Have an account?
Skip to Content
Build your own quiz
Suggestions for you
Computers
Professional Development
Exam Questions NSE4_FGT-7.0 Fortinet NSE 4 - FortiOS 7.0
22 questions
Show Answers
See Preview
- 1. Multiple Choice
An administrator wants to configure timeouts for users. Regardless of the user€™s behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?
auth-on-demand
soft-timeout
idle-timeout
new-session
hard-timeout
- 2. Multiple Choice
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
FortiCache
FortiSIEM
FortiAnalyzer
FortiSandbox
FortiCloud
- 3. Multiple Choice
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
System time
FortiGuaid update servers
Operating mode
NGFW mode
- 4. Multiple Choice
Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?
The signature setting uses a custom rating threshold.
The signature setting includes a group of other signatures.
Traffic matching the signature will be allowed and logged.
Traffic matching the signature will be silently dropped and logged
- 5. Multiple Choice
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
The collector agent uses a Windows API to query DCs for user logins.
NetAPI polling can increase bandwidth usage in large networks.
The collector agent must search security event logs.
The NetSession Enum function is used to track user logouts
- 6. Multiple Choice
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?
Disabled
On Demand
Enabled
On Idle
- 7. Multiple Choice
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)
The Detection Mode setting is not set to Passive.
Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
The configured participants are not SD-WAN members.
The Enable probe packets setting is not enabled.
- 8. Multiple Choice
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
The strict RPF check is run on the first sent and reply packet of any new session.
Strict RPF checks the best route back to the source using the incoming interface
Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.
Strict RPF allows packets back to sources with all active routes
- 9. Multiple Choice
The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?
Change password
Enable restrict access to trusted hosts
Change Administrator profile
Enable two-factor authentication
- 10. Multiple Choice
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
Antivirus engine
Intrusion prevention system engine
Flow engine
Detection engine
- 11. Multiple Choice
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?
Policy lookup will be disabled.
By Sequence view will be disabled
Search option will be disabled
Interface Pair view will be disabled.
- 12. Multiple Choice
Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?
get system status
get system performance status
diagnose sys top
get system arp
- 13. Multiple Choice
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?
Add the support of NTLM authentication
Add user accounts to Active Directory (AD).
Add user accounts to the FortiGate group fitter
Add user accounts to the Ignore User List.
- 14. Multiple Choice
Which contains a session list output. Based on the information shown in the exhibit, which statement is true?
Destination NAT is disabled in the firewall policy.
One-to-one NAT IP pool is used in the firewall policy.
Overload NAT IP pool is used in the firewall policy
Port block allocation IP pool is used in the firewall policy
- 15. Multiple Choice
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?
192.168.1.0/24
192.168.0.0/24
192.168.2.0/24
192.168.3.0/24
- 16. Multiple Choice
Which two statements are true about the FGCP protocol? (Choose two.)
Not used when FortiGate is in Transparent mode
Elects the primary FortiGate device
Runs only over the heartbeat links
Is used to discover FortiGate devices in different HA groups
- 17. Multiple Choice
How does FortiGate act when using SSL VPN in web mode?
FortiGate acts as an FDS server
FortiGate acts as an HTTP reverse proxy.
FortiGate acts as DNS server.
FortiGate acts as router.
- 18. Multiple Choice
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)
The client FortiGate requires a client certificate signed by the CA on the server FortiGate
The client FortiGate requires a manually added route to remote subnets.
The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
- 19. Multiple Choice
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?
Application control is not enabled
SSL/SSH Inspection profile is incorrect
Antivirus profile configuration is incorrect
Antivirus definitions are not up to date
- 20. Multiple Choice
An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?
192.168.3.0/24
192.168.2.0/24
192.168.1.0/24
192.168.0.0/8
- 21. Multiple Choice
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)
FortiGate points the collector agent to use a remote LDAP server.
FortiGate uses the AD server as the collector agent.
FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
FortiGate queries AD by using the LDAP to retrieve user group information.
- 22. Multiple Choice
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)
To detect intermediary NAT devices in the tunnel path.
To dynamically change phase 1 negotiation mode aggressive mode
To encapsulation ESP packets in UDP packets using port 4500.
To force a new DH exchange with each phase 2 rekey.
- Answer choicesTagsAnswer choicesTags