Exam Code: NSE4_FGT-6.4 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Fortinet NSE 4 - FortiOS 6.4
Certification Provider: Fortinet
Free Today! Guaranteed Training- Pass NSE4_FGT-6.4 Exam.

Fortinet NSE4_FGT-6.4 Free Dumps Questions Online, Read and Test Now.

NEW QUESTION 1
Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.)

  • A. Source IP
  • B. Spillover
  • C. Volume
  • D. Session

Answer: CD

NEW QUESTION 2
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

  • A. remote user’s public IP address
  • B. The public IP address of the FortiGate device.
  • C. The remote user’s virtual IP address.
  • D. The internal IP address of the FortiGate device.

Answer: D

Explanation:
Source IP seen by the remote resources is FortiGate’s internal IP address and not the user’s IP address

NEW QUESTION 3
Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration. The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24. The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

  • A. 10.200.1.1
  • B. 10.200.3.1
  • C. 10.200.1.100
  • D. 10.200.1.10

Answer: A

NEW QUESTION 4
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

  • A. The strict RPF check is run on the first sent and reply packet of any new session.
  • B. Strict RPF checks the best route back to the sourceusingtheincoming interface.
  • C. Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.
  • D. Strict RPF allows packets back to sources with all active routes.

Answer: A

NEW QUESTION 5
Refer to theexhibits.
NSE4_FGT-6.4 dumps exhibit
NSE4_FGT-6.4 dumps exhibit
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but they areunableto leavereactions on videos or other types ofposts.
Which part ofthe policy configuration must you change to resolve the issue?

  • A. The SSL inspection needs tobe a deep content inspection.
  • B. Force access to Facebook using the HTTP service.
  • C. Additional application signatures arerequired to add to thesecurity policy.
  • D. Add Facebook in the URL category in the security policy.

Answer: A

NEW QUESTION 6
Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

  • A. The IPS engine was inspecting high volume of traffic.
  • B. The IPS engine was unable to prevent an intrusion attack.
  • C. The IPS engine was blocking all traffic.
  • D. The IPS engine will continue to run in a normal state.

Answer: C

NEW QUESTION 7
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

  • A. The keyUsage extension must be set to keyCertSign.
  • B. The common name on the subject field must use a wildcard name.
  • C. The issuer must be a public CA.
  • D. The CA extension must be set to TRUE.

Answer: BD

NEW QUESTION 8
Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

  • A. DNS
  • B. ping
  • C. udp-echo
  • D. TWAMP

Answer: AC

NEW QUESTION 9
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

  • A. By default, FortiGate uses WINS servers to resolve names.
  • B. By default, the SSL VPN portal requires the installation of a client’s certificate.
  • C. By default, split tunneling is enabled.
  • D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Answer: D

NEW QUESTION 10
NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration does not change when you enable policy-based inspection?

  • A. Web filtering
  • B. Antivirus
  • C. Web proxy
  • D. Application control

Answer: B

NEW QUESTION 11
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

  • A. FortiGate points the collector agent to use a remote LDAP server.
  • B. FortiGate uses the AD server as the collector agent.
  • C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
  • D. FortiGate queries AD by using the LDAP to retrieve user group information.

Answer: CD

NEW QUESTION 12
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
*All traffic must be routed through the primary tunnel when both tunnels are up
*The secondary tunnel must be used only if the primary tunnel goes down
*In addition, FortiGate should be able to detect a dead tunnel to speed up tunnelfailover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

  • A. Enable Dead Peer Detection.
  • B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  • C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
  • D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the state route for the secondary tunnel.

Answer: A

NEW QUESTION 13
Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
Which contains a network diagram and routing table output. The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

  • A. The first packet sent from Student failed the RPF check.This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • B. The first reply packet for Student failed the RPF check.This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • C. The first reply packet for Student failed the RPF check.This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
  • D. The first packet sent from Student failed the RPF check.This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Answer: C

NEW QUESTION 14
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

  • A. The interface has been configured for one-arm sniffer.
  • B. The interface is a member of a virtual wire pair.
  • C. The operation mode is transparent.
  • D. The interface is a member of a zone.
  • E. Captive portal is enabled in the interface.

Answer: ABC

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

NEW QUESTION 15
An administrator Is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A. the local quick mode selector is 192.160.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

  • A. 192.168.1.0/24
  • B. 192.168.0.0/24
  • C. 192.168.2.0/24
  • D. 192.168.3.0/24

Answer: B

NEW QUESTION 16
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

  • A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
  • B. An SA never expires.
  • C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
  • D. Phase 2 SA expiration can be time-based, volume-based, or both.
  • E. Both the phase 1 SA and phase 2 SA are bidirectional.

Answer: BCD

NEW QUESTION 17
How do you format the FortiGate flash disk?

  • A. Load a debug FortiOS image.
  • B. Load the hardware test (HQIP) image.
  • C. Execute the CLI command execute formatlogdisk.
  • D. Select the format boot device option from the BIOS menu.

Answer: D

NEW QUESTION 18
Examine this PAC file configuration.
NSE4_FGT-6.4 dumps exhibit
Which of the following statements are true? (Choose two.)

  • A. Browsers can be configured to retrieve this PAC file from the FortiGate.
  • B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
  • C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
  • D. Any web request fortinet.com is allowed to bypass the proxy.

Answer: AD

NEW QUESTION 19
Examine this FortiGate configuration:
NSE4_FGT-6.4 dumps exhibit
How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

  • A. It always authorizes the traffic without requiring authentication.
  • B. It drops the traffic.
  • C. It authenticates the traffic using the authentication scheme SCHEME2.
  • D. It authenticates the traffic using the authentication scheme SCHEME1.

Answer: D

Explanation:
“What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”

NEW QUESTION 20
Which three statements about a flow-based antivirus profile are correct? (Choose three.)

  • A. IPS engine handles the process as a standalone.
  • B. FortiGate buffers the whole file but transmits to the client simultaneously.
  • C. If the virus is detected, the last packet is delivered to the client.
  • D. Optimized performance compared to proxy-based inspection.
  • E. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

Answer: CDE

NEW QUESTION 21
Which of statement is true about SSL VPN web mode?

  • A. The tunnel is up while the client is connected.
  • B. It supports a limited number of protocols.
  • C. The external network application sends data through the VPN.
  • D. It assigns a virtual IP address to the client.

Answer: C

NEW QUESTION 22
Which of the following statements about central NAT are true? (Choose two.)

  • A. IP tool references must be removed from existing firewall policies before enabling central NAT.
  • B. Central NAT can be enabled or disabled from the CLI only.
  • C. Source NAT, using central NAT, requires at least one central SNAT policy.
  • D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Answer: AB

NEW QUESTION 23
Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

  • A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
  • B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
  • C. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
  • D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Answer: D

NEW QUESTION 24
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
NSE4_FGT-6.4 dumps exhibit
NSE4_FGT-6.4 dumps exhibit
An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

  • A. The IPS filter is missing the Protocol: HTTPS option.
  • B. The HTTPS signatures have not been added to the sensor.
  • C. A DoS policy should be used, instead of an IPS sensor.
  • D. A DoS policy should be used, instead of an IPS sensor.
  • E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW QUESTION 25
Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access internet. TheTo_lnternet VDOM is the only VDOM with internet access and is directly connected to ISP modem.
Which two statements are true? (Choose two.)

  • A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  • B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.
  • C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  • D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Answer: AD

NEW QUESTION 26
......

100% Valid and Newest Version NSE4_FGT-6.4 Questions & Answers shared by Surepassexam, Get Full Dumps HERE: https://www.surepassexam.com/NSE4_FGT-6.4-exam-dumps.html (New 94 Q&As)