Up To The Immediate Present NSE4_FGT-7.0 Questions Pool For Fortinet NSE 4 - FortiOS 7.0 Certification

NEW QUESTION 1

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

• A. Warning
• B. Exempt
• C. Allow
• D. Learn

Answer: AC

NEW QUESTION 2

Refer to the exhibit.

Which contains a session diagnostic output. Which statement is true about the session diagnostic output?

• A. The session is in SYN_SENT state.
• B. The session is in FIN_ACK state.
• C. The session is in FTN_WAIT state.
• D. The session is in ESTABLISHED state.

Answer: A

Explanation:
Indicates TCP (proto=6) session in SYN_SENT state (proto=state=2) https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NEW QUESTION 3

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

• A. NGFW policy-based mode does not require the use of central source NAT policy
• B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
• C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
• D. NGFW policy-based mode policies support only flow inspection

Answer: CD

NEW QUESTION 4

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

• A. www.example.com:443
• B. www.example.com
• C. example.com
• D. www.example.com/index.html

Answer: BC

Explanation:
FortiGate_Security_6.4 page 384
When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names— "no URLs or wildcard characters are allowed".

NEW QUESTION 5

Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

• A. Change password
• B. Enable restrict access to trusted hosts
• C. Change Administrator profile
• D. Enable two-factor authentication

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD34502

NEW QUESTION 6

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

• A. Static IP Address
• B. Dialup User
• C. Dynamic DNS
• D. Pre-shared Key

Answer: B

Explanation:
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup clien and this is often the case for branch offices and mobile VPN clients that use dynamic IP address and no dynamic DNS

NEW QUESTION 7

Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

• A. It always authorizes the traffic without requiring authentication.
• B. It drops the traffic.
• C. It authenticates the traffic using the authentication scheme SCHEME2.
• D. It authenticates the traffic using the authentication scheme SCHEME1.

Answer: D

Explanation:
“What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”

NEW QUESTION 8

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

• A. FG-traffic
• B. Mgmt
• C. FG-Mgmt
• D. Root

Answer: AD

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/758820/split-task-vdom-mode

NEW QUESTION 9

In which two ways can RPF checking be disabled? (Choose two )

• A. Enable anti-replay in firewall policy.
• B. Disable the RPF check at the FortiGate interface level for the source check
• C. Enable asymmetric routing.
• D. Disable strict-arc-check under system settings.

Answer: CD

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

NEW QUESTION 10

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

• A. To allow for out-of-order packets that could arrive after the FIN/ACK packets
• B. To finish any inspection operations
• C. To remove the NAT operation
• D. To generate logs

Answer: A

Explanation:
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.

NEW QUESTION 11

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

• A. The IP version of the sources and destinations in a firewall policy must be different.
• B. The Incoming Interfac
• C. Outgoing Interfac
• D. Schedule, and Service fields can be shared with both IPv4 and IPv6.
• E. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
• F. The IP version of the sources and destinations in a policy must match.
• G. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Answer: BDE

NEW QUESTION 12

Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

• A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration
• B. Apple FaceTime will be allowed, based on the Apple filter configuration.
• C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
• D. Apple FaceTime will be allowed, based on the Categories configuration.

Answer: A

NEW QUESTION 13

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

• A. The port3 default route has the highest distance.
• B. The port3 default route has the lowest metric.
• C. There will be eight routes active in the routing table.
• D. The port1 and port2 default routes are active in the routing table.

Answer: AD

NEW QUESTION 14

Which feature in the Security Fabric takes one or more actions based on event triggers?

• A. Fabric Connectors
• B. Automation Stitches
• C. Security Rating
• D. Logical Topology

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/286973/fortinet-security-fabric

NEW QUESTION 15

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

• A. Run a sniffer on the web server.
• B. Capture the traffic using an external sniffer connected to port1.
• C. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”
• D. Execute a debug flow.

Answer: D

NEW QUESTION 16

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

• A. Proxy-based inspection
• B. Certificate inspection
• C. Flow-based inspection
• D. Full Content inspection

Answer: AC

NEW QUESTION 17

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

• A. Implement a web filter category override for the specified website
• B. Implement a DNS filter for the specified website.
• C. Implement web filter quotas for the specified website
• D. Implement web filter authentication for the specified website.

Answer: D

NEW QUESTION 18

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

• A. Log ID
• B. Universally Unique Identifier
• C. Policy ID
• D. Sequence ID

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewall-policies

NEW QUESTION 19

Which of the following statements about central NAT are true? (Choose two.)

• A. IP tool references must be removed from existing firewall policies before enabling central NAT.
• B. Central NAT can be enabled or disabled from the CLI only.
• C. Source NAT, using central NAT, requires at least one central SNAT policy.
• D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Answer: AB

NEW QUESTION 20
......