Efficient Fortinet Exam Preparation with Latest NSE4_FGT-7.2 Exam Questions

Preparing for the Fortinet NSE4_FGT-7.2 exam can be a daunting task, but with the right resources from SPOTO, you can increase your chances of passing successfully. SPOTO offers a comprehensive range of study materials, including exam questions and answers, test questions, and mock exams that closely resemble the real exam environment. Their exam preparation resources are meticulously crafted by industry experts, ensuring that you have access to the most up-to-date and relevant information. With SPOTO's exam resources, you can identify your strengths and weaknesses, and focus your efforts on areas that require more attention. By leveraging their exam questions, study materials, and practice tests, you can gain the confidence and knowledge necessary to ace the NSE4_FGT-7.2 exam and validate your expertise in configuring and managing Fortinet's FortiGate Next-Generation Firewall.

Question #1
Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?
A. System event logs
B. Security logs
C. Forward traffic logs
D. Local traffic logs
Correct Answer: D
Question #2
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
- All traffic must be routed through the primary tunnel when both tunnels are up
- The secondary tunnel must be used only if the primary tunnel goes down
- In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
A. It is an idle timeout
B. It is a hard timeout
C. It is an idle timeout
D. It is a hard timeout
Correct Answer: A
Question #3
Examine the following web filtering log. Which statement about the log message is true?
A. The action for the category Games is set to block
B. The usage quota for the IP address 10
C. The name of the applied web filter profile is default
D. The web site miniclip
Correct Answer: D
Question #4
Examine the routing database shown in the exhibit, and then answer the following question:
A. The port3 default route has the highest distance
B. The port3 default route has the lowest metric
C. There will be eight routes active in the routing table
D. The port1 and port2 default routes are active in the routing table
Correct Answer: AD
Question #5
What are two features of the NGFW policy-based mode? (Choose two.)
A. NGFW policy-based mode does not require the use of central source NAT policy
B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
C. NGFW policy-based mode policies support only flow inspection
D. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
Correct Answer: CD
Question #6
What statement is true regarding the Service setting in a firewall policy?
A. It is optional to add a service in a firewall policy
B. It matches the traffic by port number
C. Only one service object can be added to the firewall policy
D. Administrators cannot create custom services objects
Correct Answer: B
Question #7
Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?
A. Make SSL inspection needs to be a deep content inspection
B. Force access to Facebook using the HTTP service
C. Get the additional application signatures are required to add to the security policy
D. Add Facebook in the URL category in the security policy
Correct Answer: A
Question #8
Examine this explicit web proxy configuration: What filter can be used with the command diagnose sniffer packet to capture the traffic between the client and the explicit web proxy?
A. host 10
B. host 192
C. host 192
D. host 10
Correct Answer: B
Question #9
An administrator is configuring an IPsec between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?
A. 92
B. 92
C. 92
D. 92
Correct Answer: A
Question #10
Refer to the exhibits. Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)
A. 92
B. 92
C. 92
D. 92
Correct Answer: CD
Question #11
View the exhibit. Which users and user groups are allowed access to the network through captive portal?
A. Users and groups defined in the firewall policy
B. Only individual users, not groups, defined in the captive portal configuration
C. Groups defined in the captive portal configuration
D. All users
Correct Answer: A
Question #12
What happens to traffic that is routed through an IPsec tunnel, but does not match any of the phase 2 quick mode selectors?
A. It crosses the tunnel, but is not inspected
B. It is dropped
C. It crosses the tunnel, but is not encrypted
D. It is routed using the next route in the routing table
Correct Answer: B
Question #13
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
A. auth-on-demand
B. soft-timeout
C. idle-timeout
D. new-session
E. hard-timeout
Correct Answer: CD
Question #14
Which of the following statements about the FSSO collector agent timers is true?
A. The workstation verify interval is used to periodically check if a workstation is still a domain member
B. The IP address change verify interval monitors the server IP address where the collector agent is installed, and then updates the collector agent configuration if it changes
C. The user group cache expiry is used to age out the monitored groups
D. The dead entry timeout interval is used to age out entries with an unverified status
Correct Answer: D
Question #15
View the exhibit: The client cannot connect to the HTTP web server. The administrator ran the FortiGate built-in sniffer and got the following output: What should be done next to troubleshoot the problem?
A. Run a sniffer in the web server
B. Execute another sniffer in the FortiGate, this time with the filter "host 10
C. Capture the traffic using an external sniffer connected to port1
D. Execute a debug flow
Correct Answer: D
Question #16
Which statement about SSL VPN settings for an SSL VPN portal is true?
A. By default, DNS split tunneling is enabled
B. By default, the admin GUI and the SSL VPN portal use the same HTTPS port
C. By default, the SSL VPN portal requires the installation of a client's certificate
D. By default, FortiGate uses WINS servers to resolve names
Correct Answer: B
Question #17
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
- All traffic must be routed through the primary tunnel when both tunnels are up
- The secondary tunnel must be used only if the primary tunnel goes down
- In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed in FortiGate to meet the design requirements? (Choose two.)
A. 92
B. 92
C. 92
D. 92
Correct Answer: BD
Question #18
Examine the exhibit, which contains a virtual IP and firewall policy configuration.
A. 10
B. Any available IP address in the WAN (port1) subnet 10
C. 10
D. 10
Correct Answer: C
Question #19
View the exhibit. Which of the following statements are correct? (Choose two.)
A. CRL
B. person
C. subordinate CA
D. root CA
Correct Answer: CD
Question #20
Which of the following features is supported by web filter in flow-based inspection mode with NGFW mode set to profile-based?
A. FortiGuard Quotas
B. Static URL
C. Search engines
D. Rating option
Correct Answer: B
Question #21
View the exhibit. Which of the following statements are correct? (Choose two.)
A. Addicting
B. Addicting
C. Addicting
D. Addicting
Correct Answer: CD
Question #22
In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy, instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)
A. It always authorizes the traffic without requiring authentication
B. It drops the traffic
C. It authenticates the traffic using the authentication scheme SCHEME2
D. It authenticates the traffic using the authentication scheme SCHEME1
Correct Answer: BDE
Question #23
Examine this output from the diagnose sys top command: Which statements about the output are true? (Choose two.)
A. Heuristics -> grayware -> antivirus
B. Antivirus -> grayware -> heuristics
C. Antivirus -> heuristics -> grayware
D. Grayware -> antivirus -> heuristics
Correct Answer: BC
Question #24
An administrator has configured the following settings: What are the two results of this configuration? (Choose two.)
A. get system performance status
B. get system status
C. get system arp
D. diagnose sys top
Correct Answer: AC
Question #25
An administrator is running the following sniffer command: diagnose sniffer packet any "host 10.0.2.10" 3
Which three items will be included in the sniffer output? (Choose three.)
A. IP header
B. Interface name
C. Packet payload
D. Ethernet header
E. Application header
Correct Answer: ACD
Question #26
In firewall policy NAT, which of the following IP pool types can be used to explicitly associate an internal address range to an external address range for source NAT?
A. One-to-one
B. Fixed port range
C. Overload
D. Port block allocation
Correct Answer: B
Question #27
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
A. To remove the NAT operation
B. To generate logs
C. To finish any inspection operations
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets
Correct Answer: CDE
Question #28
An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?
A. VLAN interface
B. Software Switch interface
C. Aggregate interface
D. Redundant interface
Correct Answer: C
Question #29
Which two statements are true about the Security Fabric rating? (Choose two.)
A. Interface Pair view will be disabled
B. Search option will be disabled
C. Policy lookup will be disabled
D. By Sequence view will be disabled
Correct Answer: BC
Question #30
Which two settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy called Full Access? (Choose two.)
A. Enable Event Logging
B. Enable disk logging
C. Enable a web filter security profile on the Full Access firewall policy
D. Enable Log Allowed Traffic on the Full Access firewall policy
Correct Answer: CD
Question #31
A team manager has decided that while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?
A. Implement a web filter category override for the specified website
B. Implement web filter authentication for the specified website
C. Implement web filter quotas for the specified website
D. Implement DNS filter for the specified website
Correct Answer: A
Question #32
Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?
A. Dialup User
B. Static IP Address
C. Pre-shared Key
D. Dynamic DNS
Correct Answer: C
Question #33
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
A. execute ping
B. diagnose sys top
C. get system arp
D. execute traceroute
E. diagnose sniffer packet any
Correct Answer: ADE
Question #34
Examine the exhibit, which contains a virtual IP and firewall policy configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24. The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
A. 0
B. Any available IP address in the WAN (port1) subnet 10
C. 0
D. 0
Correct Answer: C
Question #35
An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best practices to do so? (Choose three.)
A. The web filtering database is downloaded locally on FortiGate
B. Antivirus signatures are downloaded locally on FortiGate
C. FortiGate downloads IPS updates using UDP port 53 or 8888
D. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates
Correct Answer: CDE
Question #36
Which of the following SD-WAN load balancing methods use interface weight value to distribute traffic? (Choose two.)
A. FortiGate automatically negotiates different local and remote addresses with the remote peer
B. FortiGate automatically negotiates a new security association after the existing security association expires
C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer
D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel
Correct Answer: CD
Question #37
Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?
A. To generate logs
B. To finish any inspection operations
C. To remove the NAT operation
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets
Correct Answer: D
Question #38
Which statement about firewall policy NAT is true?
A. NAT is not supported
B. NAT can automatically apply to multiple firewall policies, based on DNAT rules
C. You must configure SNAT for each firewall policy
D. NAT can automatically apply to multiple firewall policies, based on SNAT rules
Correct Answer: C
Question #39
An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?
A. VIP group
B. The mapped IP address object of the VIP object
C. VIP object
D. An IP pool
Correct Answer: C
Question #40
Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
A. Static IP Address
B. Dialup User
C. Dynamic DNS
D. Pre-shared Key
Correct Answer: D
Question #41
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)
A. Change password
B. Enable restrict access to trusted hosts
C. Change Administrator profile
D. Enable two-factor authentication
Correct Answer: A
Question #42
Refer to the following exhibit. Why is FortiGate not blocking the test file over FTP download?
A. Policy with ID 1
B. Policies with ID 2 and 3
C. Policy with ID 5
D. Policy with ID 4
Correct Answer: D
Question #43
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?
A. Policy lookup will be disabled
B. By Sequence view will be disabled
C. Search option will be disabled
D. Interface Pair view will be disabled
Correct Answer: D
Question #44
Examine this output from a debug flow: Why did the FortiGate drop the packet?
A. The web site www
B. The user has not authenticated with the FortiGate yet
C. The web server IP address 204
D. The rating for the web site www
Correct Answer: D
Question #45
Which file names will match the *.tiff file name pattern configured in a DLP filter? (Choose two.)
A. Disabling split tunneling
B. Configuring web bookmarks
C. Assigning public IP addresses to SSL VPN clients
D. Using web-only mode
Correct Answer: BC
Question #46
Which two statements are correct about SLA targets? (Choose two.)
A. The session is in SYN_SENT state
B. The session is in FIN_WAIT state
C. The session is in ESTABLISHED state
D. The session is in FIN_ACK state
Correct Answer: BD
Question #47
If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?
A. The Services field prevents SNAT and DNAT from being combined in the same policy
B. The Services field is used when you need to bundle several VIPs into VIP groups
C. The Services field removes the requirement to create multiple VIPs for different services
D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer
Correct Answer: C
Question #48
Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)
A. The flow-based Inspection is used, which resets the last packet to the user
B. The volume of traffic being inspected is too high for this model of FortiGate
C. The firewall policy performs the full content inspection on the file
D. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode
Correct Answer: BD
Question #49
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?
A. By default, FortiGate uses WINS servers to resolve names
B. By default, the SSL VPN portal requires the installation of a client’s certificate
C. By default, split tunneling is enabled
D. By default, the admin GUI and SSL VPN portal use the same HTTPS port
Correct Answer: A
Question #50
Which statements about DNS filter profiles are true? (Choose two.)
A. Both interfaces must belong to the same forward domain
B. The role of the VLAN10 interface must be set to server
C. Both interfaces must have the same VLAN ID
D. Both interfaces must be in different VDOMs
Correct Answer: BC
Question #51
Examine this FortiGate configuration: How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?
A. It always authorizes the traffic without requiring authentication
B. It drops the traffic
C. It authenticates the traffic using the authentication scheme SCHEME2
D. It authenticates the traffic using the authentication scheme SCHEME1
Correct Answer: D
Question #52
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?
A. Policy lookup will be disabled
B. By Sequence view will be disabled
C. Search option will be disabled
D. Interface Pair view will be disabled
Correct Answer: A
Question #53
Why must you use aggressive mode when a local FortiGate IPsec gateway hosts multiple dialup tunnels?
A. Main mode does not support XAuth for user authentication
B. In aggressive mode, the remote peers are able to provide their peer IDs in the first message
C. FortiGate is able to handle NATed connections only in aggressive mode
D. FortiClient supports only aggressive mode
Correct Answer: B
Question #54
Which statement regarding the firewall policy authentication timeout is true?
A. It is an idle timeout
B. It is a hard timeout
C. It is an idle timeout
D. It is a hard timeout
Correct Answer: A
Question #55
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?
A. Add the support of NTLM authentication
B. Add user accounts to the FortiGate group filter
C. Add user accounts to Active Directory (AD)
D. Add user accounts to the Ignore User List
Correct Answer: D
Question #56
Refer to the exhibit to view the application control profile. Based on the configuration, what will happen to Apple FaceTime?
A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration
B. Apple FaceTime will be allowed, based on the Apple filter configuration
C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
D. Apple FaceTime will be allowed, based on the Categories configuration
Correct Answer: A
Question #57
An administrator is running the following sniffer command: diagnose sniffer packet any "host 10.0.2.10" 3
What information will be included in the sniffer output? (Choose three.)
A. IP header
B. Ethernet header
C. Packet payload
D. Application header
E. Interface name
Correct Answer: ABC
Question #58
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
A. Traffic matching the signature will be silently dropped and logged
B. The signature setting uses a custom rating threshold
C. The signature setting includes a group of other signatures
D. Traffic matching the signature will be allowed and logged
Correct Answer: B
Question #59
An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection. Which FortiGate configuration can achieve this goal?
A. SSL VPN bookmark
B. SSL VPN tunnel
C. Zero trust network access
D. SSL VPN quick connection
Correct Answer: B
Question #60
Examine the exhibit, which shows the partial output of an IKE real-time debug. Which of the following statements about the output is true?
A. The VPN is configured to use pre-shared key authentication
B. Extended authentication (XAuth) was successful
C. Remote is the host name of the remote IPsec peer
D. Phase 1 went down
Correct Answer: A
Question #61
An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?
A. soft-timeout
B. new-session
C. idle-timeout
D. hard-timeout
E. auth-on-demand
Correct Answer: D
Question #62
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)
A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs
B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet
C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs
D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM
Correct Answer: AD
Question #63
Refer to the exhibit.
A. The HTTPS signatures have not been added to the sensor
B. The IPS filter is missing the Protocol:HTTPS option
C. The firewall policy is not using a full SSL inspection profile
D. A DoS policy should be used, instead of an IPS sensor
Correct Answer: C
Question #64
An administrator wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?
A. tcp_port_scan
B. ip_dst_session
C. udp_flood
D. ip_src_session
Correct Answer: A
Question #65
View the exhibit. Which of the following statements are correct? (Choose two.)
A. Configure Source IP Pools
B. Configure split tunneling in tunnel mode
C. Configure different SSL VPN realms
D. Configure host check
Correct Answer: CD
Question #66
Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services. Which CLI command must the administrator use to view the route?
A. get router info routing-table database
B. diagnose firewall route list
C. get internet-service route list
D. get router info routing-table all
Correct Answer: B
Question #67
View the exhibit. What behavior results from this full (deep) SSL configuration? (Choose two.)
A. The user was authenticated using passive authentication
B. No matching user account exists for this user
C. The user is using a super admin account
D. The user is using a guest account profile
Correct Answer: AB
Question #68
Examine the partial output from the diagnose sys session list CLI command. What does this output state?
A. proto_state=05 is the TCP state
B. proto_state=05 is the UDP state
C. proto_state=05 is the ICMP state
D. timeout=3600 reflects the maximum length of time a session can be opened
Correct Answer: A
Question #69
View the exhibit. Which statement is true regarding Restrict Access in the SSL-VPN Settings?
A. SSL VPN users will have access to only the REMOTE_ETH1 subnet
B. Only users within the REMOTE_ETH1 subnet range will have access to the SSL VPN web portal login page
C. FortiGate will assign an IP address to the SSL VPN network adaptor from the REMOTE_ETH1 subnet
D. It enables client integrity check for the SSL VPN users in the REMOTE_ETH1 subnet
Correct Answer: B
Question #70
How can you format the FortiGate flash disk?
A. Load the hardware test (HQIP)
B. Execute the CLI command execute formatlogdisk
C. Load a debug FortiOS
D. Select the format boot device option from the BIOS menu
Correct Answer: D
Question #71
Examine the exhibit, which contains a session diagnostic output.
A. The session is in ESTABLISHED state
B. The session is in LISTEN state
C. The session is in TIME_WAIT state
D. The session is in CLOSE_WAIT state
Correct Answer: A
Question #72
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
A. FortiGuard update servers
B. System time
C. Operating mode
D. NGFW mode
Correct Answer: BD
Question #73
An administrator observes that the port1 interface cannot be configured with an IP address. What are three possible reasons for this? (Choose three.)
A. The operation mode is transparent
B. The interface is a member of a virtual wire pair
C. The interface is a member of a zone
D. The interface has been configured for one-arm sniffer
E. Captive portal is enabled in the interface
Correct Answer: ABD
Question #74
A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true?
A. It can create administrator accounts with access to the same VDOM
B. It cannot have access to more than one VDOM
C. It can reset the password for the admin account
D. It can upgrade the firmware on the FortiGate device
Correct Answer: A
Question #75
Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple dialup tunnels?
A. In aggressive mode, the remote peers are able to provide their peer IDs in the first message
B. FortiGate is able to handle NATed connections only in aggressive mode
C. FortiClient only supports aggressive mode
D. Main mode does not support XAuth for user authentication
Correct Answer: A
Question #76
Refer to the exhibit.
A. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default
B. Broadcast traffic received on port1-VLAN10 will not be forwarded to port2-VLAN10
C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs
D. port1-VLAN1 is the native VLAN for the port1 physical interface
Correct Answer: BC
Question #77
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
A. It must be configured in a static route using the sdwan virtual interface
B. It must be provided in the SD-WAN member interface configuration
C. It must be configured in a policy-route using the sdwan virtual interface
D. It must be learned automatically through a dynamic routing protocol
Correct Answer: C
Question #78
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
A. The session is in SYN_SENT state
B. The session is in FIN_ACK state
C. The session is in FIN_WAIT state
D. The session is in ESTABLISHED state
Correct Answer: CD
Question #79
Which two statements are true about the Security Fabric rating? (Choose two.)
A. Configure Source IP Pools
B. Configure split tunneling in tunnel mode
C. Configure different SSL VPN realms
D. Configure host check
Correct Answer: BC
Question #80
Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)
A. port2
B. port4
C. port3
D. port1
Correct Answer: BC
Question #81
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?
A. To allow for out-of-order packets that could arrive after the FIN/ACK packets
B. To finish any inspection operations
C. To remove the NAT operation
D. To generate logs
Correct Answer: E
Question #82
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?
A. Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server
B. Client > secondary FortiGate > web server
C. Client > secondary FortiGate > primary FortiGate > web server
D. Client > primary FortiGate > secondary FortiGate > web server
Correct Answer: D
Question #83
An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?
A. idle-timeout
B. login-timeout
C. udp-idle-timer
D. session-ttl
Correct Answer: B
Question #84
Examine the exhibit, which contains a virtual IP and a firewall policy configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24. The top firewall policy has NAT enabled using outgoing interface address. The second firewall policy is configured with a virtual IP (VIP) as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
A. 0
B. 0
C. Any available IP address in the WAN (port1) subnet 10
D. 0
Correct Answer: D
Question #85
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?
A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out"
Correct Answer: A
Question #86
Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)
A. It notifies the administrator by sending an email
B. It provides a DLP block replacement page with a link to download the file
C. It blocks all future traffic for that IP address for a configured interval
D. It archives the data for that IP address
Correct Answer: AC
Question #87
If antivirus, grayware, and heuristic scans are enabled on FortiGate, in which order does FortiGate apply the scanning?
A. Configuring the HA override will reboot the FortiGate device
B. It synchronizes device priority on all cluster members
C. It is used to enable monitored ports
D. You must configure override settings manually and separately for each cluster member
Correct Answer: B
Question #88
Refer to the exhibits. The exhibits contain a network diagram, central SNAT policy, and IP pool configuration. Exhibit A. Exhibit B.
A. 10
B. 10
C. 10
D. 10
Correct Answer: A
Question #89
Refer to the exhibit. The exhibit contains a network diagram, central SNAT policy, and IP pool configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1). Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10
A. 0
B. 0
C. 0
D. 0
Correct Answer: D
Question #90
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
A. The next-hop IP address is unreachable
B. It failed the RPF check
C. It matched an explicitly configured firewall policy with the action DENY
D. It matched the default implicit firewall policy
Correct Answer: D
Question #91
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface. Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets?
A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets
B. The two VLAN sub interfaces must have different VLAN IDs
C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs
D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet
Correct Answer: B
Question #92
View the exhibit. Based on this output, which statements are correct? (Choose two.)
A. As the source in a firewall policy
B. As the source in a proxy policy
C. As the destination in a firewall policy
D. As the destination in a proxy policy
Correct Answer: BC
Question #93
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
A. It can archive files and messages
B. It can be applied to a firewall policy in a flow-based VDOM
C. Traffic shaping can be applied to DLP sensors
D. Files can be sent to FortiSandbox for detecting DLP threats
Correct Answer: ACE
Question #94
An administrator has configured the following settings: What are the two results of this configuration? (Choose two.)
A. Proxy Policy
B. Authentication Rule
C. Firewall Policy
D. Authentication scheme
Correct Answer: CD
Question #95
Which two statements describe how the RPF check is used? (Choose two.)
A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks
B. The RPF check is run on the first sent and reply packet of any new session
C. The RPF check is run on the first sent packet of any new session
D. The RPF check is run on the first reply packet of any new session
Correct Answer: AC
Question #96
Examine this output from a debug flow: Why did the FortiGate drop the packet?
A. The next-hop IP address is unreachable
B. It failed the RPF check
C. It matched an explicitly configured firewall policy with the action DENY
D. It matched the default implicit firewall policy
Correct Answer: D
Question #97
What settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy called Full Access? (Choose two.)
A. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server
B. FortiGate sends the user-entered credentials to the LDAP server for authentication
C. FortiGate queries the LDAP server for credentials
D. FortiGate queries its own database for credentials
Correct Answer: BC
Question #98
Which two statements are true when FortiGate is in transparent mode? (Choose two.)
A. By default, all interfaces are part of the same broadcast domain
B. FortiGate forwards frames without changing the MAC address
C. Static routes are required to allow traffic to the next hop
D. The existing network IP schema must be changed when installing a transparent mode FortiGate in the network
Correct Answer: AB
Question #99
Which of the following statements are true when using Web Proxy Auto-discovery Protocol (WPAD) with the DHCP discovery method? (Choose two.)
A. The dead entry timeout interval is used to age out entries with an unverified status
B. The workstation verify interval is used to periodically check if a workstation is still a domain member
C. The user group cache expiry is used to age out the monitored groups
D. The IP address change verify interval monitors the server IP address where the collector agent is installed, and updates the collector agent configuration if it changes
Correct Answer: AD
Question #100
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?
A. On Demand
B. Disabled
C. On Idle
D. Enabled
Correct Answer: C
Question #101
Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
A. FortiManager
B. Root FortiGate
C. FortiAnalyzer
D. Downstream FortiGate
Correct Answer: AC
Question #102
Refer to the exhibits. Exhibit A. Exhibit B.
A. port2
B. port3
C. port4
D. port1
Correct Answer: C
Question #103
Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services. Which CLI command must the administrator use to view the route?
A. get router info routing-table database
B. diagnose firewall proute list
C. get internet-service route list
D. get router info routing-table all
Correct Answer: B
Question #104
Examine the exhibit. A client workstation is connected to FortiGate port2. The FortiGate port1 is connected to an ISP router. Port2 and port3 are both configured as a software switch. What IP address must be configured in the workstation as the default gateway? Response:
A. The port2's IP address
B. The router's IP address
C. The FortiGate's management IP address
D. The software switch interface's IP address
Correct Answer: D
Question #105
How does FortiGate select the central SNAT policy that is applied to a TCP session? Response:
A. It selects the SNAT policy specified in the configuration of the outgoing interface
B. It selects the first matching central-SNAT policy from top to bottom
C. It selects the central-SNAT policy with the lowest priority
D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic
Correct Answer: B
Question #106
Refer to the exhibit. An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)
A. Interface name
B. Ethernet header
C. IP header
D. Application header
E. Packet payload
Correct Answer: BCE
Question #107
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
A. It limits the scope of application control to the browser-based technology category only
B. It limits the scope of application control to scan application traffic based on application category only
C. It limits the scope of application control to scan application traffic using parent signatures only
D. It limits the scope of application control to scan application traffic on DNS protocol only
Correct Answer: D
Question #108
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
A. The collector agent uses a Windows API to query DCs for user logins
B. NetAPI polling can increase bandwidth usage in large networks
C. The collector agent must search security event logs
D. The NetSession Enum function is used to track user logouts
Correct Answer: D
Question #109
Examine this output from a debug flow: Why did the FortiGate drop the packet?
A. The next-hop IP address is unreachable
B. It failed the RPF check
C. It matched an explicitly configured firewall policy with the action DENY
D. It matched the default implicit firewall policy
Correct Answer: D
Question #110
What information is flushed when the chunk-size value is changed in the config dlp settings? Response:
A. The database for DLP document fingerprinting
B. The supported file types in the DLP filters
C. The archived files and messages
D. The file name patterns in the DLP filters
Correct Answer: A
