DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Pass the Fortinet NSE4 Exam Easily with Updated NSE4_FGT-7.2 Practice Questions

Preparing for the Fortinet NSE4_FGT-7.2 exam requires a comprehensive strategy that includes practicing with authentic exam questions and answers. SPOTO offers a range of test questions designed to simulate the actual exam experience, allowing you to familiarize yourself with the format and types of questions you'll encounter. With SPOTO's exam questions, you can assess your readiness and identify areas that need more focus during your exam preparation. Their study materials are carefully curated to cover the exam syllabus thoroughly, ensuring you have a solid foundation of knowledge before attempting the exam. Additionally, SPOTO provides valuable exam resources to enhance your preparation, including tips, tricks, and strategies for tackling different question types effectively. By leveraging these resources and participating in mock exams, you can boost your confidence and increase your chances of passing the NSE4_FGT-7.2 exam successfully.
Take other online exams

Question #1
Examine the network diagram shown in the exhibit, then answer the following question:Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server?
A. 72
B.
C. 0
D. 72
View answer
Correct Answer: D
Question #2
An administrator has configured the following settings:What are the two results of this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30?minutes
B. Denied users are blocked for 30?minutes
C. A session for denied traffic is created
D. The number of logs generated by denied traffic is reduced
View answer
Correct Answer: CD
Question #3
An administrator wants to create a policy-based IPsec VPN tunnel between two FortiGate devices Winch configuration steps must be performed on both devices to support this scenario? (Choose three.)
A. root CA
B. person
C. bridge CA
D. subordinate CA
View answer
Correct Answer: CDE
Question #4
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
C. No certificate is required on the remote peer when you set the certificate signature as the authentication method
D. Pre-shared key and certificate signature as authentication methods
View answer
Correct Answer: BD
Question #5
View the routing table, then identify which route will be selected when trying to reach 10.20.30.254?
A. 0
B.
C. 0
D. 0
View answer
Correct Answer: D
Question #6
Which of the following features is supported by web filter in flow-based inspection mode with NGFW mode set to profile-based?
A. FortiGuard Quotas
B. Static URL
C. Search engines
D. Rating option
View answer
Correct Answer: D
Question #7
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?
A. et fortiguard-anycast disable
B. et webfilter-force-off disable
C. et webfilter-cache disable
D. et protocol tcp
View answer
Correct Answer: A
Question #8
Which statement is true regarding SSL VPN timers? (Choose two.)
A. he public key of the web server certificate must be installed on the browser
B. he web-server certificate must be installed on the browser
C. he CA certificate that signed the web-server certificate must be installed on the browser
D. he private key of the CA certificate that signed the browser certificate must be installed on the browser
View answer
Correct Answer: AD
Question #9
Refer to the exhibit.The global settings on a FortiGate device must be changed to align with company security policies.What does the Administrator account need to access the FortiGate global settings?
A. Enable restrict access to trusted hosts
B. Change password
C. Enable two-factor authentication
D. Change Administrator profile
View answer
Correct Answer: C
Question #10
Examine the exhibit, which shows the partial output of an IKE real-time debug.Which of the following statement about the output is true?
A. he VPN is configured to use pre-shared key authentication
B. xtended authentication (XAuth) was successful
C. emote is the host name of the remote IPsec peer
D. hase 1 went down
View answer
Correct Answer: A
Question #11
How does FortiGate act when using SSL VPN in web mode?
A. ortiGate acts as an HTTP reverse proxy
B. ortiGate acts as router
C. ortiGate acts as DNS server
D. ortiGate acts as an FDS server
View answer
Correct Answer: A
Question #12
Refer to the exhibit, which contains a session diagnostic output.Which statement is true about the session diagnostic output?
A. he security actions applied on the web applications will also be explicitly applied on the third-party websites
B. he application signature database inspects traffic only from the original web application server
C. ortiGuard maintains only one signature of each web application that is unique
D. ortiGate can inspect sub-application traffic regardless where it was originated
View answer
Correct Answer: A
Question #13
What FortiGate components are tested during the hardware test? (Choose three.)
A. oad a debug FortiOS image
B. oad the hardware test (HQIP) image
C. xecute the CLI command execute formatlogdisk
D. elect the format boot device option from the BIOS menu
View answer
Correct Answer: CDE
Question #14
Which statement about the policy ID number of a firewall policy is true?
A. t is required to modify a firewall policy using the CLI
B. t represents the number of objects used in the firewall policy
C. t changes when firewall policies are reordered
D. t defines the order in which rules are processed
View answer
Correct Answer: A
Question #15
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?
A. he firewall policy performs the full content inspection on the file
B. he flow-based inspection is used, which resets the last packet to the user
C. he volume of traffic being inspected is too high for this model of FortiGate
D. he intrusion prevention security profile needs to be enabled when using flow-based inspection mode
View answer
Correct Answer: B
Question #16
An administrator needs to increase network bandwidth and provide redundancy.What interface type must the administrator select to bind multiple FortiGate interfaces?
A. Aggregate interface
B. VLAN interface
C. Redundant interface
D. Software Switch interface
View answer
Correct Answer: A
Question #17
Which two statements are correct about SLA targets? (Choose two.)
A. ny number of virtual wire pairs can be included, as long as the policy traffic direction is the same
B. nly a single virtual wire pair can be included in each policy
C. ny number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings
D. xactly two virtual wire pairs need to be included in each policy
View answer
Correct Answer: BD
Question #18
Which protocols can be scanned by FortiGate antivirus scan? (Choose three.)
A. he SYN packet from the client always arrives at the primary device first
B. he ACK from the client is received on the physical MAC address of the primary device
C. he secondary device responds to the primary device with a SYN/ACK, then the primary device forwards the SYN/ACK to the client
D. ll FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions
View answer
Correct Answer: ABD
Question #19
How do you format the FortiGate flash disk?
A. oad a debug FortiOS image
B. oad the hardware test (HQIP) image
C. xecute the CLI command execute formatlogdisk
D. elect the format boot device option from the BIOS menu
View answer
Correct Answer: D
Question #20
Examine this output from a debug flow:
A. FortiGate received a TCP SYN/ACK packet
B. The source IP address of the packet was translated to 10
C. FortiGate routed the packet through port 3
D. The packet was allowed by the firewall policy with the ID 00007fc0
View answer
Correct Answer: AC
Question #21
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
A. ntrusion prevention system engine
B. etection engine
C. low engine
D. ntivirus engine
View answer
Correct Answer: A
Question #22
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. t limits the scope of application control to the browser-based technology category only
B. t limits the scope of application control to scan application traffic based on application category only
C. t limits the scope of application control to scan application traffic using parent signatures only
D. t limits the scope of application control to scan application traffic on DNS protocol only
View answer
Correct Answer: B
Question #23
Which feature in the Security Fabric takes one or more actions based on event triggers?
A. abric Connectors
B. utomation Stitches
C. ecurity Rating
D. ogical Topology
View answer
Correct Answer: B
Question #24
Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)
A. efines the order in which rules are processed
B. epresents the number of objects used in the firewall policy
C. equired to modify a firewall policy using the CLI
D. hanges when firewall policies are reordered
View answer
Correct Answer: AC
Question #25
Refer to the exhibit.
A. Capture the traffic using an external sniffer connected to port1
B. Run a sniffer on the web server
C. Execute another sniffer in the FortiGate, this time with the filter, "host 10
D. Execute a debug flow
View answer
Correct Answer: D
Question #26
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
A. articipants configured are not SD-WAN members
B. here may not be a static route to route the performance SLA traffic
C. he Ping protocol is not supported for the public servers that are configured
D. ou need to turn on the Enable probe packets switch
View answer
Correct Answer: CD
Question #27
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
A. hut down/reboot a downstream FortiGate device
B. isable FortiAnalyzer logging for a downstream FortiGate device
C. og in to a downstream FortiSwitch device
D. an or unban compromised hosts
View answer
Correct Answer: ACE
Question #28
Which type of scan will detect a file that has virus-like characteristics and log it as being infected by a suspicious virus?
A. andbox
B. rayware
C. euristic
D. ntivirus
View answer
Correct Answer: C
Question #29
What step is required to configure an SSL VPN to access to an internal server using port forward mode?
A. onfigure the virtual IP addresses to be assigned to the SSL VPN users
B. nstall FortiClient SSL VPN client
C. reate a SSL VPN realm reserved for clients using port forward mode
D. onfigure the client application to forward IP traffic to a Java applet proxy
View answer
Correct Answer: D
Question #30
What files are sent to FortiSandbox for inspection in flow-based inspection mode?
A. ll suspicious files that do not have their hash value in the FortiGuard antivirus signature database
B. ll suspicious files that are above the defined oversize limit value in the protocol options
C. ll suspicious files that match patterns defined in the antivirus profile
D. ll suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile
View answer
Correct Answer: C
Question #31
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?
A. lient > primary FortiGate> secondary FortiGate> primary FortiGate> web server
B. lient > secondary FortiGate> web server
C. lient >secondary FortiGate> primary FortiGate> web server
D. lient> primary FortiGate> secondary FortiGate> web server
View answer
Correct Answer: D
Question #32
Which of the following authentication methods can be used for SSL VPN authentication? (Choose two.)
A. edundant
B. ub-and-spoke
C. artial mesh
D. ully meshed
View answer
Correct Answer: AB
Question #33
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.In this scenario, which statement about the VLAN IDs is true?
A. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet
B. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets
C. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs
D. The two VLAN subinterfaces must have different VLAN IDs
View answer
Correct Answer: D
Question #34
Refer to the exhibits.The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?
A. hange the SSL VPN port on the client
B. hange the Server IP address
C. hange the idle-timeout
D. hange the SSL VPN portal to the tunnel
View answer
Correct Answer: A
Question #35
A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true?
A. It can create administrator accounts with access to the same VDOM
B. It cannot have access to more than one VDOM
C. It can reset the password for the admin account
D. It can upgrade the firmware on the FortiGate device
View answer
Correct Answer: C
Question #36
Which statements about DNS filter profiles are true?(Choose two.)
A. t least one source user or user group object
B. t least one address object
C. t least one device object
D. t least one source user, one source device, and one source address object
View answer
Correct Answer: CD
Question #37
Refer to the exhibit.The global settings on a FortiGate device must be changed to align with company security policies.What does the Administrator account need to access the FortiGate global settings?
A. nable two-factor authentication
B. hange Administrator profile
C. hange password
D. nable restrict access to trusted hosts
View answer
Correct Answer: B
Question #38
Refer to the exhibits.An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).What must the administrator do to synchronize the address object?
A. hange the csf setting on ISFW (downstream) to set configuration-sync local
B. hange the csf setting on ISFW (downstream) to set authorization-request-type certificate
C. hange the csf setting on both devices to set downstream-access enable
D. hange the csf setting on Local-FortiGate (root) to set fabric-object-unification default
View answer
Correct Answer: C
Question #39
Examine the exhibit, which contains a screenshot of an explicit web proxy configuration.What does FortiGate do when the setting Default Firewall Policy Action is set to Deny?
A. enies web proxy access to guest users
B. locks any web proxy traffic that matches an explicit proxy policy without an action
C. locks any web proxy traffic that does not match any explicit proxy policy
D. locks any web proxy traffic that matches a firewall policy without a proxy profile
View answer
Correct Answer: C
Question #40
Which statements are true regarding the By Sequence view for firewall policies? (Choose two.)
A. ased on DNS request
B. ased on HTTP GET
C. ased on DNS response
D. ased on HTTP 200 response
View answer
Correct Answer: BC
Question #41
You mc tasked to design a new IPsec deployment with the following criteria:- There are two HQ sues that all satellite offices must connect to- The satellite offices do not need to communicate directly with other satellite offices- No dynamic routing will be used- The design should minimize the number of tannels being configured. Winch topology should be used to satisfy all of the requirements?
A. artial mesh
B. ub-and-spoke
C. ully meshed
D. edundant
View answer
Correct Answer: C
Question #42
Which of the following conditions roust be met in order for a web browser to trust a web server certificate signed by a third-party CA?
A. he web-server certificate DM be installed on the browser
B. he public key of the web server certificate must be installed on die browser
C. he CA certificate that signed the web-server certificate inutile installed on the browser
D. he private key of the CA certificate that signed the browser certificate must be installed on the browser
View answer
Correct Answer: C
Question #43
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
A. remote user"?s public IP address
B. The public IP address of the FortiGate device
C. The remote user"?s virtual IP address
D. The internal IP address of the FortiGate device
View answer
Correct Answer: D
Question #44
Refer to the exhibit.A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)
A. On both FortiGate devices, set Dead Peer Detection to On Demand
B. On HQ-FortiGate, set IKE mode to Main (ID protection)
C. On HO-FortiGate, disable Diffie-Helman group 2
D. On Remote-FortiGate, set port2 as Interface
View answer
Correct Answer: BD
Question #45
Which statement about the policy ID number of a firewall policy is true?
A. It is required to modify a firewall policy using the CLI
B. It represents the number of objects used in the firewall policy
C. It changes when firewall policies are reordered
D. It defines the order in which rules are processed
View answer
Correct Answer: A
Question #46
Refer to the exhibit, which contains a radius server configuration.An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.What will be the impact of using Include in every user group option in a RADIUS configuration?
A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group
B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator
C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate
D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group
View answer
Correct Answer: A
Question #47
Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
A. n HQ-FortiGate, enable Auto-negotiate
B. n HQ-FortiGate, enable Diffie-Hellman Group 2
C. n HQ-FortiGate, set Encryption to AES256
D. n Remote-FortiGate, set Seconds to 43200
View answer
Correct Answer: C
Question #48
An administrator has configured a route-based IPsec VPN between two FortiGates.Which statement about this IPsec VPN configuration is true?
A. H
B. KE
C. SAKMP
D. SP
View answer
Correct Answer: D
Question #49
Which of the following statements are true regarding the SD-WAN feature on FortiGate? (Choose two.)
A. phase 2 configuration is not required
B. his VPN cannot be used as part of a hub and spoke topology
C. he IPsec firewall policies must be placed at the top of the list
D. virtual IPsec interface is automatically created after the phase 1 configuration is completed
View answer
Correct Answer: AD
Question #50
Examine this PAC file configuration.Which of the following statements are true? (Choose two.)
A. onfigure an SSL VPN realm for clients to use the port forward bookmark
B. onfigure the client application to forward IP traffic through FortiClient
C. onfigure the virtual IP address to be assigned t the SSL VPN users
D. onfigure the client application to forward IP traffic to a Java applet proxy
View answer
Correct Answer: AD
Question #51
Which of the following statements describe WMI polling mode for the FSSO collector agent? (Choose two.)
A. hase 1 negotiations will skip preshared key exchange
B. nly digital certificates will be accepted as an authentication method in phase 1
C. ialup clients must provide a username and password for authentication
D. ialup clients must provide their local ID during phase 2 negotiations
View answer
Correct Answer: CD
Question #52
Refer to the exhibit.Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?
A. he signature setting uses a custom rating threshold
B. he signature setting includes a group of other signatures
C. raffic matching the signature will be allowed and logged
D. raffic matching the signature will be silently dropped and logged
View answer
Correct Answer: B
Question #53
Refer to the exhibit.Which contains a session list output. Based on the information shown in the exhibit, which statement is true?
A. estination NAT is disabled in the firewall policy
B. ne-to-one NAT IP pool is used in the firewall policy
C. verload NAT IP pool is used in the firewall policy
D. ort block allocation IP pool is used in the firewall policy
View answer
Correct Answer: A
Question #54
The IPS engine is used by which three security features? (Choose three.)
A. Antivirus in flow-based inspection
B. Web filter in flow-based inspection
C. Application control
D. DNS filter
E. Web application firewall
View answer
Correct Answer: ABC
Question #55
Refer to the exhibit.The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?
A. hange password
B. nable restrict access to trusted hosts
C. hange Administrator profile
D. nable two-factor authentication
View answer
Correct Answer: C
Question #56
Which of the following statements about antivirus scanning in proxy-based inspection mode are true?Choose two.)
A. t enables tunnel mode SSL VPN
B. t allows you to connect to resources, based on supported protocols
C. t enables split tunneling
D. t allows you to create user bookmarks
View answer
Correct Answer: BC
Question #57
How do you format the FortiGate flash disk?
A. oad a debug FortiOS image
B. oad the hardware test (HQIP) image
C. xecute the CLI command execute formatlogdisk
D. elect the format boot device option from the BIOS menu
View answer
Correct Answer: D
Question #58
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?
A. et fortiguard-anycast disable
B. et webfilter-force-off disable
C. et webfilter-cache disable
D. et protocol tcp
View answer
Correct Answer: A
Question #59
Refer to the exhibits.Exhibit
A. xhibit B
A. If there is a fall-through policy in place, users will not be prompted for authentication
B. Authentication is enforced at a policy level; all users will be prompted for authentication
C. All users will be prompted for authentication, users from the Sales group can authenticate successfully with the correct credentials
D. All users will be prompted for authentication, users from the HR group can authenticate successfully with the correct credentials
View answer
Correct Answer: B
Question #60
Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?
A. o allow for out-of-order packets that could arrive after the FIN/ACK packets
B. o finish any inspection operations
C. o generate logs
D. o remove the NAT operation
View answer
Correct Answer: A
Question #61
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
A. unique value used to verify the input data
B. n output value that is used to identify the person or deuce that authored the input data
C. n obfuscation used to mask the input data
D. n encrypted output value used to safe-guard die input data
View answer
Correct Answer: ABC
Question #62
NGFW mode allows policy-based configuration for most inspection rules. Which security profile's configuration does not change when you enable policy-based inspection?
A. eb filtering
B. ntivirus
C. eb proxy
D. pplication control
View answer
Correct Answer: B
Question #63
Examine the exhibit, which shows the output of a web filtering real time debug.Why is the site www.bing.com being blocked?
A. he web site www
B. he user has not authenticated with the FortiGate yet
C. he web server IP address 204
D. he rating for the web site www
View answer
Correct Answer: D
Question #64
Refer to the exhibit.Which contains a PerformanceSLA configuration.An administrator has configured a performance SLA on FortiGate. Which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?
A. nable Dead Peer Detection
B. onfigure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel
C. nable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels
D. onfigure a higher distance on the static route for the primary tunnel, and a lower distance on the state route for the secondary tunnel
View answer
Correct Answer: D
Question #65
Examine this output from a debug flow:Which statements about the output are correct? (Choose two.)
A. t always authorizes the traffic without requiring authentication
B. t drops the traffic
C. t authenticates the traffic using the authentication scheme SCHEME2
D. t authenticates the traffic using the authentication scheme SCHEME1
View answer
Correct Answer: AC
Question #66
Refer to the exhibit.Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?
A. 0
B. 0
C. 0
D. 0
View answer
Correct Answer: D
Question #67
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?
A. dd the support of NTLM authentication
B. dd useraccounts to Active Directory (AD)
C. dd user accounts to the FortiGate group fitter
D. dd user accounts to the Ignore User List
View answer
Correct Answer: C
Question #68
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.What must an administrator do to achieve this objective?
A. The administrator must use the user self-registration server
B. The administrator must use a FortiAuthenticator device
C. The administrator can register the same FortiToken on more than one FortiGate
D. The administrator can use a third-party radius OTP server
View answer
Correct Answer: B
Question #69
Which statements correctly define Policy ID and policy Sequence number for firewall policies? (Choose two.)
A. t monitors a specific firewall policy and a report provides recommendations for that firewall policy
B. t creates learning logs on a global level
C. t compiles security feature activity from various security-related logs, such as virus and attack logs
D. t captures data across all traffic and security vectors and generates learning logs and a report with recommendations
View answer
Correct Answer: AB
Question #70
Refer to the exhibit showing a debug flow output.Which two statements about the debug flow output are correct? (Choose two.)
A. ull SSL Inspection is not required
B. t is available only on a proxy-based firewall policy
C. t inspects video files hosted on file sharing services
D. ideo filtering FortiGuard categories are based on web filter FortiGuard categories
View answer
Correct Answer: BD
Question #71
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)
A. nter-VDOM links are required to allow traffic between the Local and Root VDOMs
B. default static route is not required on the To_Internet VDOM to allow LAN users to access the internet
C. nter-VDOM links are required to allow traffic between the Local and DMZ VDOMs
D. nter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM
View answer
Correct Answer: CD
Question #72
Refer to the exhibit. Which contains a Performance SLA configuration.An administrator has configured a performance SLA on FortiGate. Which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?
A. articipants configured are not SD-WAN members
B. here may not be a static route to route the performance SLA traffic
C. he Ping protocol is not supported for the public servers that are configured
D. ou need to turn on the Enable probe packets switch
View answer
Correct Answer: D
Question #73
Refer to the exhibit.In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.What should the administrator do next to troubleshoot the problem?
A. Execute a debug flow
B. Run a sniffer on the web server
C. Capture the traffic using an external sniffer connected to port1
D. Execute another sniffer in the FortiGate, this time with the filter "host 10
View answer
Correct Answer: A
Question #74
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.What are the expected actions if traffic matches this IPS sensor? (Choose two.)
A. onfigure the Destination field as Internet Service objects for Twitter
B. onfigure the Action field as Learn and select Twitter
C. onfigure the Service field as Internet Service objects for Twitter
D. onfigure the Source field as Internet Service objects for Twitter
View answer
Correct Answer: AC
Question #75
Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?
A. isabled
B. n Demand
C. nabled
D. n Idle
View answer
Correct Answer: D
Question #76
Refer to the exhibit.
A. It is allowed, but with no inspection
B. It is allowed and inspected, as long as the only inspection required is antivirus
C. It is dropped
D. It is allowed and inspected, as long as the inspection is flow based
View answer
Correct Answer: C
Question #77
Refer to the exhibit showing a debug flow output.Which two statements about the debug flow output are correct? (Choose two.)
A. The debug flow is of ICMP traffic
B. The default route is required to receive a reply
C. A firewall policy allowed the connection
D. A new traffic session is created
View answer
Correct Answer: AC
Question #78
Refer to the exhibit.Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?
A. ustom permission for Network
B. ead/Write permission for Log & Report
C. LI diagnostics commands permission
D. ead/Write permission for Firewall
View answer
Correct Answer: C
Question #79
View the exhibit.A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?
A. ddicting
B. ddicting
C. ddicting
D. ddcting
View answer
Correct Answer: A
Question #80
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?
A. t cannot be scanned for viruses
B. y default, a log is generated
C. y default, it is blocked
D. t is buffered for heuristic scanning
View answer
Correct Answer: D
Question #81
Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)
A. CRL
B. person
C. subordinate CA
D. root CA
View answer
Correct Answer: BD
Question #82
Refer to the exhibit.Which contains a network diagram and routing table output.The Student is unable to access Webserver.What is the cause of the problem and what is the solution for the problem?
A. he first packet sent from Student failed the RPF check
B. he first reply packet for Student failed the RPF check
C. he first reply packet for Student failed the RPF check
D. he first packet sent from Student failed the RPF check
View answer
Correct Answer: D
Question #83
Refer to the exhibit, which contains a radius server configuration. An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.What will be the impact of using Include in every user group option in a RADIUS configuration?
A. his option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator
B. his option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate
C. his option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group
D. his option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group
View answer
Correct Answer: C
Question #84
Which statement about video filtering on FortiGate is true?
A. ull SSL Inspection is not required
B. t is available only on a proxy-based firewall policy
C. t inspects video files hosted on file sharing services
D. ideo filtering FortiGuard categories are based on web filter FortiGuard categories
View answer
Correct Answer: B
Question #85
Which statement about the IP authentication header (AH) used by IPsec is true?
A. H does not provide any data integrity or encryption
B. H does not support perfect forward secrecy
C. H provides data integrity bur no encryption
D. H provides strong data integrity but weak encryption
View answer
Correct Answer: C
Question #86
Refer to the exhibit.An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)
A. estination NAT is disabled in the firewall policy
B. ne-to-one NAT IP pool is used in the firewall policy
C. verload NAT IP pool is used in the firewall policy
D. ort block allocation IP pool is used in the firewall policy
View answer
Correct Answer: BD
Question #87
Which statement is true about SSL VPN web mode?
A. The external network application sends data through the VPN
B. It assigns a virtual IP address to the client
C. It supports a limited number of protocols
D. The tunnel is up while the client is connected
View answer
Correct Answer: A
Question #88
Refer to the exhibits.Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.The WAN (port1) interface has the IP address 10.200.1.1/24.The LAN (port3) interface has the IP address 10.0.1.254/24.If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?
A. 10
B. 10
C. 10
D. 10
View answer
Correct Answer: C
Question #89
An employee connects to the https://example.com on the Internet using a web browser. The web server's certificate was signed by a private internal C
A. he FortiGate that is inspecting this traffic is configured for full SSL inspection
B. he web server's certificate
C. he user's personal certificate signed by a private internal CA
D. certificate signed by Fortinet_CA_SSL
E. certificate signed by Fortinet_CA_Untrusted
View answer
Correct Answer: D
Question #90
If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate take?
A. It notifies the administrator by sending an email
B. It provides a DLP block replacement page with a link to download the file
C. It blocks all future traffic for that IP address for a configured interval
D. It archives the data for that IP address
View answer
Correct Answer: C
Question #91
Examine the two static routes shown in the exhibit, then answer title following question.Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?
A. ortiGate will load balance all traffic across both routes
B. ortiGate will use the port1 route as the primary candidate
C. ortiGate will route twice as much traffic to the port2 route
D. ortiGate will only actuate the portl route m tlie routing table
View answer
Correct Answer: C
Question #92
Which three methods are used by the collector agent for AD polling? (Choose three.)
A. FortiGate polling
B. FSSO REST API
C. WMI
D. NetAPI
E. WinSecLog
View answer
Correct Answer: CDE
Question #93
What are two functions of the ZTNA rule? (Choose two.)
A. It redirects the client request to the access proxy
B. It applies security profiles to protect traffic
C. It defines the access proxy
D. It enforces access control
View answer
Correct Answer: BC
Question #94
Which of the following configuration settings are global settings? (Choose two.)
A. he FortiGate is able to handle NATed connections only with aggressive mode
B. ortiClient supports aggressive mode
C. he remote peers are able to provide their peer IDs in the first message with aggressive mode
D. ain mode does not support XAuth for user authentication
View answer
Correct Answer: AB
Question #95
If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?
A. IP address
B. No other object can be added
C. FQDN address
D. User or User Group
View answer
Correct Answer: B
Question #96
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
A. emote user's public IP address
B. he public IP address of the FortiGate device
C. he remote user's virtual IP address
D. he internal IP address of the FortiGate device
View answer
Correct Answer: D
Question #97
When configuring a firewall virtual wire pair policy, which following statement is true?
A. ny number of virtual wire pairs can be included, as long as the policy traffic direction is the same
B. nly a single virtual wire pair can be included in each policy
C. ny number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings
D. xactly two virtual wire pairs need to be included in each policy
View answer
Correct Answer: A
Question #98
Refer to the exhibit.Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. he IPS engine was inspecting high volume of traffic
B. he IPS engine was unable to prevent an intrusion attack
C. he IPS engine was blocking all traffic
D. he IPS engine will continue to run in a normal state
View answer
Correct Answer: A
Question #99
Refer to the exhibit.An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)
A. dd the support of NTLM authentication
B. dd user accounts to Active Directory (AD)
C. dd user accounts to the FortiGate group fitter
D. dd user accounts to the Ignore User List
View answer
Correct Answer: ACE
Question #100
Examine the exhibit, which contains a virtual IP and firewall policy configuration.The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
A. 0
B. ny available IP address in the WAN (port1) subnet 10
C. 0
D. 0
View answer
Correct Answer: C

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: