AB
Fortinet nse4-fgt-7-2 practice test
Fortinet NSE 4 - FortiOS 7.2
Question 1
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)
- A. In the IP pool configuration, set type to overload. Most Votes
- B. Configure 192.2.0.12/24 as the secondary IP address on port1.
- C. In the firewall policy configuration, disable ippool.
- D. In the IP pool configuration, set endip to 192.2.0.12. Most Votes
- E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
Answer:
ade
Discussions
0
/ 1000
Question 2
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
- A. FortiGuard web filter cache
- B. FortiGate hostname
- C. DNS Most Votes
- D. NTP Most Votes
Answer:
cd
Discussions
0
/ 1000
7 months ago
6 months, 1 week ago
TOMA EL NOMBRE
5 months ago
dns y ntp ok
4 months, 3 weeks ago
CD
2 months, 1 week ago
C and d.
Question 3
Which two statements are true about the FGCP protocol? (Choose two.)
- A. FGCP elects the primary FortiGate device. Most Votes
- B. FGCP is not used when FortiGate is in transparent mode.
- C. FGCP runs only over the heartbeat links. Most Votes
- D. FGCP is used to discover FortiGate devices in different HA groups.
Answer:
ad
Discussions
0
/ 1000
9 months ago
5 months ago
Elige el primario y descubre
Question 4
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
- A. Intrusion prevention system engine Most Votes
- B. Application control engine
- C. Antivirus engine
- D. Turbo engine
Answer:
b
Discussions
0
/ 1000
6 months, 3 weeks ago
Correct answer is A, check FortiGate_Security_7.2_Study_Guide-Online.pdf, page 296, last paragraph.
3 months, 3 weeks ago
A is correct
Question 5
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to the browser-based technology category only. Most Votes
- B. It limits the scanning of application traffic to the DNS protocol only.
- C. It limits the scanning of application traffic to use parent signatures only.
- D. It limits the scanning of application traffic to the application category only.
Answer:
a
Discussions
0
/ 1000
6 months, 1 week ago
Busca de acuerdo a la firmas que tenga en el firewall.
6 months, 1 week ago
Busca las base de las firmas en el firewall.
Question 6
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
- A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
- B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
- C. Change the csf setting on both devices to set downstream-access enable.
- D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
Answer:
d
Discussions
0
/ 1000
8 months, 1 week ago
I guess the correct answer should be: Change the csf setting on ISFW (downstream) to set fabric-object-unification default. Or am I wrong?
6 months, 1 week ago
Configuracion
Question 7
Refer to the exhibit.
The exhibit shows the output of a diagnose command.
What does the output reveal about the policy route?
- A. It is an ISDB route in policy route.
- B. It is a regular policy route.
- C. It is an ISDB policy route with an SDWAN rule.
- D. It is an SDWAN rule in policy route.
Answer:
c
Discussions
0
/ 1000
6 months, 3 weeks ago
The correct answer is D. As shown in FortiGate_Infrastructure_7.2_Study_Guide-Online.pdf, page 59. Can't be A,B or C, because neither regular policies or ISDB policies show the vw1_service field.
6 months, 1 week ago
POLICY ROUTER C
Question 8
Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
- A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
- B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
- C. Set the Freeware and Software Downloads category Action to Warning.
- D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
Answer:
ad
Discussions
0
/ 1000
Question 9
Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
- A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
- B. The traffic sourced from the client and destined to the server is sent to FGT-1.
- C. The cluster can load balance ICMP connections to the secondary.
- D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Answer:
ab
Discussions
0
/ 1000
Question 10
An administrator has configured the following settings:
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)
- A. Device detection on all interfaces is enforced for 30 minutes.
- B. Denied users are blocked for 30 minutes.
- C. The number of logs generated by denied traffic is reduced.
- D. A session for denied traffic is created.
Answer:
ab
Discussions
0
/ 1000
3 months, 3 weeks ago
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
FortiGate Security 7.2 Study Guide (p.69):
"During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.
This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds."
Reference and download study guide:
i think the answer is ADE
Debe tener mas ip pool para poder navegar
a d and e are the answer
The problem is the IP pool is set to 1 to 1, but there's only 2 IPs in the pool. So when a third connects, there is no more IPs in the pool. The rule itself is fine. Expand the pool, or switch to overload instead of 1 to 1.
In the IP pool configuration, set endip to 192.2.0.12.