[May 23, 2022] Fortinet NSE4_FGT-7.0 Real Exam Questions and Answers FREE [Q64-Q88]

May 23, 2022 admin 0

Categories : NSE4_FGT-7.0 , Fortinet

4.6/5 - (7 votes)

[May 23, 2022] Fortinet NSE4_FGT-7.0 Real Exam Questions and Answers FREE

Pass Fortinet NSE4_FGT-7.0 Exam Info and Free Practice Test

Fortinet NSE4_FGT-7.0 Exam Syllabus Topics:

Topic	Details
Topic 1	Explain and configure antivirus scanning modes to neutralize malware threats Identify FortiGate inspection modes and configure web and DNS filtering
Topic 2	Identify and configure different methods of firewall authentication Describe and inspect encrypted traffic using certificates
Topic 3	Configure and implement different SSL-VPN modes to provide secure access to the private network Implement the Fortinet Security Fabric
Topic 4	Implement a meshed or partially redundant IPsec VPN Explain FSSO deployment and configuration

NO.64 Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

The public key of the web server certificate must be installed on the browser.

The web-server certificate must be installed on the browser.

The CA certificate that signed the web-server certificate must be installed on the browser.

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

NO.65 Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

FortiGate points the collector agent to use a remote LDAP server.

FortiGate uses the AD server as the collector agent.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

FortiGate queries AD by using the LDAP to retrieve user group information.

Fortigate Infrastructure 7.0 Study Guide P.272-273
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

NO.66 View the exhibit:

Which the FortiGate handle web proxy traffic rue? (Choose two.)

Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

port-VLAN1 is the native VLAN for the port1 physical interface.

port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

NO.67 Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check.
Which interface will be selected as an outgoing interface?

port2

port4

port3

port1

Port 1 shows the lowest latency.

NO.68 Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

Administrators can access FortiGate only through the console port.

FortiGate has entered conserve mode.

FortiGate will start sending all files to FortiSandbox for inspection.

Administrators cannot change the configuration.

NO.69 Which statement about video filtering on FortiGate is true?

Full SSL Inspection is not required.

It is available only on a proxy-based firewall policy.

It inspects video files hosted on file sharing services.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

NO.70 An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The interface has been configured for one-arm sniffer.

The interface is a member of a virtual wire pair.

The operation mode is transparent.

The interface is a member of a zone.

Captive portal is enabled in the interface.

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

NO.71 What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to the application category only.

NO.72 An administrator is running the following sniffer command:

Which three pieces of Information will be Included in me sniffer output? {Choose three.)

Interface name

Packet payload

Ethernet header

IP header

Application header

NO.73 Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Destination NAT is disabled in the firewall policy.

One-to-one NAT IP pool is used in the firewall policy.

Overload NAT IP pool is used in the firewall policy.

Port block allocation IP pool is used in the firewall policy.

FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.

NO.74 Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

ADVPN is only supported with IKEv2.

Tunnels are negotiated dynamically between spokes.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

NO.75 An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Add the support of NTLM authentication.

Add user accounts to Active Directory (AD).

Add user accounts to the FortiGate group fitter.

Add user accounts to the Ignore User List.

NO.76 In an explicit proxy setup, where is the authentication method and database configured?

Proxy Policy

Authentication Rule

Firewall Policy

Authentication scheme

NO.77 Which three statements about a flow-based antivirus profile are correct? (Choose three.)

IPS engine handles the process as a standalone.

FortiGate buffers the whole file but transmits to the client simultaneously.

If the virus is detected, the last packet is delivered to the client.

Optimized performance compared to proxy-based inspection.

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

NO.78 Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http://www.fortinet.com? (Choose two.)

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

NO.79 Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

The firewall policy does not apply deep content inspection.

The firewall policy must be configured in proxy-based inspection mode.

The action on the firewall policy must be set to deny.

Web filter should be enabled on the firewall policy to complement the antivirus profile.

NO.80 Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

It is allowed, but with no inspection

It is allowed and inspected as long as the inspection is flow based

It is dropped.

It is allowed and inspected, as long as the only inspection required is antivirus.

NO.81 Which of the following statements about central NAT are true? (Choose two.)

IP tool references must be removed from existing firewall policies before enabling central NAT.

Central NAT can be enabled or disabled from the CLI only.

Source NAT, using central NAT, requires at least one central SNAT policy.

Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

NO.82 Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

On HQ-FortiGate, set IKE mode to Main (ID protection).

On both FortiGate devices, set Dead Peer Detection to On Demand.

On HQ-FortiGate, disable Diffie-Helman group 2.

On Remote-FortiGate, set port2 as Interface.

NO.83 Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

FortiGate will load balance all traffic across both routes.

FortiGate will use the port1 route as the primary candidate.

FortiGate will route twice as much traffic to the port2 route

FortiGate will only actuate the port1 route in the routing table

“If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.”

NO.84 Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

The debug flow is of ICMP traffic.

A firewall policy allowed the connection.

A new traffic session is created.

The default route is required to receive a reply.

NO.85 Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

hard-timeout

auth-on-demand

soft-timeout

new-session

Idle-timeout

https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

NO.86 Which two statements are true about the FGCP protocol? (Choose two.)

Not used when FortiGate is in Transparent mode

Elects the primary FortiGate device

Runs only over the heartbeat links

Is used to discover FortiGate devices in different HA groups

NO.87 Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

Apple FaceTime will be allowed, based on the Apple filter configuration.

Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn

Apple FaceTime will be allowed, based on the Categories configuration.

NO.88 Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?