Exam: NSE4_FGT-7.2
Title: Fortinet NSE 4 - FortiOS 7.2
https://www.passcert.com/NSE4_FGT-7.2.html

1. Refer to the exhibit.
Based on the raw log, which two statements are correct? (Choose two.)
A. Traffic is blocked because Action is set to DENY in the firewall policy.
B. Traffic belongs to the root VDOM.
C. This is a security log.
D. Log severity is set to error on FortiGate.
Answer: A, C

2. Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
Answer: A, C

3. Refer to the exhibit.
The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster
Which two statements are true? (Choose two.)
A. FortiGate SN FGVM010000065036 HA uptime has been reset.
B. FortiGate devices are not in sync because one device is down.
C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
D. FortiGate SN FGVM010000064692 has the higher HA priority.
Answer: A, D
Explanation:
1. Override is disabled by default - OK
2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary". The question here is: HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes). Page 314 Infra Study Guide.
The safer, easier way to help you pass any IT exams
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-overridedisab

4. Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. The IPS engine was inspecting high volume of traffic.
B. The IPS engine was unable to prevent an intrusion attack.
C. The IPS engine was blocking all traffic.
D. The IPS engine will continue to run in a normal state.
Answer: A
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage

5. Refer to the exhibit.
The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?
A. 10.200.1.1
B. 10.200.3.1
C. 10.200.1.100
D. 10.200.1.10
Answer: C
Explanation:
Policy 1 is applied on outbound (LAN-WAN) and policy 2 is applied on inbound (WAN-LAN). The question is asking about SNAT for outbound traffic, so policy 1 will take place and NAT overload is in effect.

6. In which two ways can RPF checking be disabled? (Choose two.)
A. Enable anti-replay in firewall policy.
B. Disable the RPF check at the FortiGate interface level for the source check.
C. Enable asymmetric routing.
D. Disable strict-src-check under system settings.
Answer: C, D
Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

7. Refer to the exhibit.
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.
Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)
A. The Detection Mode setting is not set to Passive.
B. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
C. The configured participants are not SD-WAN members.
D. The Enable probe packets setting is not enabled.
Answer: B, D

8. Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)
A. The keyUsage extension must be set to keyCertSign.
B. The common name on the subject field must use a wildcard name.
C. The issuer must be a public CA.
D. The CA extension must be set to TRUE.
Answer: A, D
Explanation:
"In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."
Reference: https://www.reddit.com/r/fortinet/comments/c7j6jg/recommendedsslcert/

9. Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?
A. get system status
B. get system performance status
C. diagnose sys top
D. get system arp
Answer: D
Explanation:
"If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table."

10. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. It limits the scope of application control to the browser-based technology category only.
B. It limits the scope of application control to scan application traffic based on application category only.
C. It limits the scope of application control to scan application traffic using parent signatures only.
D. It limits the scope of application control to scan application traffic on DNS protocol only.
Answer: B

11. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?
A. Static IP Address
B. Dialup User
C. Dynamic DNS
D. Pre-shared Key
Answer: B
Explanation:
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client, and this is often the case for branch offices and mobile VPN clients that use dynamic IP address and no dynamic DNS.

12. Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
A. Browsers can be configured to retrieve this PAC file from the FortiGate.
B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com:8060.
D. Any web request to fortinet.com is allowed to bypass the proxy.
Answer: A, D

13. Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?
A. The SSL inspection needs to be a deep content inspection.
B. Force access to Facebook using the HTTP service.
C. Additional application signatures are required to add to the security policy.
D. Add Facebook in the URL category in the security policy.
Answer: A
Explanation:
They can play video (tick) content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts. This indicates that the rules are partially working, as they can watch video but can't react, i.e. liking the content. So it must be an issue with the SSL inspection rather than adding an app rule.

14. View the exhibit.
Which of the following statements are correct? (Choose two.)
A. This setup requires at least two firewall policies with the action set to IPsec.
B. Dead peer detection must be disabled to support this type of IPsec setup.
C. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
D. This is a redundant IPsec setup.
Answer: C, D
Explanation:
https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/632796/ospf-with-ipsec-vpn-for-network-redundancy

15. Which two statements are true when FortiGate is in transparent mode? (Choose two.)
A. By default, all interfaces are part of the same broadcast domain.
B. The existing network IP schema must be changed when installing a transparent mode.
C. Static routes are required to allow traffic to the next hop.
D. FortiGate forwards frames without changing the MAC address.
Answer: A, D
Explanation:
Reference:
https://kb.fortinet.com/kb/viewAttachment.do?attachID=FortigateTransparentModeTechnicalGuide FortiOS40version12pdf&documentID=FD33113

16. Refer to the exhibit.
Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)
A. Traffic between port2 and port2-vlan1 is allowed by default.
B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
C. port1 is a native VLAN.
D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
Answer: C, D
Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883

17. Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?
A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out"
Answer: A

18. An administrator is running the following sniffer command:
Which three pieces of information will be included in the sniffer output? (Choose three.)
A. Interface name
B. Packet payload
C. Ethernet header
D. IP header
E. Application header
Answer: A, B, D

19. An administrator does not want to report the logon events of service accounts to FortiGate.
What setting on the collector agent is required to achieve this?
A. Add the support of NTLM authentication.
B. Add user accounts to Active Directory (AD).
C. Add user accounts to the FortiGate group filter.
D. Add user accounts to the Ignore User List.
Answer: D
Explanation:
Reference:
https://community.fortinet.com/t5/Support-Forum/Collector-Agent-and-problem-getting-login-info/m-p/95481

20. Examine this FortiGate configuration:
How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?
A. It always authorizes the traffic without requiring authentication.
B. It drops the traffic.
C. It authenticates the traffic using the authentication scheme SCHEME2.
D. It authenticates the traffic using the authentication scheme SCHEME1.
Answer: D
Explanation:
"What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting."

21. Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
A. FortiCache
B. FortiSIEM
C. FortiAnalyzer
D. FortiSandbox
E. FortiCloud
Answer: B, C, E
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-and-reporting-overview