Master the NSE4_FGT-6.2 Fortinet NSE 4 - FortiOS 6.2 content and be ready for exam day success quickly with these Pass4sure NSE4_FGT-6.2 free practice questions. We guarantee it! We make it a reality and give you real NSE4_FGT-6.2 questions in our Fortinet NSE4_FGT-6.2 braindumps. Latest 100% VALID Fortinet NSE4_FGT-6.2 Exam Questions Dumps at below page. You can use our Fortinet NSE4_FGT-6.2 braindumps and pass your exam.
Free demo questions for Fortinet NSE4_FGT-6.2 Exam Dumps Below:
NEW QUESTION 1
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?
- A. To remove the NAT operation.
- B. To generate logs.
- C. To finish any inspection operations.
- D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.
Answer: D
NEW QUESTION 2
Examine the network diagram and the existing FGTI routing table shown in the exhibit, and then answer the following question:
An administrator has added the following static route on FGTI.
Since the change, the new static route is not showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?
- A. The new route’s destination subnet overlaps an existing route.
- B. The new route’s Distance value should be higher than 10.
- C. The Gateway IP address is not in the same subnet as port1.
- D. The Priority is 0, which means that this route will remain inactive.
Answer: C
NEW QUESTION 3
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
- A. The next-hop IP address is unreachable.
- B. It failed the RPF check.
- C. It matched an explicitly configured firewall policy with the action DENY.
- D. It matched the default implicit firewall policy.
Answer: D
NEW QUESTION 4
An administrator wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?
- A. tcp_port_scan
- B. ip_dst_session
- C. udp_flood
- D. ip_src_session
Answer: A
Explanation:
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/DoS%20Pr
NEW QUESTION 5
View the exhibit.
Based on the configuration shown in the exhibit, what statements about application control behavior are true? (Choose two.)
- A. Access to all unknown applications will be allowed.
- B. Access to browser-based Social.Media applications will be blocked.
- C. Access to mobile social media applications will be blocked.
- D. Access to all applications in Social.Media category will be blocked.
Answer: AB
NEW QUESTION 6
Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?
- A. Captures the logon events and forwards them to FortiGate.
- B. Captures the logon events and forwards them to the collector agent.
- C. Captures the logon and logoff events and forwards them to the collector agent.
- D. Captures the user IP address and workstation name and forwards them to FortiGate.
Answer: B
NEW QUESTION 7
HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could resolve this problem? (Choose two.)
- A. Enable Allow Invalid SSL Certificates for the relevant security profile.
- B. Change web browsers to one that does not support HPKP.
- C. Exempt those web sites that use HPKP from full SSL inspection.
- D. Install the CA certificate (that is required to verify the web server certificate) in the stores of users’ computers.
Answer: BC
NEW QUESTION 8
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statement about the VLAN sub interfaces is true?
- A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
- B. The two VLAN sub interfaces must have different VLAN IDs.
- C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
- D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
Answer: B
Explanation:
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf –> page 147
“Multiple VLANs can coexist in the same physical interface, provided they have different VLAN ID”
NEW QUESTION 9
Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)
- A. This is known as many-to-one NAT.
- B. Source IP is translated to the outgoing interface IP.
- C. Connections are tracked using source port and source MAC address.
- D. Port address translation is not used.
Answer: AB
NEW QUESTION 10
NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration does not change when you enable policy-based inspection?
- A. Web filtering
- B. Antivirus
- C. Web proxy
- D. Application control
Answer: B
NEW QUESTION 11
During the digital verification process, comparing the original and fresh hash results satisfies which security requirement?
- A. Authentication.
- B. Data integrity.
- C. Non-repudiation.
- D. Signature verification.
Answer: D
NEW QUESTION 12
View the exhibit.

What does this raw log indicate? (Choose two.)
- A. FortiGate blocked the traffic.
- B. type indicates that a security event was recorded.
- C. 10.0.1.20 is the IP address for lavito.tk.
- D. policyid indicates that traffic went through the IPS firewall policy.
Answer: AB
NEW QUESTION 13
An administrator wants to configure a FortiGate as a DNS server. FortiGate must use a DNS database first, and then relay all irresolvable queries to an external DNS server. Which of the following DNS methods must you use?
- A. Recursive
- B. Non-recursive
- C. Forward to primary and secondary DNS
- D. Forward to system DNS
Answer: A
NEW QUESTION 14
An administrator has configured the following settings:
What does the configuration do? (Choose two.)
- A. Reduces the amount of logs generated by denied traffic.
- B. Enforces device detection on all interfaces for 30 minutes.
- C. Blocks denied users for 30 minutes.
- D. Creates a session for traffic being denied.
Answer: AD
NEW QUESTION 15
Which statements about HA for FortiGate devices are true? (Choose two.)
- A. Sessions handled by proxy-based security profiles cannot be synchronized.
- B. Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs.
- C. HA management interface settings are synchronized between cluster members.
- D. Heartbeat interfaces are not required on the primary device.
Answer: AB
NEW QUESTION 16
Refer to the following exhibit.


Why is FortiGate not blocking the test file over FTP download?
- A. Deep-inspection must be enabled for FortiGate to fully scan FTP traffic.
- B. FortiGate needs to be operating in flow-based inspection mode in order to scan FTP traffic.
- C. The FortiSandbox signature database is required to successfully scan FTP traffic.
- D. The proxy options profile needs to scan FTP traffic on a non-standard port.
Answer: D
NEW QUESTION 17
View the exhibit.
A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?
- A. Addicting.Games is allowed based on the Application Overrides configuration.
- B. Addicting.Games is blocked on the Filter Overrides configuration.
- C. Addicting.Games can be allowed only if the Filter Overrides action is set to Exempt.
- D. Addicting.Games is allowed based on the Categories configuration.
Answer: A
NEW QUESTION 18
A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?
- A. Different SSL VPN realms for each group.
- B. Two separate SSL VPNs in different interfaces mapping the same ssl.root.
- C. Two firewall policies with different captive portals.
- D. Different virtual SSL VPN IP addresses for each group.
Answer: A
NEW QUESTION 19
Which statement is true regarding the policy ID number of a firewall policy?
- A. Defines the order in which rules are processed.
- B. Represents the number of objects used in the firewall policy.
- C. Required to modify a firewall policy using the CLI.
- D. Changes when firewall policies are reordered.
Answer: C
NEW QUESTION 20
Which one of the following processes is involved in updating IPS from FortiGuard?
- A. FortiGate IPS update requests are sent using UDP port 443.
- B. Protocol decoder update requests are sent to service.fortiguard.net.
- C. IPS signature update requests are sent to update.fortiguard.net.
- D. IPS engine updates can only be obtained using push updates.
Answer: C
Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/07-FortiGuard.htm
NEW QUESTION 21
View the exhibit.
Which users and user groups are allowed access to the network through captive portal?
- A. Users and groups defined in the firewall policy.
- B. Only individual users – not groups – defined in the captive portal configuration.
- C. Groups defined in the captive portal configuration.
- D. All users.
Answer: A
NEW QUESTION 22
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)
- A. To detect intermediary NAT devices in the tunnel path.
- B. To dynamically change phase 1 negotiation mode to aggressive mode.
- C. To encapsulate ESP packets in UDP packets using port 4500.
- D. To force a new DH exchange with each phase 2 rekey.
Answer: AC
NEW QUESTION 23
Examine the two static routes shown in the exhibit, then answer the following question.
Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?
- A. FortiGate will load balance all traffic across both routes.
- B. FortiGate will use the port1 route as the primary candidate.
- C. FortiGate will route twice as much traffic to the port2 route.
- D. FortiGate will only activate the port1 route in the routing table.
Answer: B
Explanation:
“If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.”
NEW QUESTION 24
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
- A. Log downloads from the GUI are limited to the current filter view.
- B. Log backups from the CLI cannot be restored to another FortiGate.
- C. Log backups from the CLI can be configured to upload to FTP at a scheduled time.
- D. Log downloads from the GUI are stored as LZ4 compressed files.
Answer: BC
NEW QUESTION 25
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
- A. The firmware image must be manually uploaded to each FortiGate.
- B. Only secondary FortiGate devices are rebooted.
- C. Uninterruptible upgrade is enabled by default.
- D. Traffic load balancing is temporarily disabled while upgrading the firmware.
Answer: BD
NEW QUESTION 26
......