

A minimum of two Fortinet devices is required.

D.

FortiGate Cloud cannot be used for logging purposes.

Questions 23

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

NSE4_FGT-7.2 Question 23

NSE4_FGT-7.2 Question 23

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

Options:

A.

10.200.1.10

B.

Any available IP address in the WAN (port1) subnet 10.200.1.0/24

C.

10.200.1.1

D.

10.0.1.254

Questions 24

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

Options:

A.

Source defined as Internet Services in the firewall policy.

B.

Destination defined as Internet Services in the firewall policy.

C.

Highest to lowest priority defined in the firewall policy.

D.

Services defined in the firewall policy.

E.

Lowest to highest policy ID number.

Questions 25

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

NSE4_FGT-7.2 Question 25

Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

Options:

A.

On Remote-FortiGate, set Seconds to 43200.

B.

On HQ-FortiGate, set Encryption to AES256.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, enable Auto-negotiate.

Questions 26

Which two statements are correct about a software switch on FortiGate? (Choose two.)

Options:

A.

It can be configured only when FortiGate is operating in NAT mode

B.

Can act as a Layer 2 switch as well as a Layer 3 router

C.

All interfaces in the software switch share the same IP address

D.

It can group only physical interfaces

Questions 27

Which of the following statements about central NAT are true? (Choose two.)

Options:

A.

IP pool references must be removed from existing firewall policies before enabling central NAT.

B.

Central NAT can be enabled or disabled from the CLI only.

C.

Source NAT, using central NAT, requires at least one central SNAT policy.

D.

Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Questions 28

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

Options:

A.

DNS

B.

ping

C.

udp-echo

D.

TWAMP

Questions 29

Options:

A.

Log downloads from the GUI are limited to the current filter view.

B.

Log backups from the CLI cannot be restored to another FortiGate.

C.

Log backups from the CLI can be configured to upload to FTP at a scheduled time.

D.

Log downloads from the GUI are stored as LZ4 compressed files.

Questions 30

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

Options:

A.

get system status

B.

get system performance status

C.

diagnose sys top

D.

get system arp

Questions 31

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

NSE4_FGT-7.2 Question 31

NSE4_FGT-7.2 Question 31

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Options:

A.

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B.

The traffic sourced from the client and destined to the server is sent to FGT-1.

C.

The cluster can load balance ICMP connections to the secondary.

D.

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Questions 32

Which of the following SD-WAN load balancing methods use the interface weight value to distribute traffic? (Choose two.)

Options:

A.

Source IP

B.

Spillover

C.

Volume

D.

Session

Questions 33

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

* All traffic must be routed through the primary tunnel when both tunnels are up

* The secondary tunnel must be used only if the primary tunnel goes down

* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

Options:

A.

Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

B.

Enable Dead Peer Detection.

C.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

D.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Questions 34

Which statement is correct regarding the use of application control for inspecting web applications?

Options:

A.

Application control can identify child and parent applications, and perform different actions on them.

B.

Application control signatures are organized in a nonhierarchical structure.

C.

Application control does not require SSL inspection to identify web applications.

D.

Application control does not display a replacement message for a blocked web application.

Questions 35

Refer to the exhibit.

NSE4_FGT-7.2 Question 35

The exhibit contains a session diagnostic output. Which statement is true about the session diagnostic output?

Options:

A.

The session is in SYN_SENT state.

B.

The session is in FIN_ACK state.

C.

The session is in FIN_WAIT state.

D.

The session is in ESTABLISHED state.

Questions 36

Refer to the exhibits.

NSE4_FGT-7.2 Question 36

NSE4_FGT-7.2 Question 36

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

Options:

A.

Administrators can access FortiGate only through the console port.

B.

FortiGate has entered conserve mode.

C.

FortiGate will start sending all files to FortiSandbox for inspection.

D.

Administrators cannot change the configuration.

Questions 37

Which two statements are true about the Security Fabric rating? (Choose two.)

Options:

A.

It provides executive summaries of the four largest areas of security focus.

B.

Many of the security issues can be fixed immediately by clicking Apply where available.

C.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

D.

The Security Fabric rating is a free service that comes bundled with all FortiGate devices.

Questions 38

Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)

Options:

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Questions 39

Which statement describes a characteristic of automation stitches?

Options:

A.

They can have one or more triggers.

B.

They can be run only on devices in the Security Fabric.

C.

They can run multiple actions simultaneously.

D.

They can be created on any device in the fabric.

Questions 40

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

Options:

A.

Policy lookup will be disabled.

B.

By Sequence view will be disabled.

C.

Search option will be disabled

D.

Interface Pair view will be disabled.

Questions 42

In which two ways can RPF checking be disabled? (Choose two.)

Options:

A.

Enable anti-replay in firewall policy.

B.

Disable the RPF check at the FortiGate interface level for the source check

C.

Enable asymmetric routing.

D.

Disable strict-src-check under system settings.

Questions 43

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

Options:

A.

VLAN interface

B.

Software Switch interface

C.

Aggregate interface

D.

Redundant interface

Questions 44

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Options:

A.

FortiGuard web filter queries

B.

PKI

C.

Traffic shaping

D.

DNS

Questions 45

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Options:

A.

By default, all interfaces are part of the same broadcast domain.

B.

The existing network IP schema must be changed when installing FortiGate in transparent mode.

C.

Static routes are required to allow traffic to the next hop.

D.

FortiGate forwards frames without changing the MAC address.

Questions 46

Which statement regarding the firewall policy authentication timeout is true?

Options:

A.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

B.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

C.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

D.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

Questions 47

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Options:

A.

Static IP Address

B.

Dialup User

C.

Dynamic DNS

D.

Pre-shared Key

Questions 49

Refer to the exhibit.

NSE4_FGT-7.2 Question 49

The exhibit contains a network diagram and routing table output.

The Student is unable to access Webserver.

What is the cause of the problem and what is the solution for the problem?

Options:

A.

The first packet sent from Student failed the RPF check.

This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

B.

The first reply packet for Student failed the RPF check.

This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

C.

The first reply packet for Student failed the RPF check.

This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

D.

The first packet sent from Student failed the RPF check.

This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Questions 50

Refer to the exhibit.

NSE4_FGT-7.2 Question 50

NSE4_FGT-7.2 Question 50

NSE4_FGT-7.2 Question 50

NSE4_FGT-7.2 Question 50

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

A firewall policy is configured to allow traffic from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

Options:

A.

10.200.1.149

B.

10.200.1.1

C.

10.200.1.49

D.

10.200.1.99

Questions 51

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

Options:

A.

It uses UDP 8888.

B.

It uses UDP 53.

C.

It uses DNS over HTTPS.

D.

It uses DNS over TLS.

Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 - FortiOS 7.2
Last Update: Apr 19, 2024
Questions: 170