NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to the application category only.

It limits the scanning of application traffic to use parent signatures only.

None

Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

The category of Apple FaceTime is being blocked.

Apple FaceTime belongs to the custom blocked filter.

The category of Apple FaceTime is being monitored.

Apple FaceTime belongs to the custom monitored filter.

None

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

IP address

No other object can be added

User or User Group

FQDN address

None

Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

To allow for out-of-order packets that could arrive after the FIN/ACK packets

To finish any inspection operations

To generate logs

To remove the NAT operation

None

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Sequence ID

Log ID

Policy ID

Universally Unique Identifier

None

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

NTP

FortiGuard web filter cache

FortiGate hostname

DNS

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

Security Posture

Optimization

Fabric Coverage

Automated Response

None

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

Idle-timeout

soft-timeout

new-session

auth-on-demand

hard-timeout

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

Strict RPF allows packets back to sources with all active routes

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface

Strict RPF checks the best route back to the source using the incoming interface

The strict RPF check is run on the first sent and reply packet of any new session

None

10.

Refer to the exhibit. Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

Traffic matching the signature will be silently dropped and logged.

The signature setting uses a custom rating threshold.

The signature setting includes a group of other signatures.

Traffic matching the signature will be allowed and logged.

None

11.

Which two statements are true about collector agent standard access mode? (Choose two.)

Standard mode uses Windows convention-NetBios: Domain\Username.

Standard access mode supports nested groups.

Standard mode security profiles apply to user groups.

Standard mode security profiles apply to organizational units (OU).

12.

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

192.168.2.0/24

192.168.0.0/8

192.168.3.0/24

192.168.1.0/24

None

13.

Which statement regarding the firewall policy authentication timeout is true?

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

None

14.

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

FortiSIEM

FortiSandbox

FortiCache

FortiCloud

FortiAnalyzer

15.

IPS Engine is used by which three security features? (Choose three.)

DNS filter

Antivirus in flow-based inspection

Web filter in flow-based inspection

Web application firewall

Application control

16.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

This is known as many-to-one NAT.

Connections are tracked using source port and source MAC address.

Source IP is translated to the outgoing interface IP.

Port address translation is not used.

17.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Source IP

Volume

Session

Spillover

18.

What devices form the core of the security fabric?

One FortiGate device and one FortiManager device

Two FortiGate devices and one Forti Analyzer device

Two FortiGate devices and one FortiManager device

One FortiGate device and one Forti Analyzer device

None

19.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Virtual IP addresses are used to distinguish between cluster members

The primary device in the cluster is always assigned IP address 169.254.0.1

Heartbeat interfaces have virtual IP addresses that are manually assigned

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster

20.

Refer to the exhibits. Based on the system performance output, which two statements are correct? (Choose two.)

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

FortiGate will start sending all files to FortiSandbox for inspection

FortiGate has entered conserve mode

Administrators cannot change the configuration

Administrators can access FortiGate only through the console port

21.

Refer to the exhibit. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

10.200.1.99

10.200.1.149

10.200.1.1

10.200.1.49

None

22.

Which three statements are true regarding session-based authentication? (Choose three.)

It can differentiate among multiple clients behind the same source IP address.

It is not recommended if multiple users are behind the source NAT

IP sessions from the same source IP address are treated as a single user.

HTTP sessions are treated as a single user.

It requires more resources.

23.

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Configure split tunneling in tunnel mode

Configure different SSL VPN realms

Configure host check

Configure Source IP Pools

None

24.

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

Antivirus scanning

DNS filter

File filter

Intrusion prevention

25.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

On HQ-FortiGate, enable Diffie-Hellman Group 2.

On HQ-FortiGate, set Encryption to AES256.

On HQ-FortiGate, enable Auto-negotiate.

On Remote-FortiGate, set Seconds to 43200.

None

26.

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Certificate inspection

Full Content inspection

Flow-based inspection

Proxy-based inspection

None

27.

Which statement about the policy ID number of a firewall policy is true?

It is required to modify a firewall policy using the CLI

It represents the number of objects used in the firewall policy

It changes when firewall policies are reordered

It defines the order in which rules are processed

None

28.

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The operation mode is transparent.

The interface is a member of a virtual wire pair.

The interface has been configured for one-arm sniffer.

The interface is a member of a zone.

Captive portal is enabled in the interface.

29.

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

get system status

get system arp

diagnose sys top

get system performance status

None

30.

Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

The port3 default route has the lowest metric

The port3 default route has the highest distance

The port1 and port2 default routes are active in the routing table

There will be eight routes active in the routing table

31.

What are the two results of this configuration? (Choose two.)

An administrator has configured the following settings:
config system setting

set ses-denied-traffic enable

end

config system global

set block -session-timer 30

end

A session for denied traffic is created

The number of logs generated by denied traffic is reduced

Device detection on all interfaces is enforced for 30 minutes

Denied users are blocked for 30 minutes.

32.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

The serial number in the server certificate

The subject field in the server certificate

The host field in the HTTP header

The subject alternative name (SAN) field in the server certificate

The server name indication (SNI) extension in the client hello message

33.

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

Web application firewall

Application control

Antivirus

Denial of Service

None

34.

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Intrusion prevention system engine

Antivirus engine

None

35.

Refer to the exhibit. An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)

Packet payload

Interface name

Ethernet header

IP header

Application header

36.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, FortiGate uses WINS servers to resolve names.

By default, split tunneling is enabled.

None

37.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

System time

Operating mode

FortiGuard update servers

NGFW mode

38.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

By Sequence view will be disabled

Policy lookup will be disabled

Search option will be disabled

Interface Pair view will be disabled

None

39.

Refer to the exhibit. The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Authentication is enforced at a policy level; all users will be prompted for authentication.

If there is a fall-through policy in place, users will not be prompted for authentication.

None

40.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 has the higher HA priority.

41.

Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?

The session is a bidirectional UDP connection.

The session is in TCP ESTABLISHED state.

The session is a UDP unidirectional state.

The session is a bidirectional TCP connection.

None

42.

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?

On Demand

On Idle

Enabled

Disabled

None

43.

What is the primary FortiGate election process when the HA override setting is disabled?

Connected monitored ports > System uptime > Priority > FortiGate Serial number

Connected monitored ports > Priority > HA uptime > FortiGate Serial number

Connected monitored ports > Priority > System uptime > FortiGate Serial number

Connected monitored ports > HA uptime > Priority > FortiGate Serial number

None

44.

Refer to the exhibits to view the firewall policy and the antivirus profile. Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

The flow-based inspection is used, which resets the last packet to the user.

The volume of traffic being inspected is too high for this model of FortiGate.

The firewall policy performs the full content inspection on the file.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

None

45.

In an explicit proxy setup, where is the authentication method and database configured?

Firewall Policy

Authentication scheme

Authentication Rule

Proxy Policy

None

46.

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

Root VDOM

FG-traffic VDOM

Customer VDOM

Global VDOM

None

47.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

diagnose sniffer packet any

execute ping

get system arp

execute traceroute

diagnose sys top

48.

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

FortiGate uses the AD server as the collector agent

FortiGate queries AD by using the LDAP to retrieve user group information

FortiGate uses the SMB protocol to read the event viewer logs from the DCs

FortiGate points the collector agent to use a remote LDAP server

49.

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

Log backups from the CLI can be configured to upload to FTP as a scheduled time

Log backups from the CLI cannot be restored to another FortiGate

Log downloads from the GUI are stored as LZ4 compressed files

Log downloads from the GUI are limited to the current filter view

50.

Which scanning technique on FortiGate can be enabled only on the CLI?

Antivirus scan

Trojan scan

Ransomware scan

Heuristics scan

None

51.

In which two ways can RPF checking be disabled? (Choose two.)

Disable the RPF check at the FortiGate interface level for the source check.

Disable strict-src-check under system settings.

Enable anti-replay in firewall policy.

Enable asymmetric routing.

52.

Refer to the exhibit. What should the administrator do next to troubleshoot the problem?

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.

Execute a debug flow.

Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”

Run a sniffer on the web server.

Capture the traffic using an external sniffer connected to port1.

None

53.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The CA extension must be set to TRUE

The issuer must be a public CA

The common name on the subject field must use a wildcard name

The keyUsage extension must be set to keyCertSign

54.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates different local and remote addresses with the remote peer.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

None

55.

Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two.)

Log severity is set to error on FortiGate.

Traffic belongs to the root VDOM.

This is a security log.

Traffic is blocked because Action is set to DENY in the firewall policy.

56.

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Port block allocation IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

Overload NAT IP pool is used in the firewall policy

None

57.

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

Application control is not enabled

Antivirus definitions are not up to date

Antivirus profile configuration is incorrect

SSL/SSH Inspection profile is incorrect

None

58.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To delete intermediary NAT devices in the tunnel path.

To force a new DH exchange with each phase 2 rekey.

To encapsulation ESP packets in UDP packets using port 4500.

To dynamically change phase 1 negotiation mode aggressive mode.

59.

Refer to the exhibit. How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

60.

Which two statements are true about collector agent advanced mode? (Choose two.)

Security profiles can be applied only to user groups, nor individual users.

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

Advanced mode supports nested or inherited groups.

Advanced mode uses Windows convention-NetBios: Domain\Username.

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply Cancel