NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Refer to the exhibit. Why did FortiGate drop the packet?

It matched the default implicit firewall policy.

It failed the RPF check.

The next-hop IP address is unreachable.

It matched an explicitly configured firewall policy with the action DENY.

Refer to the exhibit. The exhibit shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

The sensor will block all attacks aimed at Windows servers

The sensor will gather a packet log for all matched traffic

The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature

The sensor will reset all connections that match these signatures

Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?

The session is a bidirectional TCP connection.

The session is in TCP ESTABLISHED state.

The session is a bidirectional UDP connection.

The session is a UDP unidirectional state.

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The interface is a member of a zone.

Captive portal is enabled in the interface.

The interface has been configured for one-arm sniffer.

The operation mode is transparent.

The interface is a member of a virtual wire pair.

What devices form the core of the security fabric?

One FortiGate device and one FortiManager device

Two FortiGate devices and one Forti Analyzer device

Two FortiGate devices and one FortiManager device

One FortiGate device and one Forti Analyzer device

Refer to the exhibit. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

There are five devices that are part of the security fabric.

Device detection is disabled on all FortiGate devices.

This security fabric topology is a logical topology view.

There are 19 security recommendations for the security fabric

Which two statements are true about the Security Fabric rating?

It provides executive summaries of the four largest areas of security focus

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

Many of the security issues can be fixed immediately by clicking Apply where available

The Security Fabric rating is a free service that comes bundled with all FortiGate devices

Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two.)

This is a security log.

Traffic belongs to the root VDOM.

Log severity is set to error on FortiGate.

Traffic is blocked because Action is set to DENY in the firewall policy.

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

Credit card data leaks

Server information disclosure attacks

Traffic to inappropriate web sites

Traffic to botnetservers

SQL injection attacks

10.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

Operating mode

NGFW mode

System time

FortiGuard update servers

11.

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Port block allocation IP pool is used in the firewall policy

Overload NAT IP pool is used in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

12.

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

User or User Group

No other object can be added

IP address

FQDN address

13.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile UI proxy-based inspection mode? (Choose two.)

Exempt

Allow

Learn

Warning

14.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

On HQ-FortiGate, set Encryption to AES256.

On HQ-FortiGate, enable Auto-negotiate.

On Remote-FortiGate, set Seconds to 43200.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

15.

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?

On Demand

Enabled

On Idle

Disabled

16.

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

Web filter in flow-based inspection

Application control

DNS filter

Antivirus in flow-based inspection

Web application firewall

17.

An organization's employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

Change the login-timeout.

Change the idle-timeout.

Change the udp-idle-timer.

Change the session-ttl.

18.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

new-session

hard-timeout

auth-on-demand

soft-timeout

Idle-timeout

19.

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Certificate inspection

Full Content inspection

Proxy-based inspection

Flow-based inspection

20.

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

FortiSandbox

FortiCache

FortiSIEM

FortiAnalyzer

FortiCloud

21.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to the application category only.

22.

Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

The category of Apple FaceTime is being blocked.

Apple FaceTime belongs to the custom blocked filter.

The category of Apple FaceTime is being monitored.

Apple FaceTime belongs to the custom monitored filter.

23.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Enable asymmetric routing at the interface level.

Disable the RPF check at the FortiGate interface level for the reply check.

Enable asymmetric routing, so the RPF check will be bypassed.

Disable the RPF check at the FortiGate interface level for the source check.

24.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

Add Facebook in the URL category in the security policy

The SSL inspection needs to be a deep content inspection

Force access to Facebook using the HTTP service

Additional application signatures are required to add to the security policy

25.

Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

The port1 and port2 default routes are active in the routing table

The port3 default route has the highest distance

The port3 default route has the lowest metric

There will be eight routes active in the routing table

26.

Refer to the exhibit. Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

The signature setting includes a group of other signatures.

Traffic matching the signature will be silently dropped and logged.

Traffic matching the signature will be allowed and logged.

The signature setting uses a custom rating threshold.

27.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

FQDN address

Once Internet Service is selected, no other object can be added

IP address

User or User Group

28.

Which statement regarding the firewall policy authentication timeout is true?

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

29.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

Implement a web filter category override for the specified website.

Implement web filter quotas for the specified website.

Implement web filter authentication for the specified website.

Implement a DNS filter for the specified website.

30.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement a web filter category override for the specified website

Implement web filter authentication for the specified website.

Implement web filter quotas for the specified website

Implement a DNS filter for the specified website.

31.

IPS Engine is used by which three security features? (Choose three.)

Web filter in flow-based inspection

Application control

DNS filter

Web application firewall

Antivirus in flow-based inspection

32.

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.

Static routes are required to allow traffic to the next hop.

By default, all interfaces are part of the same broadcast domain.

FortiGate forwards frames without changing the MAC address.

33.

How do you format the FortiGate flash disk?

Load a debug FortiOS image.

Load the hardware test (HQIP) image.

Execute the CLI command execute formatlogdisk.

Select the format boot device option from the BIOS menu.

34.

Which two statements are true about collector agent standard access mode? (Choose two.)

Standard access mode supports nested groups.

Standard mode security profiles apply to organizational units (OU).

Standard mode security profiles apply to user groups.

Standard mode uses Windows convention-NetBios: Domain\Username.

35.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

Create a new service object for TELNET and set the maximum session TTL.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

Set the maximum session TTL value for the TELNET service object.

36.

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

Uninterruptable upgrade is enabled by default.

The firmware image must be manually uploaded to each FortiGate.

Only secondary FortiGate devices are rebooted.

Traffic load balancing is temporally disabled while upgrading the firmware.

37.

How does FortiGate act when using SSL VPN in web mode?

FortiGate acts as an FDS server.

FortiGate acts as an HTTP reverse proxy.

FortiGate acts as router.

FortiGate acts as DNS server.

38.

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

The NetSessionEnum function is used to track user logouts.

The collector agent must search security event logs.

The collector agent uses a Windows API to query DCs for user logins.

NetAPI polling can increase bandwidth usage in large networks.

39.

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

If the virus is detected, the last packet is delivered to the client

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection

IPS engine handles the process as a standalone

Optimized performance compared to proxy-based inspection

FortiGate buffers the whole file but transmits to the client simultaneously

40.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Source IP

Volume

Session

Spillover

41.

Examine the two static routes shown in the exhibit, then answer the following question. Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

FortiGate will only actuate the port1 route in the routing table

FortiGate will route twice as much traffic to the port2 route

FortiGate will load balance all traffic across both routes.

FortiGate will use the port1 route as the primary candidate.

42.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

execute traceroute

execute ping

diagnose sniffer packet any

diagnose sys top

get system arp

43.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, split tunneling is enabled.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

By default, FortiGate uses WINS servers to resolve names.

44.

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The IP version of the sources and destinations in a policy must match.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a firewall policy must be different.

45.

In an explicit proxy setup, where is the authentication method and database configured?

Authentication scheme

Firewall Policy

Proxy Policy

Authentication Rule

46.

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

NGFW policy-based mode policies support only flow inspection

NGFW policy-based mode can only be applied globally and not on individual VDOMs

NGFW policy-based mode does not require the use of central source NAT policy

47.

Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. Which two statements are true? (Choose two.)

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

A static route is required on the To-Internet VDOM to allow LAN users to access the Internet.

Inter-VDOM links are not required between the Root and To-Internet VDOMs because the Root VDOM is used only as a management VDOM.

48.

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

Global VDOM

FG-traffic VDOM

Root VDOM

Customer VDOM

49.

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

192.168.0.0/8

192.168.2.0/24

192.168.3.0/24

192.168.1.0/24

50.

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

diagnose wad session list | grep hook=pre&&hook=out

diagnose wad session list | grep "hook=pre"&"hook=out"

diagnose wad session list | grep hook-pre&&hook-out

diagnose wad session list

51.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

The subject field in the server certificate

The host field in the HTTP header

The subject alternative name (SAN) field in the server certificate

The server name indication (SNI) extension in the client hello message

The serial number in the server certificate

52.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

Connections are tracked using source port and source MAC address.

Source IP is translated to the outgoing interface IP.

Port address translation is not used.

This is known as many-to-one NAT.

53.

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

FG-Mgmt

Mgmt

Root

FG-traffic

54.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The CA extension must be set to TRUE

The issuer must be a public CA

The common name on the subject field must use a wildcard name

The keyUsage extension must be set to keyCertSign

55.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate SN FGVM010000064692 has the higher HA priority.

FortiGate devices are not in sync because one device is down.

56.

Refer to the exhibit. Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.

Set the Destination address as Deny_IP in the Allow-access policy.

Set the Destination address as Web_server in the Deny policy.

Disable match-vip in the Deny policy.

Enable match-vip in the Deny policy.

57.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To delete intermediary NAT devices in the tunnel path.

To dynamically change phase 1 negotiation mode aggressive mode.

To force a new DH exchange with each phase 2 rekey.

To encapsulation ESP packets in UDP packets using port 4500.

58.

Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services. What CLI command must the administrator use to view the route?

diagnose firewall proute list

get internet service route list

get router info routing-table database

get router info routing-table all

59.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Enable Dead Peer Detection.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

60.

Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

Policy-based authentication is enabled

IP-based authentication is enabled

Route-based authentication is enabled

Session-based authentication is enabled

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply Cancel