NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Refer to the exhibit. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

This security fabric topology is a logical topology view.

Device detection is disabled on all FortiGate devices.

There are 19 security recommendations for the security fabric

There are five devices that are part of the security fabric.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Universally Unique Identifier

Policy ID

Sequence ID

Log ID

None

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

FortiGate does not support full SSL inspection when web filtering is enabled.

There are network connectivity issues.

The browser requires a software update.

None

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

FortiSIEM

FortiCache

FortiCloud

FortiAnalyzer

FortiSandbox

Examine the two static routes shown in the exhibit, then answer the following question. Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

FortiGate will only actuate the port1 route in the routing table

FortiGate will load balance all traffic across both routes.

FortiGate will route twice as much traffic to the port2 route

FortiGate will use the port1 route as the primary candidate.

None

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

FortiGate hostname

DNS

FortiGuard web filter cache

NTP

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Intrusion prevention system engine

Antivirus engine

Intrusion prevention system engine

None

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The issuer must be a public CA

The CA extension must be set to TRUE

The keyUsage extension must be set to keyCertSign

The common name on the subject field must use a wildcard name

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

FortiGate supports pre-shared key and signature as authentication methods.

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

A certificate is not required on the remote peer when you set the signature as the authentication method.

10.

Which statement regarding the firewall policy authentication timeout is true?

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

None

11.

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Overload NAT IP pool is used in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

Port block allocation IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

None

12.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the application category only.

It limits the scanning of application traffic to the DNS protocol only.

None

13.

Refer to the exhibit. Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

port1 is a native VLAN.

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

Traffic between port2 and port2-vlan1 is allowed by default.

port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

14.

Refer to the exhibit. Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.

Disable match-vip in the Deny policy.

Enable match-vip in the Deny policy.

Set the Destination address as Web_server in the Deny policy.

Set the Destination address as Deny_IP in the Allow-access policy.

15.

Refer to the exhibit showing a debug flow output. Which two statements about the debug flow output are correct? (Choose two.)

The debug flow is of ICMP traffic

A firewall policy allowed the connection

The default route is required to receive a reply

A new traffic session is created

16.

Refer to the exhibit. Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

Traffic matching the signature will be silently dropped and logged.

The signature setting uses a custom rating threshold.

The signature setting includes a group of other signatures.

Traffic matching the signature will be allowed and logged.

None

17.

In an explicit proxy setup, where is the authentication method and database configured?

Firewall Policy

Proxy Policy

Authentication scheme

Authentication Rule

None

18.

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

FortiGate uses the SMB protocol to read the event viewer logs from the DCs

FortiGate uses the AD server as the collector agent

FortiGate queries AD by using the LDAP to retrieve user group information

FortiGate points the collector agent to use a remote LDAP server

19.

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

set protocol udp

set webfilter-cache disable

set fortiguard-anycast disable

set webfilter-force-off disable

20.

Refer to the exhibit. The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

Enable two-factor authentication

Enable restrict access to trusted hosts

Change password

Change Administrator profile

None

21.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Volume

Spillover

Source IP

Session

22.

Which three statements are true regarding session-based authentication? (Choose three.)

It requires more resources.

It is not recommended if multiple users are behind the source NAT

IP sessions from the same source IP address are treated as a single user.

HTTP sessions are treated as a single user.

It can differentiate among multiple clients behind the same source IP address.

23.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

The SSL inspection needs to be a deep content inspection

Add Facebook in the URL category in the security policy

Additional application signatures are required to add to the security policy

Force access to Facebook using the HTTP service

None

24.

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

Forward traffic logs

Local traffic logs

Security logs

System event logs

None

25.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating override for the home page? (Choose two.)

www.example.com:443

www.example.com/index.html

example.com

www.example.com

26.

Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

There may not be a static route to route the performance SLA traffic.

Participants configured are not SD-WAN members.

You need to turn on the Enable probe packets switch.

The Ping protocol is not supported for the public servers that are configured.

None

27.

Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

The IPS engine was unable to prevent an intrusion attack

The IPS engine was blocking all traffic

The IPS engine will continue to run in a normal state

The IPS engine was inspecting high volume of traffic

None

28.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Fabric Connectors

Logical Topology

Automation Stitches

Security Rating

None

29.

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

Intrusion prevention

DNS filter

File filter

Antivirus scanning

30.

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

diagnose wad session list | grep "hook=pre"&"hook=out"

diagnose wad session list | grep hook=pre&&hook=out

diagnose wad session list | grep hook-pre&&hook-out

diagnose wad session list

None

31.

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The interface has been configured for one-arm sniffer.

Captive portal is enabled in the interface.

The interface is a member of a zone.

The interface is a member of a virtual wire pair.

The operation mode is transparent.

32.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Consider the topology:
Application on a Windows machine FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Create a new service object for TELNET and set the maximum session TTL.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

Set the maximum session TTL value for the TELNET service object.

33.

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.

FortiGate forwards frames without changing the MAC address.

By default, all interfaces are part of the same broadcast domain.

Static routes are required to allow traffic to the next hop.

34.

Refer to the exhibits to view the firewall policy and the antivirus profile. Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

The firewall policy performs the full content inspection on the file.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

The flow-based inspection is used, which resets the last packet to the user.

The volume of traffic being inspected is too high for this model of FortiGate.

None

35.

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

get system performance status

diagnose sys top

get system arp

get system status

None

36.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement web filter authentication for the specified website.

Implement a DNS filter for the specified website.

Implement web filter quotas for the specified website

Implement a web filter category override for the specified website

None

37.

Which three methods are used by the collector agent for AD polling? (Choose three.)

WMI

FortiGate polling

NetAPI

Novell API

WinSecLog

38.

Refer to the exhibits. Based on the system performance output, which two statements are correct? (Choose two.)

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Administrators cannot change the configuration

FortiGate will start sending all files to FortiSandbox for inspection

FortiGate has entered conserve mode

Administrators can access FortiGate only through the console port

39.

Which two statements are true about collector agent standard access mode? (Choose two.)

Standard mode security profiles apply to user groups.

Standard mode uses Windows convention-NetBios: Domain\Username.

Standard access mode supports nested groups.

Standard mode security profiles apply to organizational units (OU).

40.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.

The Services field removes the requirement of creating multiple VIPs for different services.

The Services field is used when several VIPs need to be bundled into VIP groups.

None

41.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

Connections are tracked using source port and source MAC address.

Source IP is translated to the outgoing interface IP.

This is known as many-to-one NAT.

Port address translation is not used.

42.

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Static IP Address

Dynamic DNS

Dialup User

Pre-shared Key

None

43.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

FortiGate automatically negotiates different local and remote addresses with the remote peer.

None

44.

Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two.)

Log severity is set to error on FortiGate.

This is a security log.

Traffic belongs to the root VDOM.

Traffic is blocked because Action is set to DENY in the firewall policy.

45.

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

The IP version of the sources and destinations in a policy must match.

The IP version of the sources and destinations in a firewall policy must be different.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

46.

Which two statements are true about the RPF check? (Choose two.)

The RPF check is run on the first sent and reply packet of any new session.

The RPF check is run on the first sent packet of any new session.

RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.

The RPF check is run on the first reply packet of any new session.

47.

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

Application control

Antivirus in flow-based inspection

Web filter in flow-based inspection

Web application firewall

DNS filter

48.

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

FortiTelemetry

SSH

FTM

HTTPS

49.

Refer to the exhibit to view the firewall policy. Which statement is correct if well-known viruses are not being blocked?

Web filter should be enabled on the firewall policy to complement the antivirus profile.

The firewall policy must be configured in proxy-based inspection mode.

The firewall policy does not apply deep content inspection.

The action on the firewall policy must be set to deny.

None

50.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

get system arp

diagnose sys top

execute ping

execute traceroute

diagnose sniffer packet any

51.

Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. Which two statements are true? (Choose two.)

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

A static route is required on the To-Internet VDOM to allow LAN users to access the Internet.

Inter-VDOM links are not required between the Root and To-Internet VDOMs because the Root VDOM is used only as a management VDOM.

52.

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

Antivirus definitions are not up to date

Application control is not enabled

Antivirus profile configuration is incorrect

SSL/SSH Inspection profile is incorrect

None

53.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

Implement a web filter category override for the specified website.

Implement web filter authentication for the specified website.

Implement web filter quotas for the specified website.

Implement a DNS filter for the specified website.

None

54.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Enable Dead Peer Detection.

55.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

auth-on-demand

Idle-timeout

new-session

hard-timeout

soft-timeout

56.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000064692 has the higher HA priority.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000065036 HA uptime has been reset.

57.

Refer to the exhibit. How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

58.

Which scanning technique on FortiGate can be enabled only on the CLI?

Heuristics scan

Trojan scan

Ransomware scan

Antivirus scan

None

59.

Refer to the exhibit. The exhibit shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

The sensor will block all attacks aimed at Windows servers

The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature

The sensor will gather a packet log for all matched traffic

The sensor will reset all connections that match these signatures

60.

Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

The port1 and port2 default routes are active in the routing table

There will be eight routes active in the routing table

The port3 default route has the lowest metric

The port3 default route has the highest distance

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply Cancel