Prepare Efficiently with Latest Fortinet NSE4_FGT-7.2 Exam Study Materials

Achieving success in the Fortinet NSE4_FGT-7.2 exam requires thorough preparation and access to reliable exam resources. SPOTO offers a comprehensive suite of study materials, including exam questions and answers, test questions, and mock exams, specifically designed to help you prepare effectively for this challenging certification. Their exam preparation resources are meticulously crafted by industry experts, ensuring you have access to the most up-to-date and relevant information. With SPOTO's exam questions, you can identify your strengths and weaknesses, allowing you to focus your efforts on areas that require more attention. Additionally, their mock exams simulate the real exam environment, providing a valuable opportunity to practice and gain confidence. By leveraging SPOTO's exam resources, study materials, and practice tests, you can equip yourself with the knowledge and skills necessary to pass the NSE4_FGT-7.2 exam successfully and validate your expertise in configuring and managing Fortinet's FortiGate Next-Generation Firewall.

Question #1
Refer to the exhibit. An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)
A. port2
B. port3
C. port4
D. port1
Correct Answer: ABD
Question #2
Refer to the exhibit. The exhibit shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A. Antivirus definitions are not up to date
B. SSL/SSH Inspection profile is incorrect
C. Antivirus profile configuration is incorrect
D. Application control is not enabled
Correct Answer: AC
Question #3
An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to SSL VPN. How can this be achieved?
A. Configure the virtual IP addresses to be assigned to the SSL VPN users
B. Install FortiClient SSL VPN client
C. Create an SSL VPN realm reserved for clients using port forward mode
D. Configure the client application to forward IP traffic to a Java applet proxy
Correct Answer: A
Question #4
Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. With this configuration, which statement is true?
A. Change the csf setting on Local-FortiGate (root) to set configuration-sync local
B. Change the csf setting on ISFW (downstream) to set configuration-sync local
C. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default
D. Change the csf setting on ISFW (downstream) to set fabric-object-unification default
Correct Answer: A
Question #5
Refer to the exhibits (Exhibit A, Exhibit B).
A. Change the SSL VPN port on the client
B. Change the Server IP address
C. Change the idle-timeout
D. Change the Server IP address
Correct Answer: A
Question #6
What step is required to configure an SSL VPN to access an internal server using port forward mode?
A. A firewall policy in VDOM1 to allow the traffic from 10
B. A static route in VDOM1 for the destination subnet of 10
C. A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link
D. A static route in VDOM2 for the destination subnet 10
Correct Answer: D
Question #7
Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?
A. One-to-one NAT IP pool is used in the firewall policy
B. Destination NAT is disabled in the firewall policy
C. Port block allocation IP pool is used in the firewall policy
D. Overload NAT IP pool is used in the firewall policy
Correct Answer: A
Question #8
Refer to the exhibit.
A. FortiGate will only activate the port1 route in the routing table
B. FortiGate will use the port1 route as the primary candidate
C. FortiGate will load balance all traffic across both routes
D. FortiGate will route twice as much traffic to the port2 route
Correct Answer: B
Question #9
Refer to the exhibit showing a FortiGuard connection debug output. Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)
A. One server was contacted to retrieve the contract information
B. There is at least one server that lost packets consecutively
C. A local FortiManager is one of the servers FortiGate communicates with
D. FortiGate is using default FortiGuard communication settings
Correct Answer: AD
Question #10
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?
A. Static IP Address
B. Dialup User
C. Dynamic DNS
D. Pre-shared Key
Correct Answer: C
Question #11
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
A. The subject field in the server certificate
B. The subject alternative name (SAN) field in the server certificate
C. The serial number in the server certificate
D. The server name indication (SNI) extension in the client hello message
E. The host field in the HTTP header
Correct Answer: ABD
Question #12
View the exhibit. What does the log message indicate? (Choose two.)
A. Application Overrides > Filter Overrides > Categories
B. Filter Overrides > Application Overrides > Categories > Traffic Shaping Override
C. Filter Overrides > Application Overrides > Categories
D. Categories > Application Overrides > Filter Overrides
Correct Answer: AC
Question #13
What are two functions of the ZTNA rule? (Choose two.)
A. It redirects the client request to the access proxy
B. It applies security profiles to protect traffic
C. It defines the access proxy
D. It enforces access control
Correct Answer: BD
Question #14
An administrator is investigating a report of users having intermittent issues with browsing the web. The administrator ran diagnostics and received the output shown in the exhibit. Examine the diagnostic output shown in the exhibit. Which of the following options is the most likely cause of this issue?
A. NAT port exhaustion
B. High CPU usage
C. High memory usage
D. High session timeout value
Correct Answer: A
Question #15
Which statements about application control are true? (Choose two.)
A. When using IKE version 2 (IKEv2)
B. When NAT-T detects there is a device between both IPsec peers doing NAT over the IPsec traffic
C. When the IPsec VPN is configured as dial up
D. When the phase 1 is configured to use aggressive mode
Correct Answer: CD
Question #16
View the exhibit. Which statement is true regarding Quick Connection?
A. To remove the NAT operation
B. To generate logs
C. To finish any inspection operations
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets
Correct Answer: B
Question #17
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
A. It is an idle timeout
B. It is a hard timeout
C. It is an idle timeout
D. It is a hard timeout
Correct Answer: CD
Question #18
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?
A. A phase 2 configuration is not required
B. This VPN cannot be used as part of a hub-and-spoke topology
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed
D. The IPsec firewall policies must be placed at the top of the list
Correct Answer: C
Question #19
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?
A. 92
B. 92
C. 92
D. 92
Correct Answer: D
Question #20
Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)
A. Heuristics scan
B. Trojan scan
C. Antivirus scan
D. Ransomware scan
Correct Answer: ABD
Question #21
When does the FortiGate enter into fail-open session mode?
A. When CPU usage goes above the red threshold
B. When a proxy (for proxy-based inspection) runs out of connections
C. When memory usage goes above the red threshold
D. When memory usage goes above the extreme threshold
Correct Answer: B
Question #22
Which statement is true regarding account permissions for an administrator that is assigned the default prof_admin profile?
A. It can create new administrator accounts with the super_admin profile
B. It can reset the password for the admin account
C. It can create administrator accounts with access to the same virtual domain (VDOM)
D. It has access to the global settings of the FortiGate
Correct Answer: C
Question #23
Which of the following are valid actions for static URL filtering? (Choose three.)
A. The length of time FortiGate waits for the user to enter their authentication credentials
B. The length of time an authenticated user is allowed to send and receive traffic before they are timed out
C. The length of time an authenticated user is allowed to remain authenticated without any packets being generated by the host device
D. The length of time an authenticated user is allowed to send and receive traffic without a new session being created through the firewall to the host device
Correct Answer: ABC
Question #24
Which scanning technique on FortiGate can be enabled only on the CLI?
A. Antivirus scan
B. Machine learning scan
C. Trojan scan
D. Ransomware scan
Correct Answer: B
Question #25
Refer to the exhibit. The exhibits show a network diagram and the explicit web proxy configuration. In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?
A. host 192
B. host 10
C. host 192
D. host 10
Correct Answer: A
Question #26
An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?
A. Enable asymmetric routing, so the RPF check will be bypassed
B. Disable the RPF check at the FortiGate interface level for the source check
C. Disable the RPF check at the FortiGate interface level for the reply check
D. Enable asymmetric routing at the interface level
Correct Answer: B
Question #27
Which three statements about a flow-based antivirus profile are correct? (Choose three.)
A. The strict RPF check is run on the first sent and reply packet of any new session
B. Strict RPF checks the best route back to the source using the incoming interface
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface
D. Strict RPF allows packets back to sources with all active routes
Correct Answer: BDE
Question #28
Examine the network diagram shown in the exhibit, and then answer the following question: A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes will satisfy this requirement on FGT1? (Choose two.)
A. It is allowed, but with no inspection
B. It is allowed and inspected as long as the inspection is flow based
C. It is dropped
D. It is allowed and inspected, as long as the only inspection required is antivirus
Correct Answer: AB
Question #29
When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?
A. Connected monitored ports > HA uptime > priority > serial number
B. Priority > Connected monitored ports > HA uptime > serial number
C. Connected monitored ports > priority > HA uptime > serial number
D. HA uptime > priority > Connected monitored ports > serial number
Correct Answer: C
Question #30
During the digital verification process, comparing the original and fresh hash results satisfies which security requirement?
A. Authentication
B. Data integrity
C. Non-repudiation
D. Signature verification
Correct Answer: D
Question #31
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
A. CRL
B. person
C. subordinate CA
D. root CA
Correct Answer: D
Question #32
What FortiGate configuration is required to actively prompt users for credentials?
A. You must enable one or more protocols that support active authentication on a firewall policy
B. You must position the firewall policy for active authentication before a firewall policy for passive authentication
C. You must assign users to a group for active authentication
D. You must enable the Authentication setting on the firewall policy
Correct Answer: C
Question #33
The FSSO Collector Agent set to advanced access mode for the Windows Active Directory uses which of the following?
A. LDAP convention
B. NTLM convention
C. Windows convention - NetBios: Domain\\Username
D. FSSO convention
Correct Answer: C
Question #34
View the exhibit. Which of the following statements are correct? (Choose two.)
A. FortiGate IPS update requests are sent using UDP port 443
B. Protocol decoder update requests are sent to service
C. IPS signature update requests are sent to update
D. IPS engine updates can only be obtained using push updates
Correct Answer: CD
Question #35
When using WPAD DNS method, which FQDN format do browsers use to query the DNS server?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: C
Question #36
Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?
A. Social networking web filter category is configured with the action set to authenticate
B. The action on firewall policy ID 1 is set to warning
C. Access to the social networking web filter category was explicitly blocked to all users
D. The name of the firewall policy is all_users_web
Correct Answer: A
Question #37
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?
A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out"
Correct Answer: A
Question #38
Which two types of traffic are managed only by the management VDOM? (Choose two.)
A. PKI
B. FortiGuard web filter queries
C. DNS
D. Traffic shaping
Correct Answer: BC
Question #39
FortiGate is integrated with FortiAnalyzer and FortiManager. When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?
A. Policy ID
B. Log ID
C. Sequence ID
D. Universally Unique Identifier
Correct Answer: D
Question #40
View the exhibit. A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting.Games). Based on this configuration, which statement is true?
A. Addicting
B. Addicting
C. Addicting
D. Addicting
Correct Answer: A
Question #41
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
A. Antivirus engine
B. Intrusion prevention system engine
C. Flow engine
D. Detection engine
Correct Answer: B
Question #42
Which of the following statements about the FSSO collector agent timers is true?
A. The workstation verify interval is used to periodically check if a workstation is still a domain member
B. The IP address change verify interval monitors the server IP address where the collector agent is installed, and then updates the collector agent configuration if it changes
C. The user group cache expiry is used to age out the monitored groups
D. The dead entry timeout interval is used to age out entries with an unverified status
Correct Answer: D
Question #43
Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. The IPS engine will continue to run in a normal state
B. The IPS engine was unable to prevent an intrusion attack
C. The IPS engine was blocking all traffic
D. The IPS engine was inspecting high volume of traffic
Correct Answer: D
Question #44
An administrator configured antivirus in flow-based inspection mode on the FortiGate. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only. What is causing this issue?
A. HTTPS protocol is not enabled under Inspected Protocols
B. Full-content inspection for HTTPS is disabled
C. Hardware acceleration is in use
D. The test file is larger than the oversize limit
Correct Answer: B
Question #45
Refer to the exhibit. The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile. An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement? (Choose two.)
A. Configure a separate firewall policy with action Deny and an FQDN address object for *
B. Configure a web override rating for download
C. Set the Freeware and Software Downloads category Action to Warning
D. Configure a static URL filter entry for download
Correct Answer: BD
Question #46
How can a browser trust a web-server certificate signed by a third party CA?
A. The browser must have the CA certificate that signed the web-server certificate installed
B. The browser must have the web-server certificate installed
C. The browser must have the private key of CA certificate that signed the web-browser certificate installed
D. The browser must have the public key of the web-server certificate installed
Correct Answer: A
Question #47
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)
A. Web filtering
B. Antivirus
C. Web proxy
D. Application control
Correct Answer: AB
Question #48
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
A. Addicting
B. Addicting
C. Addicting
D. Addicting
Correct Answer: C
Question #49
Refer to the exhibits (Exhibit A, Exhibit B).
A. Add user accounts to the Ignore User List
B. Add the support of NTLM authentication
C. Add user accounts to the FortiGate group filter
D. Add user accounts to Active Directory (AD)
Correct Answer: D
Question #50
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
A. Implement a web filter category override for the specified website
B. Implement web filter authentication for the specified website
C. Implement web filter quotas for the specified website
D. Implement DNS filter for the specified website
Correct Answer: BC
Question #51
How can you configure the explicit web proxy to block HTTP packets that request a specific HTTP method?
A. Create an explicit proxy address that matches the HTTP method and apply it to an explicit proxy policy with the action Deny
B. Apply a web filter profile to an explicit proxy policy that blocks the HTTP method
C. Create a firewall service that matches the HTTP method and apply it to an explicit proxy policy with the action Deny
D. Create a DNS filter that matches the HTTP method and apply it to an explicit proxy policy with the action Deny
Correct Answer: A
Question #52
LDAP and RADIUS are both remote authentication servers that FortiGate can tie into for authentication. What is a key difference between these servers?
A. Only LDAP can have a secure connection with FortiGate using a server certificate
B. Only LDAP can be configured to authenticate groups as defined on the LDAP server
C. Only LDAP provides authentication, authorization, and accounting (AAA) services
D. Only RADIUS requires a distinguished name (i h
Correct Answer: A
Question #53
Refer to the exhibits.
A. Any available IP address in the WAN (port1) subnet 10
B. 10
C. 10
D. 10
Correct Answer: A
Question #54
Which two SD-WAN load balancing methods use interface weight value to distribute traffic?
A. Spillover
B. Volume
C. Source IP
D. Sessions
Correct Answer: BD
Question #55
Which statement about the IP authentication header (AH) used by IPsec is true?
A. AH does not provide any data integrity or encryption
B. AH does not support perfect forward secrecy
C. AH provides data integrity but no encryption
D. AH provides strong data integrity but weak encryption
Correct Answer: C
Question #56
Which of the following SD-WAN load-balancing methods use interface weight value to distribute traffic? (Choose two.)
A. The inspection mode of at least one VDOM must be proxy-based
B. At least one of the VDOMs must operate in NAT mode
C. The inspection mode of both VDOMs must match
D. Both VDOMs must operate in NAT mode
Correct Answer: CD
Question #57
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
A. 0
B. 0
C. 0
D. 0
Correct Answer: AD
Question #58
Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?
A. The session is in TCP ESTABLISHED state
B. The session is a bidirectional UDP connection
C. The session is a UDP unidirectional state
D. The session is a bidirectional TCP connection
Correct Answer: B
Question #59
Which of the following statements about central NAT are true? (Choose two.)
A. The public key of the web server certificate must be installed on the browser
B. The web-server certificate must be installed on the browser
C. The CA certificate that signed the web-server certificate must be installed on the browser
D. The private key of the CA certificate that signed the browser certificate must be installed on the browser
Correct Answer: AB
Question #60
Examine this FortiGate configuration: How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?
A. It always authorizes the traffic without requiring authentication
B. It drops the traffic
C. It authenticates the traffic using the authentication scheme SCHEME2
D. It authenticates the traffic using the authentication scheme SCHEME1
Correct Answer: D
Question #61
Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?
A. get system status
B. get system performance status
C. diagnose sys top
D. get system arp
Correct Answer: D
Question #62
Refer to the exhibits. The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?
A. Change the SSL VPN port on the client
B. Change the Server IP address
C. Change the idle-timeout
D. Change the SSL VPN portal to the tunnel
Correct Answer: D
Question #63
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
A. Subject Key Identifier value
B. SMIME Capabilities value
C. Subject value
D. Subject Alternative Name value
Correct Answer: C
Question #64
If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?
A. The Services field removes the requirement of creating multiple VIPs for different services
B. The Services field is used when several VIPs need to be bundled into VIP groups
C. The Services field does not allow source NAT and destination NAT to be combined in the same policy
D. The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer
Correct Answer: A
Question #65
Which of the following statements about converse mode are true? (Choose two.)
A. The administrator must first enter the command edit global
B. The administrator admin does not have the privileges required to configure global settings
C. The global settings cannot be configured from the root VDOM context
D. The command config system global does not exist in FortiGate
Correct Answer: AC
Question #66
You are configuring the root FortiGate to implement the security fabric. You are configuring port10 to communicate with a downstream FortiGate. View the default Edit Interface in the exhibit below: When configuring the root FortiGate to communicate with a downstream FortiGate, which settings are required to be configured? (Choose two.)
A. Remote user’s public IP address
B. The public IP address of the FortiGate device
C. The remote user’s virtual IP address
D. The internal IP address of the FortiGate device
Correct Answer: BC
Question #67
What best describes the authentication idle time-out feature on FortiGate?
A. ssl
B. port2
C. ssl
D. port1
Correct Answer: C
Question #68
What does the command diagnose debug fsso-polling refresh-user do?
A. It refreshes user group information from any servers connected to the FortiGate using a collector agent
B. It refreshes all users learned through agentless polling
C. It displays status information and some statistics related with the polls done by FortiGate on eachD
D. It enables agentless polling mode real-time debug
Correct Answer: B
Question #69
View the exhibit. You are trying to go to http://www.clailymotion.com (Dailymotion) from the computer behind the FortiGate. Which statement is correct regarding this application control profile?
A. Converts DNS A record lookups to AAAA record lookups
B. Translates the destination IPv6 address of the DNS traffic to an IPv4 address
C. Synthesizes DNS AAAA records from A records
D. Translates the destination IPv4 address of the DNS traffic to an IPv6 address
Correct Answer: B
Question #70
Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. Which two statements are true? (Choose two.)
A. 72
B.
C. 0
D. 72
Correct Answer: AD
Question #71
Refer to the exhibit. The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check. Which interface will be selected as an outgoing interface?
A. port2
B. port4
C. port3
D. port1
Correct Answer: B
Question #72
How does FortiGate act when using SSL VPN in web mode?
A. FortiGate acts as an FDS server
B. FortiGate acts as an HTTP reverse proxy
C. FortiGate acts as DNS server
D. FortiGate acts as router
Correct Answer: B
Question #73
Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. Which two statements are true? (Choose two.)
A. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs
B. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs
C. A static route is required on the To_Internet VDOM to allow LAN users to access the Internet
D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM
Correct Answer: AD
Question #74
When using WPAD DNS method, what is the FQDN format that browsers use to query the DNS server?
A. wpad
B. srv_tcp
C. srv_proxy
D. proxy
Correct Answer: A
Question #75
An administrator has configured a dialup IPsec VPN with XAuth. Which statement best describes this scenario?
A. Only digital certificates will be accepted as an authentication method in phase 1
B. Dialup clients must provide a username and password for authentication
C. Phase 1 negotiations will skip pre-shared key exchange
D. Dialup clients must provide their local ID during phase 2 negotiations
Correct Answer: B
Question #76
Examine the IPS sensor configuration and forward traffic logs shown in the exhibit; then, answer the question below. An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic. What is a possible reason for this?
A. The IPS filter is missing the Protocol: HTTPS option
B. The HTTPS signatures have not been added to the sensor
C. A DoS policy should be used, instead of an IPS sensor
D. A DoS policy should be used, instead of an IPS sensor
E. The firewall policy is not using a full SSL inspection profile
Correct Answer: E
Question #77
An administrator needs to increase network bandwidth and provide redundancy. Which interface type must the administrator select to bind multiple FortiGate interfaces?
A. Redundant interface
B. Software switch interface
C. VLAN interface
D. Aggregate interface
Correct Answer: D
Question #78
Which statement is true about SSL VPN web mode?
A. The tunnel is up while the client is connected
B. It supports a limited number of protocols
C. The external network application sends data through the VPN
D. It assigns a virtual IP address to the client
Correct Answer: B
Question #79
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. The Services field prevents SNAT and DNAT from being combined in the same policy
B. The Services field is used when you need to bundle several VIPs into VIP groups
C. The Services field removes the requirement to create multiple VIPs for different services
D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer
Correct Answer: B
Question #80
You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk. What is the default behavior when the local disk is full?
A. No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%
B. No new log is recorded until you manually clear logs from the local disk
C. Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%
D. Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%
Correct Answer: C
Question #81
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?
A. 92
B. 92
C. 92
D. 92
Correct Answer: B
Question #82
Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)
A. It changes when firewall policies are reordered
B. It defines the order in which rules are processed
C. It represents the number of objects used in the firewall policy
D. It is required to modify a firewall policy using the CLI
Correct Answer: CD
Question #83
Refer to the exhibit showing a debug flow output. Which two statements about the debug flow output are correct? (Choose two.)
A. System event logs
B. Forward traffic logs
C. Local traffic logs
D. Security logs
Correct Answer: AC
Question #84
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
A. The security actions applied on the web applications will also be explicitly applied on the third-party websites
B. The application signature database inspects traffic only from the original web application server
C. FortiGuard maintains only one signature of each web application that is unique
D. FortiGate can inspect sub-application traffic regardless of where it originated
Correct Answer: CD
Question #85
Examine the network diagram shown in the exhibit, then answer the following question:
A. 172
B. 0
C. 10
D. 172
Correct Answer: D
Question #86
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
A. The Services field prevents SNAT and DNAT from being combined in the same policy
B. The Services field is used when you need to bundle several VIPs into VIP groups
C. The Services field removes the requirement to create multiple VIPs for different services
D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer
Correct Answer: D
Question #87
An administrator configures outgoing interface any in a firewall policy. What is the result of the policy list view?
A. Search option is disabled
B. Policy lookup is disabled
C. By Sequence view is disabled
D. Interface Pair view is disabled
Correct Answer: D
Question #88
An administrator is configuring an antivirus profile on FortiGate and notices that Proxy Options is not listed under Security Profiles on the GUI. What can cause this issue?
A. FortiGate needs to be switched to NGFW mode
B. Proxy options section is hidden by default and needs to be enabled from the Feature Visibility menu
C. Proxy options are no longer available starting in FortiOS 5
D. FortiGate is in flow-based inspection mode
Correct Answer: D
Question #89
Which two statements about antivirus scanning mode are true? (Choose two.)
A. The name of the firewall policy is all_users_web
B. Social networking web filter category is configured with the action set to authenticate
C. The action on firewall policy ID 1 is set to warning
D. Access to the social networking web filter category was explicitly blocked to all users
Correct Answer: CD
Question #90
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
A. CRL
B. person
C. subordinate CA
D. root CA
Correct Answer: D
Question #91
Which of the following IPsec parameters is a phase 2 configuration setting?
A. Peer ID
B. eXtended Authentication (XAuth)
C. Quick mode selectors
D. Authentication method
Correct Answer: C
Question #92
View the exhibit. When Role is set to Undefined, which statement is true?
A. The GUI provides all the configuration options available for the port1 interface
B. You cannot configure a static IP address for the port1 interface because it allows only DHCP addressing mode
C. Firewall policies can be created from only the port1 interface to any interface
D. The port1 interface is reserved for management only
Correct Answer: A
Question #93
Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)
A. Highest to lowest priority defined in the firewall policy
B. Services defined in the firewall policy
C. Source defined as Internet Services in the firewall policy
D. Lowest to highest policy ID number
E. Destination defined as Internet Services in the firewall policy
Correct Answer: BCE
Question #94
Refer to the exhibit. An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option. What is the impact of using the Include in every user group option in a RADIUS configuration?
A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group
B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator
C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate
D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group
Correct Answer: A
Question #95
Refer to the exhibit. The exhibits show a network diagram and the explicit web proxy configuration. In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?
A. host192
B. host10
C. host192
D. host10
Correct Answer: A
Question #96
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
A. NetAPI polling can increase bandwidth usage in large networks
B. The NetSessionEnum function is used to track user logouts
C. The collector agent must search security event logs
D. The collector agent uses a Windows API to query DCs for user logins
Correct Answer: B
Question #97
View the exhibit: Which the FortiGate handle web proxy traffic rue? (Choose two.)
A. The firewall policy performs the full content inspection on the file
B. The flow-based inspection is used, which resets the last packet to the user
C. The volume of traffic being inspected is too high for this model of FortiGate
D. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode
Correct Answer: AC
Question #98
Refer to the exhibit. Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?
A. Custom permission for Network
B. Read/Write permission for Log & Report
C. CLI diagnostics commands permission
D. Read/Write permission for Firewall
Correct Answer: C
Question #99
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below. When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?
A. Antivirus
B. Web proxy
C. Web filtering
D. Application control
Correct Answer: B
Question #100
Which statement is true about split tunneling in SSL VPN?
A. It is supported in web-only mode
B. It can be enabled by the SSL VPN user, after connecting to the SSL VPN
C. If enabled, Internet traffic uses the local gateway of the connecting host
D. If disabled, SSL VPN users must authenticate using FortiToken
Correct Answer: C
Question #101
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
A. Log downloads from the GUI are limited to the current filter view
B. Log backups from the CLI cannot be restored to another FortiGate
C. Log backups from the CLI can be configured to upload to FTP at a scheduled time
D. Log downloads from the GUI are stored as LZ4 compressed files
Correct Answer: BC
Question #102
Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)
A. If the DHCP method fails, browsers will try the DNS method
B. The browser needs to be preconfigured with the DHCP server's IP address
C. The browser sends a DHCPINFORM request to the DHCP server
D. The DHCP server provides the PAC file for download
Correct Answer: AC
Question #103
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
A. NGFW policy-based mode does not require the use of central source NAT policy
B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
D. NGFW policy-based mode policies support only flow inspection
Correct Answer: CD
Question #104
Examine this FortiGate configuration: Examine the output of the following debug command: Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?
A. It is allowed, but with no inspection
B. It is allowed and inspected as long as the inspection is flow based
C. It is dropped
D. It is allowed and inspected, as long as the only inspection required is antivirus
Correct Answer: C
Question #105
Refer to the exhibit. The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check. Which interface will be selected as an outgoing interface?
A. The signature setting uses a custom rating threshold
B. The signature setting includes a group of other signatures
C. Traffic matching the signature will be allowed and logged
D. Traffic matching the signature will be silently dropped and logged
Correct Answer: D
Question #106
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
A. Antivirus engine
B. Intrusion prevention system engine
C. Flow engine
D. Detection engine
Correct Answer: BC
Question #107
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
A. Subject Key Identifier value
B. SMIME Capabilities value
C. Subject value
D. Subject Alternative Name value
Correct Answer: C
Question #108
Which statement regarding the firewall policy authentication timeout is true?
A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets
B. The two VLAN sub interfaces must have different VLAN IDs
C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs
D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet
Correct Answer: A
Question #109
Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. The IPS engine was inspecting a high volume of traffic
B. The IPS engine was unable to prevent an intrusion attack
C. The IPS engine was blocking all traffic
D. The IPS engine will continue to run in a normal state
Correct Answer: C
Question #110
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
A. The remote user's virtual IP address
B. The public IP address of the FortiGate device
C. The remote user's public IP address
D. The internal IP address of the FortiGate device
Correct Answer: D
Question #111
Which of the following statements about NTLM authentication are correct? (Choose two.)
A. To remove the NAT operation
B. To generate logs
C. To finish any inspection operations
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets
Correct Answer: AD
Question #112
Which of the following statements about central NAT are true? (Choose two.)
A. Deep-inspection must be enabled for FortiGate to fully scan FTP traffic
B. FortiGate needs to be operating in flow-based inspection mode in order to scan FTP traffic
C. The FortiSandbox signature database is required to successfully scan FTP traffic
D. The proxy options profile needs to scan FTP traffic on a non-standard port
Correct Answer: AB
Question #113
Which two statements are true about the RPF check? (Choose two.)
A. The RPF check is run on the first sent packet of any new session
B. The RPF check is run on the first reply packet of any new session
C. The RPF check is run on the first sent and reply packet of any new session
D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks
Correct Answer: AD
Question #114
Which statements about a One-to-One IP pool are true? (Choose two.)
A. Different SSL VPN realms for each group
B. Two separate SSL VPNs in different interfaces mapping the same ssl
C. Two firewall policies with different captive portals
D. Different virtual SSL VPN IP addresses for each group
Correct Answer: CD
Question #115
Which one of the following processes is involved in updating IPS from FortiGuard?
A. It selects the SNAT policy specified in the configuration of the outgoing interface
B. It selects the first matching central SNAT policy, reviewing from top to bottom
C. It selects the central SNAT policy with the lowest priority
D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic
Correct Answer: C
Question #116
Examine this PAC file configuration. Which of the following statements are true? (Choose two.)
A. get system status
B. get system performance status
C. diagnose sys top
D. get system arp
Correct Answer: AD
Question #117
View the exhibit. Why is the administrator getting the error shown in the exhibit?
A. The new route's destination subnet overlaps an existing route
B. The new route's Distance value should be higher than 10
C. The Gateway IP address is not in the same subnet as port1
D. The Priority is 0, which means that this route will remain inactive
Correct Answer: C
Question #118
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
A. The strict RPF check is run on the first sent and reply packet of any new session
B. Strict RPF checks the best route back to the source using the incoming interface
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface
D. Strict RPF allows packets back to sources with all active routes
Correct Answer: B
Question #119
Firewall policies dictate whether a user or device can (or cannot) authenticate to a network. Which statements are true regarding firewall authentication? (Choose two.)
A. Dailymotion will be blocked, as the Video/Audio category is blocked
B. Dailymotion will be allowed, based on application overrides
C. Dailymotion will be blocked, based on filter overrides
D. Dailymotion will be allowed only if the action for Dailymotion is set to authenticate in application overrides
Correct Answer: AB
Question #120
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B). Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?
A. It limits the scope of application control to the browser-based technology category only
B. It limits the scope of application control to scan application traffic based on application category only
C. It limits the scope of application control to scan application traffic using parent signatures only
D. It limits the scope of application control to scan application traffic on DNS protocol only
Correct Answer: A
Question #121
Which statement about the policy ID number of a firewall policy is true?
A. Add Facebook in the URL category in the security policy
B. Additional application signatures are required to add to the security policy
C. Force access to Facebook using the HTTP service
D. The SSL inspection needs to be a deep content inspection
Correct Answer: D
Question #122
View the exhibit: Which statement about the exhibit is true? (Choose two.)
A. 72
B.
C. 0
D. 72
Correct Answer: CD
Question #123
An administrator has configured the following settings: What does the configuration do? (Choose two.)
A. The database for DLP document fingerprinting
B. The supported file types in the DLP filters
C. The archived files and messages
D. The file name patterns in the DLP filters
Correct Answer: AD
Question #124
By default, when logging to disk, when does FortiGate delete logs?
A. 30 days
B. 1 year
C. Never
D. 7 days
Correct Answer: D
Question #125
Which of the following are valid actions for FortiGuard category based filter in a web filter profile in proxy-based inspection mode? (Choose two.)
A. SMTP
B. IMAP
C. ip_src_session
D. Location: server Protocol: SMTP
Correct Answer: AC
Question #126
Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
A. Add Facebook in the URL category in the security policy
B. Force access to Facebook using the HTTP service
C. Additional application signatures are required to add to the security policy
D. The SSL inspection needs to be a deep content inspection
Correct Answer: D
Question #127
Which action can be applied to each filter in the application control profile?
A. Block, monitor, warning, and quarantine
B. Allow, monitor, block and learn
C. Allow, block, authenticate, and warning
D. Allow, monitor, block, and quarantine
Correct Answer: D
Question #128
Which two statements are correct about a software switch on FortiGate? (Choose two.)
A. It can be configured only when FortiGate is operating in NAT mode
B. Can act as a Layer 2 switch as well as a Layer 3 router
C. All interfaces in the software switch share the same IP address
D. It can group only physical interfaces
Correct Answer: AC
Question #129
Which statement is correct regarding the security fabric?
A. FortiManager is one of the required member devices
B. FortiGate devices must be operating in NAT mode
C. A minimum of two Fortinet devices is required
D. FortiGate Cloud cannot be used for logging purposes
Correct Answer: C
Question #130
Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)
A. On HQ-FortiGate, enable Auto-negotiate
B. On Remote-FortiGate, set Seconds to 43200
C. On HQ-FortiGate, enable Diffie-Hellman Group 2
D. On HQ-FortiGate, set Encryption to AES256
Correct Answer: AD
Question #131
Refer to the exhibit, which contains a network diagram and routing table output. The Student is unable to access Webserver. What is the cause of the problem and what is the solution for the problem?
A. The first packet sent from Student failed the RPF check
B. The first reply packet for Student failed the RPF check
C. The first reply packet for Student failed the RPF check
D. The first packet sent from Student failed the RPF check
Correct Answer: D
Question #132
Refer to the exhibit. The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses. How does FortiGate process the traffic sent to http://www.fortinet.com?
A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3
B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1
C. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1
D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy
Correct Answer: D
