NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Which three methods are used by the collector agent for AD polling? (Choose three.)

WMI

WinSecLog

NetAPI

Novell API

FortiGate polling

Which two statements are true about the Security Fabric rating?

Many of the security issues can be fixed immediately by clicking Apply where available

The Security Fabric rating is a free service that comes bundled with all FortiGate devices

It provides executive summaries of the four largest areas of security focus

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

In which two ways can RPF checking be disabled? (Choose two.)

Disable strict-src-check under system settings.

Enable anti-replay in firewall policy.

Enable asymmetric routing.

Disable the RPF check at the FortiGate interface level for the source check.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

By Sequence view will be disabled

Policy lookup will be disabled

Interface Pair view will be disabled

Search option will be disabled

None

What devices form the core of the security fabric?

Two FortiGate devices and one FortiManager device

One FortiGate device and one FortiManager device

Two FortiGate devices and one Forti Analyzer device

One FortiGate device and one Forti Analyzer device

None

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Firewall policy

Security policy

Policy rule

SSL inspection and authentication policy

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

HTTPS

SSH

FTM

FortiTelemetry

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Traffic shaping

PKI

FortiGuard web filter queries

DNS

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?

The two VLAN sub interfaces can have the same VLAN ID only if they belong to different VDOMs.

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in different subnets.

The two VLAN sub interfaces must have different VLAN IDs.

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

None

10.

wo protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

TWAMP

DNS

udp-echo

ping

11.

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Add user accounts to the FortiGate group filter

Add user accounts to the Ignore User List

Add the support of NTLM authentication

Add user accounts to Active Directory (AD)

None

12.

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

diagnose wad session list | grep hook-pre&&hook-out

diagnose wad session list | grep "hook=pre"&"hook=out"

diagnose wad session list

diagnose wad session list | grep hook=pre&&hook=out

None

13.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

The SSL inspection needs to be a deep content inspection

Add Facebook in the URL category in the security policy

Additional application signatures are required to add to the security policy

Force access to Facebook using the HTTP service

None

14.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

DNS-based web filter and proxy-based web filter

Static domain filter, SSL inspection filter, and external connectors filters

FortiGuard category filter and rating filter

Static URL filter, FortiGuard category filter, and advanced filters

None

15.

Which two statements are correct about a software switch on FortiGate? (Choose two.)

It can group only physical interfaces

All interfaces in the software switch share the same IP address

It can be configured only when FortiGate is operating in NAT mode

Can act as a Layer 2 switch as well as a Layer 3 router

16.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

By default, split tunneling is enabled.

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, FortiGate uses WINS servers to resolve names.

None

17.

Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

IP-based authentication is enabled

Policy-based authentication is enabled

Route-based authentication is enabled

Session-based authentication is enabled

None

18.

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

Source defined as Internet Services in the firewall policy.

Services defined in the firewall policy.

Destination defined as Internet Services in the firewall policy.

Highest to lowest priority defined in the firewall policy.

Lowest to highest policy ID number.

19.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Enable asymmetric routing, so the RPF check will be bypassed.

Enable asymmetric routing at the interface level.

Disable the RPF check at the FortiGate interface level for the reply check.

Disable the RPF check at the FortiGate interface level for the source check.

None

20.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile UI proxy-based inspection mode? (Choose two.)

Learn

Exempt

Allow

Warning

21.

Which statement regarding the firewall policy authentication timeout is true?

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

None

22.

Refer to the exhibits. Based on the system performance output, which two statements are correct? (Choose two.)

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Administrators cannot change the configuration

Administrators can access FortiGate only through the console port

FortiGate will start sending all files to FortiSandbox for inspection

FortiGate has entered conserve mode

23.

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Dialup User

Pre-shared Key

Dynamic DNS

Static IP Address

None

24.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Log ID

Sequence ID

Policy ID

Universally Unique Identifier

None

25.

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

Uninterruptable upgrade is enabled by default.

Traffic load balancing is temporally disabled while upgrading the firmware.

The firmware image must be manually uploaded to each FortiGate.

Only secondary FortiGate devices are rebooted.

26.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

FortiGuard update servers

NGFW mode

System time

Operating mode

27.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

The serial number in the server certificate

The host field in the HTTP header

The server name indication (SNI) extension in the client hello message

The subject alternative name (SAN) field in the server certificate

The subject field in the server certificate

28.

An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?

hard-timeout

new-session

idle-timeout

auth-on-demand

soft-timeout

None

29.

In an explicit proxy setup, where is the authentication method and database configured?

Authentication Rule

Authentication scheme

Proxy Policy

Firewall Policy

None

30.

Refer to the exhibit. The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Authentication is enforced at a policy level; all users will be prompted for authentication.

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

If there is a fall-through policy in place, users will not be prompted for authentication.

None

31.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

Connections are tracked using source port and source MAC address.

Source IP is translated to the outgoing interface IP.

Port address translation is not used.

This is known as many-to-one NAT.

32.

Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?

The session is a UDP unidirectional state.

The session is a bidirectional UDP connection.

The session is a bidirectional TCP connection.

The session is in TCP ESTABLISHED state.

None

33.

Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services. What CLI command must the administrator use to view the route?

diagnose firewall proute list

get router info routing-table all

get internet service route list

get router info routing-table database

None

34.

How does FortiGate act when using SSL VPN in web mode?

FortiGate acts as an HTTP reverse proxy.

FortiGate acts as router.

FortiGate acts as an FDS server.

FortiGate acts as DNS server.

None

35.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Enable Dead Peer Detection.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

36.

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Intrusion prevention system engine

Antivirus engine

Intrusion prevention system engine

None

37.

What are the two results of this configuration? (Choose two.)

An administrator has configured the following settings:
config system setting

set ses-denied-traffic enable

end

config system global

set block -session-timer 30

end

Denied users are blocked for 30 minutes.

A session for denied traffic is created

The number of logs generated by denied traffic is reduced

Device detection on all interfaces is enforced for 30 minutes

38.

Which two statements are true about the RPF check? (Choose two.)

RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.

The RPF check is run on the first reply packet of any new session.

The RPF check is run on the first sent packet of any new session.

The RPF check is run on the first sent and reply packet of any new session.

39.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

new-session

auth-on-demand

Idle-timeout

hard-timeout

soft-timeout

40.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

Once Internet Service is selected, no other object can be added

FQDN address

User or User Group

IP address

None

41.

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

FG-traffic VDOM

Root VDOM

Global VDOM

Customer VDOM

None

42.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating override for the home page? (Choose two.)

www.example.com

www.example.com:443

www.example.com/index.html

example.com

43.

Refer to the exhibits to view the firewall policy and the antivirus profile. Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

The flow-based inspection is used, which resets the last packet to the user.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

The volume of traffic being inspected is too high for this model of FortiGate.

The firewall policy performs the full content inspection on the file.

None

44.

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Proxy-based inspection

Flow-based inspection

Certificate inspection

Full Content inspection

45.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

On Remote-FortiGate, set Seconds to 43200.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

On HQ-FortiGate, enable Auto-negotiate.

On HQ-FortiGate, set Encryption to AES256.

None

46.

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

A certificate is not required on the remote peer when you set the signature as the authentication method.

FortiGate supports pre-shared key and signature as authentication methods.

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

47.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Consider the topology:
Application on a Windows machine FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

Create a new service object for TELNET and set the maximum session TTL.

Set the maximum session TTL value for the TELNET service object.

48.

Refer to the exhibit. Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

The signature setting uses a custom rating threshold.

The signature setting includes a group of other signatures.

Traffic matching the signature will be allowed and logged.

Traffic matching the signature will be silently dropped and logged.

None

49.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Logical Topology

Fabric Connectors

Security Rating

Automation Stitches

None

50.

Which statement about the policy ID number of a firewall policy is true?

It defines the order in which rules are processed

It represents the number of objects used in the firewall policy

It is required to modify a firewall policy using the CLI

It changes when firewall policies are reordered

None

51.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

The Services field removes the requirement of creating multiple VIPs for different services.

The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.

The Services field is used when several VIPs need to be bundled into VIP groups.

None

52.

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

Intrusion prevention

File filter

DNS filter

Antivirus scanning

53.

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

The internal IP address of the FortiGate device.

The remote user's virtual IP address.

The public IP address of the FortiGate device.

remote user's public IP address

None

54.

Refer to the exhibit. Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.

Disable match-vip in the Deny policy.

Enable match-vip in the Deny policy.

Set the Destination address as Web_server in the Deny policy.

Set the Destination address as Deny_IP in the Allow-access policy.

55.

Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

Participants configured are not SD-WAN members.

The Ping protocol is not supported for the public servers that are configured.

You need to turn on the Enable probe packets switch.

There may not be a static route to route the performance SLA traffic.

None

56.

Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two.)

Log severity is set to error on FortiGate.

Traffic is blocked because Action is set to DENY in the firewall policy.

Traffic belongs to the root VDOM.

This is a security log.

57.

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

Set the TTL value to never under config system-ttl.

Set the session TTL on the HTTP policy to maximum.

Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

Create a new service object for HTTP service and set the session TTL to never.

58.

Refer to the exhibit. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

There are 19 security recommendations for the security fabric

This security fabric topology is a logical topology view.

There are five devices that are part of the security fabric.

Device detection is disabled on all FortiGate devices.

59.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

execute ping

get system arp

diagnose sniffer packet any

diagnose sys top

execute traceroute

60.

Refer to the exhibit. An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)

Interface name

Ethernet header

Application header

Packet payload

IP header

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply Cancel