AB
Fortinet nse4-fgt-7-2 practice test
Fortinet NSE 4 - FortiOS 7.2
Question 1
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)
- A. In the IP pool configuration, set type to overload.
- B. Configure 192.2.0.12/24 as the secondary IP address on port1.
- C. In the firewall policy configuration, disable ippool.
- D. In the IP pool configuration, set endip to 192.2.0.12.
- E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
Answer:
ade
Discussions
0
/ 1000
Question 2
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
- A. FortiGuard web filter cache
- B. FortiGate hostname
- C. DNS
- D. NTP
Answer:
cd
Discussions
0
/ 1000
1 week, 5 days ago
Question 3
Which two statements are true about the FGCP protocol? (Choose two.)
- A. FGCP elects the primary FortiGate device.
- B. FGCP is not used when FortiGate is in transparent mode.
- C. FGCP runs only over the heartbeat links.
- D. FGCP is used to discover FortiGate devices in different HA groups.
Answer:
ad
Discussions
0
/ 1000
2 months, 1 week ago
Question 4
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
- A. Intrusion prevention system engine
- B. Application control engine
- C. Antivirus engine
- D. Turbo engine
Answer:
b
Discussions
0
/ 1000
5 days, 6 hours ago
Correct answer is A, check FortiGate_Security_7.2_Study_Guide-Online.pdf, page 296, last paragraph.
Question 5
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to the browser-based technology category only.
- B. It limits the scanning of application traffic to the DNS protocol only.
- C. It limits the scanning of application traffic to use parent signatures only.
- D. It limits the scanning of application traffic to the application category only.
Answer:
a
Discussions
0
/ 1000
Question 6
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
- A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
- B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
- C. Change the csf setting on both devices to set downstream-access enable.
- D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
Answer:
d
Discussions
0
/ 1000
1 month, 2 weeks ago
I guess the correct answer should be: Change the csf setting on ISFW (downstream) to set fabric-object-unification default. Or am I wrong?
Question 7
Refer to the exhibit.
The exhibit shows the output of a diagnose command.
What does the output reveal about the policy route?
- A. It is an ISDB route in policy route.
- B. It is a regular policy route.
- C. It is an ISDB policy route with an SDWAN rule.
- D. It is an SDWAN rule in policy route.
Answer:
c
Discussions
0
/ 1000
5 days, 6 hours ago
The correct answer is D. As shown in FortiGate_Infrastructure_7.2_Study_Guide-Online.pdf, page 59. Can't be A,B or C, because neither regular policies or ISDB policies show the vw1_service field.
Question 8
Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
- A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
- B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
- C. Set the Freeware and Software Downloads category Action to Warning.
- D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
Answer:
ad
Discussions
0
/ 1000
Question 9
Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
- A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
- B. The traffic sourced from the client and destined to the server is sent to FGT-1.
- C. The cluster can load balance ICMP connections to the secondary.
- D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Answer:
ab
Discussions
0
/ 1000
Question 10
An administrator has configured the following settings:
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)
- A. Device detection on all interfaces is enforced for 30 minutes.
- B. Denied users are blocked for 30 minutes.
- C. The number of logs generated by denied traffic is reduced.
- D. A session for denied traffic is created.
Answer:
ab
Discussions
0
/ 1000
i think the answer is ADE