NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Which two types of traffic are managed only by the management VDOM? (Choose two.)

PKI

DNS

Traffic shaping

FortiGuard web filter queries

Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

The IPS engine was blocking all traffic

The IPS engine was inspecting high volume of traffic

The IPS engine was unable to prevent an intrusion attack

The IPS engine will continue to run in a normal state

None

You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk. What is the default behavior when the local disk is full?

No new log is recorded until you manually clear logs from the local disk.

No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.

Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.

None

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

By Sequence view will be disabled

Interface Pair view will be disabled

Search option will be disabled

Policy lookup will be disabled

None

Which of statement is true about SSL VPN web mode?

The tunnel is up while the client is connected.

The external network application sends data through the VPN.

It assigns a virtual IP address to the client.

It supports a limited number of protocols.

None

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

Create a new service object for HTTP service and set the session TTL to never.

Set the session TTL on the HTTP policy to maximum.

Set the TTL value to never under config system-ttl.

Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

Antivirus definitions are not up to date

Antivirus profile configuration is incorrect

SSL/SSH Inspection profile is incorrect

Application control is not enabled

None

Refer to the exhibit. Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.

10.200.3.1

10.200.1.1

10.200.1.100

10.200.1.10

None

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Session

Source IP

Spillover

Volume

10.

Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

Policy-based authentication is enabled

IP-based authentication is enabled

Route-based authentication is enabled

Session-based authentication is enabled

None

11.

Refer to the exhibit showing a debug flow output. Which two statements about the debug flow output are correct? (Choose two.)

A new traffic session is created

The default route is required to receive a reply

A firewall policy allowed the connection

The debug flow is of ICMP traffic

12.

What is the primary FortiGate election process when the HA override setting is disabled?

Connected monitored ports > HA uptime > Priority > FortiGate Serial number

Connected monitored ports > Priority > HA uptime > FortiGate Serial number

Connected monitored ports > System uptime > Priority > FortiGate Serial number

Connected monitored ports > Priority > System uptime > FortiGate Serial number

None

13.

Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

There may not be a static route to route the performance SLA traffic.

Participants configured are not SD-WAN members.

You need to turn on the Enable probe packets switch.

The Ping protocol is not supported for the public servers that are configured.

None

14.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile UI proxy-based inspection mode? (Choose two.)

Allow

Exempt

Warning

Learn

15.

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

FortiGate supports pre-shared key and signature as authentication methods.

A certificate is not required on the remote peer when you set the signature as the authentication method.

16.

Which three methods are used by the collector agent for AD polling? (Choose three.)

NetAPI

Novell API

WinSecLog

WMI

FortiGate polling

17.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

On HQ-FortiGate, enable Diffie-Hellman Group 2.

On HQ-FortiGate, enable Auto-negotiate.

On Remote-FortiGate, set Seconds to 43200.

On HQ-FortiGate, set Encryption to AES256.

None

18.

How does FortiGate act when using SSL VPN in web mode?

FortiGate acts as DNS server.

FortiGate acts as router.

FortiGate acts as an HTTP reverse proxy.

FortiGate acts as an FDS server.

None

19.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

The SSL inspection needs to be a deep content inspection

Add Facebook in the URL category in the security policy

Additional application signatures are required to add to the security policy

Force access to Facebook using the HTTP service

None

20.

In an explicit proxy setup, where is the authentication method and database configured?

Authentication Rule

Authentication scheme

Firewall Policy

Proxy Policy

None

21.

Refer to the exhibit to view the firewall policy. Which statement is correct if well-known viruses are not being blocked?

The action on the firewall policy must be set to deny.

The firewall policy must be configured in proxy-based inspection mode.

The firewall policy does not apply deep content inspection.

Web filter should be enabled on the firewall policy to complement the antivirus profile.

None

22.

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

Security Posture

Optimization

Fabric Coverage

Automated Response

None

23.

Which three statements are true regarding session-based authentication? (Choose three.)

IP sessions from the same source IP address are treated as a single user.

It is not recommended if multiple users are behind the source NAT

It can differentiate among multiple clients behind the same source IP address.

It requires more resources.

HTTP sessions are treated as a single user.

24.

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Security policy

Policy rule

SSL inspection and authentication policy

Firewall policy

25.

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Full Content inspection

Flow-based inspection

Proxy-based inspection

Certificate inspection

26.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

auth-on-demand

new-session

Idle-timeout

hard-timeout

soft-timeout

27.

Which two statements are correct about SLA targets? (Choose two.)

SLA targets are optional.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

You can configure only two SLA targets per one Performance SLA.

SLA targets are used only when referenced by an SD-WAN rule.

28.

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

set fortiguard-anycast disable

set webfilter-cache disable

set protocol udp

set webfilter-force-off disable

29.

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

The two VLAN sub interfaces must have different VLAN IDs.

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in different subnets.

The two VLAN sub interfaces can have the same VLAN ID only if they belong to different VDOMs.

None

30.

Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two.)

This is a security log.

Traffic belongs to the root VDOM.

Traffic is blocked because Action is set to DENY in the firewall policy.

Log severity is set to error on FortiGate.

31.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Automation Stitches

Security Rating

Logical Topology

Fabric Connectors

None

32.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

IP address

FQDN address

Once Internet Service is selected, no other object can be added

User or User Group

None

33.

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

Static routes are required to allow traffic to the next hop.

FortiGate forwards frames without changing the MAC address.

The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.

By default, all interfaces are part of the same broadcast domain.

34.

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

192.168.2.0/24

192.168.0.0/8

192.168.3.0/24

192.168.1.0/24

None

35.

Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. Which two statements are true? (Choose two.)

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Inter-VDOM links are not required between the Root and To-Internet VDOMs because the Root VDOM is used only as a management VDOM.

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

A static route is required on the To-Internet VDOM to allow LAN users to access the Internet.

36.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating override for the home page? (Choose two.)

www.example.com

www.example.com:443

example.com

www.example.com/index.html

37.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement a web filter category override for the specified website

Implement a DNS filter for the specified website.

Implement web filter quotas for the specified website

Implement web filter authentication for the specified website.

None

38.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Disable the RPF check at the FortiGate interface level for the reply check.

Enable asymmetric routing, so the RPF check will be bypassed.

Disable the RPF check at the FortiGate interface level for the source check.

Enable asymmetric routing at the interface level.

None

39.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

This is known as many-to-one NAT.

Source IP is translated to the outgoing interface IP.

Connections are tracked using source port and source MAC address.

Port address translation is not used.

40.

Refer to the exhibit. The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Authentication is enforced at a policy level; all users will be prompted for authentication.

If there is a fall-through policy in place, users will not be prompted for authentication.

None

41.

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

The strict RPF check is run on the first sent and reply packet of any new session

Strict RPF allows packets back to sources with all active routes

Strict RPF checks the best route back to the source using the incoming interface

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface

None

42.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Policy ID

Log ID

Sequence ID

Universally Unique Identifier

None

43.

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

Intrusion prevention

File filter

Antivirus scanning

DNS filter

44.

Refer to the exhibit. How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

45.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To encapsulation ESP packets in UDP packets using port 4500.

To force a new DH exchange with each phase 2 rekey.

To dynamically change phase 1 negotiation mode aggressive mode.

To delete intermediary NAT devices in the tunnel path.

46.

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

If the virus is detected, the last packet is delivered to the client

IPS engine handles the process as a standalone

Optimized performance compared to proxy-based inspection

FortiGate buffers the whole file but transmits to the client simultaneously

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection

47.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

The host field in the HTTP header

The server name indication (SNI) extension in the client hello message

The serial number in the server certificate

The subject field in the server certificate

The subject alternative name (SAN) field in the server certificate

48.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

NGFW mode

Operating mode

FortiGuard update servers

System time

49.

Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

The category of Apple FaceTime is being monitored.

The category of Apple FaceTime is being blocked.

Apple FaceTime belongs to the custom blocked filter.

Apple FaceTime belongs to the custom monitored filter.

None

50.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

Implement a DNS filter for the specified website.

Implement web filter quotas for the specified website.

Implement web filter authentication for the specified website.

Implement a web filter category override for the specified website.

None

51.

Which statement about the policy ID number of a firewall policy is true?

It defines the order in which rules are processed

It is required to modify a firewall policy using the CLI

It changes when firewall policies are reordered

It represents the number of objects used in the firewall policy

None

52.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

FortiGate SN FGVM010000065036 HA uptime has been reset.

53.

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

The client FortiGate requires a manually added route to remote subnets.

54.

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The IP version of the sources and destinations in a firewall policy must be different.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a policy must match.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

55.

Which scanning technique on FortiGate can be enabled only on the CLI?

Antivirus scan

Ransomware scan

Trojan scan

Heuristics scan

None

56.

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

Web application firewall

Application control

Antivirus

Denial of Service

None

57.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, FortiGate uses WINS servers to resolve names.

By default, split tunneling is enabled.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

None

58.

Refer to the exhibit. The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Change the SSL VPN portal to the tunnel.

Change the SSL VPN port on the client.

Change the idle-timeout.

Change the Server IP address.

None

59.

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?

There are network connectivity issues.

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

FortiGate does not support full SSL inspection when web filtering is enabled.

The browser requires a software update.

None

60.

Which two statements are true about the Security Fabric rating?

It provides executive summaries of the four largest areas of security focus

Many of the security issues can be fixed immediately by clicking Apply where available

The Security Fabric rating is a free service that comes bundled with all FortiGate devices

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply Cancel