NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

Only secondary FortiGate devices are rebooted.

Uninterruptable upgrade is enabled by default.

Traffic load balancing is temporally disabled while upgrading the firmware.

The firmware image must be manually uploaded to each FortiGate.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Volume

Source IP

Session

Spillover

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to the application category only.

It limits the scanning of application traffic to use parent signatures only.

None

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Enable Dead Peer Detection.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?

The session is a bidirectional UDP connection.

The session is a bidirectional TCP connection.

The session is a UDP unidirectional state.

The session is in TCP ESTABLISHED state.

None

Which two statements are correct about SLA targets? (Choose two.)

You can configure only two SLA targets per one Performance SLA.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

SLA targets are used only when referenced by an SD-WAN rule.

SLA targets are optional.

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

Credit card data leaks

Traffic to inappropriate web sites

SQL injection attacks

Server information disclosure attacks

Traffic to botnetservers

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

new-session

auth-on-demand

hard-timeout

soft-timeout

Idle-timeout

Based on the raw logs shown in the exhibit, which statement is correct?

Access to the social networking web filter category was explicitly blocked to all users.

Social networking web filter category is configured with the action set to authenticate.

The name of the firewall policy is all_users_web.

The action on firewall policy ID 1 is set to warning.

None

10.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000064692 has the higher HA priority.

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

11.

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

set webfilter-cache disable

set protocol udp

set webfilter-force-off disable

set fortiguard-anycast disable

12.

Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

Route-based authentication is enabled

Session-based authentication is enabled

Policy-based authentication is enabled

IP-based authentication is enabled

None

13.

An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?

VLAN interface

Software Switch interface

Redundant interface

Aggregate interface

None

14.

Refer to the exhibit. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

10.200.1.49

10.200.1.149

10.200.1.1

10.200.1.99

None

15.

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

The client FortiGate requires a manually added route to remote subnets.

16.

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

Log downloads from the GUI are stored as LZ4 compressed files

Log backups from the CLI can be configured to upload to FTP as a scheduled time

Log backups from the CLI cannot be restored to another FortiGate

Log downloads from the GUI are limited to the current filter view

17.

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

The public IP address of the FortiGate device.

remote user's public IP address

The remote user's virtual IP address.

The internal IP address of the FortiGate device.

None

18.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Logical Topology

Automation Stitches

Fabric Connectors

Security Rating

None

19.

Refer to the exhibit. The exhibit shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature

The sensor will reset all connections that match these signatures

The sensor will gather a packet log for all matched traffic

The sensor will block all attacks aimed at Windows servers

20.

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

FortiTelemetry

HTTPS

SSH

FTM

21.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates different local and remote addresses with the remote peer.

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

None

22.

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

Forward traffic logs

Security logs

Local traffic logs

System event logs

None

23.

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Policy rule

Security policy

Firewall policy

SSL inspection and authentication policy

24.

Which two statements are true about collector agent advanced mode? (Choose two.)

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

Advanced mode uses Windows convention-NetBios: Domain\Username.

Advanced mode supports nested or inherited groups.

Security profiles can be applied only to user groups, nor individual users.

25.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Consider the topology:
Application on a Windows machine FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

Create a new service object for TELNET and set the maximum session TTL.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Set the maximum session TTL value for the TELNET service object.

26.

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

File filter

DNS filter

Antivirus scanning

Intrusion prevention

27.

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Configure host check

Configure different SSL VPN realms

Configure split tunneling in tunnel mode

Configure Source IP Pools

None

28.

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

NGFW policy-based mode does not require the use of central source NAT policy

NGFW policy-based mode policies support only flow inspection

NGFW policy-based mode can only be applied globally and not on individual VDOMs

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

29.

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

The administrator can register the same FortiToken on more than one FortiGate.

The administrator can use a third-party radius OTP server.

The administrator must use the user self-registration server.

The administrator must use a FortiAuthenticator device.

None

30.

Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

To generate logs

To remove the NAT operation

To allow for out-of-order packets that could arrive after the FIN/ACK packets

To finish any inspection operations

None

31.

Which two types of traffic are managed only by the management VDOM? (Choose two.)

PKI

DNS

Traffic shaping

FortiGuard web filter queries

32.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

The primary device in the cluster is always assigned IP address 169.254.0.1

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster

Virtual IP addresses are used to distinguish between cluster members

Heartbeat interfaces have virtual IP addresses that are manually assigned

33.

Which two statements are true about the Security Fabric rating?

Many of the security issues can be fixed immediately by clicking Apply where available

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

The Security Fabric rating is a free service that comes bundled with all FortiGate devices

It provides executive summaries of the four largest areas of security focus

34.

Refer to the exhibit. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Device detection is disabled on all FortiGate devices.

There are 19 security recommendations for the security fabric

There are five devices that are part of the security fabric.

This security fabric topology is a logical topology view.

35.

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

DNS

NTP

FortiGate hostname

FortiGuard web filter cache

36.

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Flow-based inspection

Proxy-based inspection

Certificate inspection

Full Content inspection

37.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To encapsulation ESP packets in UDP packets using port 4500.

To dynamically change phase 1 negotiation mode aggressive mode.

To force a new DH exchange with each phase 2 rekey.

To delete intermediary NAT devices in the tunnel path.

38.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

By Sequence view will be disabled

Policy lookup will be disabled

Interface Pair view will be disabled

Search option will be disabled

None

39.

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

Strict RPF checks the best route back to the source using the incoming interface

Strict RPF allows packets back to sources with all active routes

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface

The strict RPF check is run on the first sent and reply packet of any new session

None

40.

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

Antivirus definitions are not up to date

Antivirus profile configuration is incorrect

Application control is not enabled

SSL/SSH Inspection profile is incorrect

None

41.

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

Set the TTL value to never under config system-ttl.

Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

Set the session TTL on the HTTP policy to maximum.

Create a new service object for HTTP service and set the session TTL to never.

42.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

Static URL filter, FortiGuard category filter, and advanced filters

FortiGuard category filter and rating filter

Static domain filter, SSL inspection filter, and external connectors filters

DNS-based web filter and proxy-based web filter

None

43.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating override for the home page? (Choose two.)

www.example.com/index.html

example.com

www.example.com:443

www.example.com

44.

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

192.168.2.0/24

192.168.1.0/24

192.168.3.0/24

192.168.0.0/8

None

45.

Which two statements are correct about a software switch on FortiGate? (Choose two.)

It can group only physical interfaces

It can be configured only when FortiGate is operating in NAT mode

Can act as a Layer 2 switch as well as a Layer 3 router

All interfaces in the software switch share the same IP address

46.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.

The Services field removes the requirement of creating multiple VIPs for different services.

The Services field is used when several VIPs need to be bundled into VIP groups.

None

47.

Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services. What CLI command must the administrator use to view the route?

get router info routing-table database

diagnose firewall proute list

get router info routing-table all

get internet service route list

None

48.

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?

FortiGate does not support full SSL inspection when web filtering is enabled.

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

The browser requires a software update.

There are network connectivity issues.

None

49.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

IP address

User or User Group

FQDN address

Once Internet Service is selected, no other object can be added

None

50.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Log ID

Policy ID

Universally Unique Identifier

Sequence ID

None

51.

Which statement regarding the firewall policy authentication timeout is true?

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

None

52.

Refer to the exhibits. Based on the system performance output, which two statements are correct? (Choose two.)

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Administrators cannot change the configuration

FortiGate has entered conserve mode

FortiGate will start sending all files to FortiSandbox for inspection

Administrators can access FortiGate only through the console port

53.

Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

The Ping protocol is not supported for the public servers that are configured.

There may not be a static route to route the performance SLA traffic.

You need to turn on the Enable probe packets switch.

Participants configured are not SD-WAN members.

None

54.

Which scanning technique on FortiGate can be enabled only on the CLI?

Ransomware scan

Heuristics scan

Trojan scan

Antivirus scan

None

55.

You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk. What is the default behavior when the local disk is full?

No new log is recorded until you manually clear logs from the local disk.

Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.

Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.

No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

None

56.

Which two statements about antivirus scanning mode are true? (Choose two.)

In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client

In flow-based inspection mode, files bigger than the buffer size are scanned

In proxy-based inspection mode, files bigger than the buffer size are scanned

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client

57.

Refer to the exhibit. Why did FortiGate drop the packet?

It failed the RPF check.

It matched an explicitly configured firewall policy with the action DENY.

The next-hop IP address is unreachable.

It matched the default implicit firewall policy.

None

58.

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Intrusion prevention system engine

Antivirus engine

None

59.

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?

The two VLAN sub interfaces must have different VLAN IDs.

The two VLAN sub interfaces can have the same VLAN ID only if they belong to different VDOMs.

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

The two VLAN sub interfaces can have the same VLAN ID only if they have IP addresses in different subnets.

None

60.

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

FG-Mgmt

FG-traffic

Mgmt

Root

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply Cancel