NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Which two statements are true about collector agent standard access mode? (Choose two.)

Standard mode security profiles apply to organizational units (OU).

Standard mode uses Windows convention-NetBios: Domain\Username.

Standard mode security profiles apply to user groups.

Standard access mode supports nested groups.

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

Application control

Web application firewall

Denial of Service

Antivirus

None

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

Web application firewall

Application control

DNS filter

Web filter in flow-based inspection

Antivirus in flow-based inspection

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

The administrator can use a third-party radius OTP server.

The administrator must use a FortiAuthenticator device.

The administrator can register the same FortiToken on more than one FortiGate.

The administrator must use the user self-registration server.

None

Refer to the exhibit. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Device detection is disabled on all FortiGate devices.

There are 19 security recommendations for the security fabric

There are five devices that are part of the security fabric.

This security fabric topology is a logical topology view.

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

Source defined as Internet Services in the firewall policy.

Highest to lowest priority defined in the firewall policy.

Destination defined as Internet Services in the firewall policy.

Lowest to highest policy ID number.

Services defined in the firewall policy.

Which three statements are true regarding session-based authentication? (Choose three.)

It requires more resources.

HTTP sessions are treated as a single user.

IP sessions from the same source IP address are treated as a single user.

It is not recommended if multiple users are behind the source NAT

It can differentiate among multiple clients behind the same source IP address.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To dynamically change phase 1 negotiation mode aggressive mode.

To force a new DH exchange with each phase 2 rekey.

To encapsulation ESP packets in UDP packets using port 4500.

To delete intermediary NAT devices in the tunnel path.

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

If the virus is detected, the last packet is delivered to the client

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection

FortiGate buffers the whole file but transmits to the client simultaneously

Optimized performance compared to proxy-based inspection

IPS engine handles the process as a standalone

10.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile UI proxy-based inspection mode? (Choose two.)

Learn

Exempt

Allow

Warning

11.

wo protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

DNS

ping

TWAMP

udp-echo

12.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement web filter authentication for the specified website.

Implement a web filter category override for the specified website

Implement a DNS filter for the specified website.

Implement web filter quotas for the specified website

None

13.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

diagnose sys top

execute ping

diagnose sniffer packet any

get system arp

execute traceroute

14.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

Interface Pair view will be disabled

Search option will be disabled

Policy lookup will be disabled

By Sequence view will be disabled

None

15.

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

FortiCloud

FortiAnalyzer

FortiSIEM

FortiSandbox

FortiCache

16.

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Policy rule

Firewall policy

SSL inspection and authentication policy

Security policy

17.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Heartbeat interfaces have virtual IP addresses that are manually assigned

Virtual IP addresses are used to distinguish between cluster members

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster

The primary device in the cluster is always assigned IP address 169.254.0.1

18.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the application category only.

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to the browser-based technology category only.

None

19.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

Interface Pair view will be disabled

By Sequence view will be disabled

Search option will be disabled

Policy lookup will be disabled

None

20.

Which scanning technique on FortiGate can be enabled only on the CLI?

Trojan scan

Heuristics scan

Antivirus scan

Ransomware scan

None

21.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

FQDN address

User or User Group

IP address

Once Internet Service is selected, no other object can be added

None

22.

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

set protocol udp

set webfilter-force-off disable

set fortiguard-anycast disable

set webfilter-cache disable

23.

Which three methods are used by the collector agent for AD polling? (Choose three.)

NetAPI

WMI

WinSecLog

Novell API

FortiGate polling

24.

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

FortiGate supports pre-shared key and signature as authentication methods.

A certificate is not required on the remote peer when you set the signature as the authentication method.

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

25.

Refer to the exhibit. Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.

10.200.1.1

10.200.3.1

10.200.1.100

10.200.1.10

None

26.

Refer to the exhibits to view the firewall policy and the antivirus profile. Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

The volume of traffic being inspected is too high for this model of FortiGate.

The firewall policy performs the full content inspection on the file.

The flow-based inspection is used, which resets the last packet to the user.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

None

27.

Examine the two static routes shown in the exhibit, then answer the following question. Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

FortiGate will only actuate the port1 route in the routing table

FortiGate will load balance all traffic across both routes.

FortiGate will use the port1 route as the primary candidate.

FortiGate will route twice as much traffic to the port2 route

None

28.

Refer to the exhibit. The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Change the SSL VPN port on the client.

Change the idle-timeout.

Change the SSL VPN portal to the tunnel.

Change the Server IP address.

None

29.

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

Antivirus definitions are not up to date

SSL/SSH Inspection profile is incorrect

Application control is not enabled

Antivirus profile configuration is incorrect

None

30.

Refer to the exhibit to view the firewall policy. Which statement is correct if well-known viruses are not being blocked?

Web filter should be enabled on the firewall policy to complement the antivirus profile.

The action on the firewall policy must be set to deny.

The firewall policy does not apply deep content inspection.

The firewall policy must be configured in proxy-based inspection mode.

None

31.

Refer to the exhibit. An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)

IP header

Interface name

Application header

Packet payload

Ethernet header

32.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.

The Services field removes the requirement of creating multiple VIPs for different services.

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

The Services field is used when several VIPs need to be bundled into VIP groups.

None

33.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Automation Stitches

Fabric Connectors

Logical Topology

Security Rating

None

34.

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

FG-traffic VDOM

Customer VDOM

Root VDOM

Global VDOM

None

35.

Refer to the exhibit. Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.

Enable match-vip in the Deny policy.

Set the Destination address as Web_server in the Deny policy.

Disable match-vip in the Deny policy.

Set the Destination address as Deny_IP in the Allow-access policy.

36.

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

SQL injection attacks

Traffic to botnetservers

Server information disclosure attacks

Credit card data leaks

Traffic to inappropriate web sites

37.

Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

The port3 default route has the lowest metric

The port1 and port2 default routes are active in the routing table

There will be eight routes active in the routing table

The port3 default route has the highest distance

38.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

This is known as many-to-one NAT.

Port address translation is not used.

Connections are tracked using source port and source MAC address.

Source IP is translated to the outgoing interface IP.

39.

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

The two VLAN sub interfaces can have the same VLAN ID only if they belong to different VDOMs.

The two VLAN sub interfaces must have different VLAN IDs.

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in different subnets.

None

40.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

41.

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Intrusion prevention system engine

Antivirus engine

Intrusion prevention system engine

None

42.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Spillover

Session

Source IP

Volume

43.

An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?

Redundant interface

Software Switch interface

VLAN interface

Aggregate interface

None

44.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The keyUsage extension must be set to keyCertSign

The issuer must be a public CA

The common name on the subject field must use a wildcard name

The CA extension must be set to TRUE

45.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

Additional application signatures are required to add to the security policy

The SSL inspection needs to be a deep content inspection

Force access to Facebook using the HTTP service

Add Facebook in the URL category in the security policy

None

46.

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

Automated Response

Optimization

Security Posture

Fabric Coverage

None

47.

Refer to the FortiGuard connection debug output. Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

FortiGate is using default FortiGuard communication settings.

One server was contacted to retrieve the contract information.

There is at least one server that lost packets consecutively.

A local FortiManager is one of the servers FortiGate communicates with.

48.

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Port block allocation IP pool is used in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

Overload NAT IP pool is used in the firewall policy

None

49.

Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

The IPS engine was blocking all traffic

The IPS engine was unable to prevent an intrusion attack

The IPS engine will continue to run in a normal state

The IPS engine was inspecting high volume of traffic

None

50.

Which two statements are true about the FGCP protocol? (Choose two.)

Not used when FortiGate is in Transparent mode

Runs only over the heartbeat links

Is used to discover FortiGate devices in different HA groups

Elects the primary FortiGate device

51.

Which two statements are true about collector agent advanced mode? (Choose two.)

Advanced mode supports nested or inherited groups.

Security profiles can be applied only to user groups, nor individual users.

Advanced mode uses Windows convention-NetBios: Domain\Username.

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

52.

Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. Which two statements are true? (Choose two.)

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

Inter-VDOM links are not required between the Root and To-Internet VDOMs because the Root VDOM is used only as a management VDOM.

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

A static route is required on the To-Internet VDOM to allow LAN users to access the Internet.

53.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

Implement a web filter category override for the specified website.

Implement web filter quotas for the specified website.

Implement a DNS filter for the specified website.

Implement web filter authentication for the specified website.

None

54.

Which two statements about antivirus scanning mode are true? (Choose two.)

In proxy-based inspection mode, files bigger than the buffer size are scanned

In flow-based inspection mode, files bigger than the buffer size are scanned

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client

In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client

55.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

auth-on-demand

new-session

Idle-timeout

soft-timeout

hard-timeout

56.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Policy ID

Sequence ID

Universally Unique Identifier

Log ID

None

57.

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?

Enabled

Disabled

On Idle

On Demand

None

58.

An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?

auth-on-demand

idle-timeout

new-session

soft-timeout

hard-timeout

None

59.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, FortiGate uses WINS servers to resolve names.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, split tunneling is enabled.

None

60.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Dead Peer Detection.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply Cancel