NSE4 v7 – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7

Total Question: 130

Question per Quiz: 60

Updated On: 15 May 2022

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The operation mode is transparent.

Captive portal is enabled in the interface.

The interface is a member of a virtual wire pair.

The interface is a member of a zone.

The interface has been configured for one-arm sniffer.

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

FG-traffic

FG-Mgmt

Mgmt

Root

An organization's employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

Change the session-ttl.

Change the idle-timeout.

Change the login-timeout.

Change the udp-idle-timer.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

Interface Pair view will be disabled

By Sequence view will be disabled

Policy lookup will be disabled

Search option will be disabled

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

Traffic to inappropriate web sites

Credit card data leaks

Traffic to botnetservers

Server information disclosure attacks

SQL injection attacks

Which of statement is true about SSL VPN web mode?

It assigns a virtual IP address to the client.

The external network application sends data through the VPN.

The tunnel is up while the client is connected.

It supports a limited number of protocols.

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

System event logs

Forward traffic logs

Security logs

Local traffic logs

Refer to the exhibit. An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)

Application header

Ethernet header

IP header

Packet payload

Interface name

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

FortiGate devices are not in sync because one device is down.

10.

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

A certificate is not required on the remote peer when you set the signature as the authentication method.

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

FortiGate supports pre-shared key and signature as authentication methods.

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

11.

Refer to the FortiGuard connection debug output. Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

There is at least one server that lost packets consecutively.

One server was contacted to retrieve the contract information.

A local FortiManager is one of the servers FortiGate communicates with.

FortiGate is using default FortiGuard communication settings.

12.

Refer to the exhibit. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

10.200.1.99

10.200.1.49

10.200.1.1

10.200.1.149

13.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Heartbeat interfaces have virtual IP addresses that are manually assigned

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster

The primary device in the cluster is always assigned IP address 169.254.0.1

Virtual IP addresses are used to distinguish between cluster members

14.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

Search option will be disabled

Policy lookup will be disabled

Interface Pair view will be disabled

By Sequence view will be disabled

15.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To dynamically change phase 1 negotiation mode aggressive mode.

To force a new DH exchange with each phase 2 rekey.

To encapsulation ESP packets in UDP packets using port 4500.

To delete intermediary NAT devices in the tunnel path.

16.

What devices form the core of the security fabric?

One FortiGate device and one FortiManager device

Two FortiGate devices and one FortiManager device

Two FortiGate devices and one Forti Analyzer device

One FortiGate device and one Forti Analyzer device

17.

Which three statements are true regarding session-based authentication? (Choose three.)

It is not recommended if multiple users are behind the source NAT

HTTP sessions are treated as a single user.

IP sessions from the same source IP address are treated as a single user.

It can differentiate among multiple clients behind the same source IP address.

It requires more resources.

18.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

The SSL inspection needs to be a deep content inspection

Add Facebook in the URL category in the security policy

Additional application signatures are required to add to the security policy

Force access to Facebook using the HTTP service

19.

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

IP address

No other object can be added

FQDN address

User or User Group

20.

Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

Policy-based authentication is enabled

Route-based authentication is enabled

IP-based authentication is enabled

Session-based authentication is enabled

21.

Which two statements are true about collector agent standard access mode? (Choose two.)

Standard access mode supports nested groups.

Standard mode security profiles apply to organizational units (OU).

Standard mode security profiles apply to user groups.

Standard mode uses Windows convention-NetBios: Domain\Username.

22.

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

DNS

FortiGuard web filter cache

FortiGate hostname

NTP

23.

Refer to the exhibit. The exhibit shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

The sensor will reset all connections that match these signatures

The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature

The sensor will gather a packet log for all matched traffic

The sensor will block all attacks aimed at Windows servers

24.

Which statement about the policy ID number of a firewall policy is true?

It is required to modify a firewall policy using the CLI

It represents the number of objects used in the firewall policy

It defines the order in which rules are processed

It changes when firewall policies are reordered

25.

Refer to the exhibit showing a debug flow output. Which two statements about the debug flow output are correct? (Choose two.)

The debug flow is of ICMP traffic

A firewall policy allowed the connection

A new traffic session is created

The default route is required to receive a reply

26.

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

The administrator must use the user self-registration server.

The administrator can register the same FortiToken on more than one FortiGate.

The administrator must use a FortiAuthenticator device.

The administrator can use a third-party radius OTP server.

27.

Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

The category of Apple FaceTime is being monitored.

The category of Apple FaceTime is being blocked.

Apple FaceTime belongs to the custom blocked filter.

Apple FaceTime belongs to the custom monitored filter.

28.

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Add user accounts to the Ignore User List

Add user accounts to the FortiGate group filter

Add the support of NTLM authentication

Add user accounts to Active Directory (AD)

29.

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

Application control is not enabled

Antivirus profile configuration is incorrect

SSL/SSH Inspection profile is incorrect

Antivirus definitions are not up to date

30.

Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

The IPS engine will continue to run in a normal state

The IPS engine was blocking all traffic

The IPS engine was unable to prevent an intrusion attack

The IPS engine was inspecting high volume of traffic

31.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

FortiGuard category filter and rating filter

DNS-based web filter and proxy-based web filter

Static domain filter, SSL inspection filter, and external connectors filters

Static URL filter, FortiGuard category filter, and advanced filters

32.

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

Antivirus in flow-based inspection

Application control

DNS filter

Web application firewall

Web filter in flow-based inspection

33.

Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

The Ping protocol is not supported for the public servers that are configured.

Participants configured are not SD-WAN members.

There may not be a static route to route the performance SLA traffic.

You need to turn on the Enable probe packets switch.

34.

Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services. What CLI command must the administrator use to view the route?

get router info routing-table database

get internet service route list

diagnose firewall proute list

get router info routing-table all

35.

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Proxy-based inspection

Flow-based inspection

Certificate inspection

Full Content inspection

36.

Refer to the exhibit. The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

Enable two-factor authentication

Enable restrict access to trusted hosts

Change password

Change Administrator profile

37.

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

diagnose sys top

get system performance status

get system status

get system arp

38.

Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?

The session is a bidirectional UDP connection.

The session is a bidirectional TCP connection.

The session is in TCP ESTABLISHED state.

The session is a UDP unidirectional state.

39.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Fabric Connectors

Logical Topology

Security Rating

Automation Stitches

40.

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

Highest to lowest priority defined in the firewall policy.

Source defined as Internet Services in the firewall policy.

Services defined in the firewall policy.

Lowest to highest policy ID number.

Destination defined as Internet Services in the firewall policy.

41.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The issuer must be a public CA

The CA extension must be set to TRUE

The keyUsage extension must be set to keyCertSign

The common name on the subject field must use a wildcard name

42.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

auth-on-demand

soft-timeout

hard-timeout

Idle-timeout

new-session

43.

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Traffic shaping

DNS

PKI

FortiGuard web filter queries

44.

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Security policy

Firewall policy

SSL inspection and authentication policy

Policy rule

45.

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface

The strict RPF check is run on the first sent and reply packet of any new session

Strict RPF checks the best route back to the source using the incoming interface

Strict RPF allows packets back to sources with all active routes

46.

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

The client FortiGate requires a manually added route to remote subnets.

Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

47.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Disable the RPF check at the FortiGate interface level for the source check.

Enable asymmetric routing at the interface level.

Enable asymmetric routing, so the RPF check will be bypassed.

Disable the RPF check at the FortiGate interface level for the reply check.

48.

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

The internal IP address of the FortiGate device.

remote user's public IP address

The public IP address of the FortiGate device.

The remote user's virtual IP address.

49.

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?

There are network connectivity issues.

The browser requires a software update.

FortiGate does not support full SSL inspection when web filtering is enabled.

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

50.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

User or User Group

Once Internet Service is selected, no other object can be added

IP address

FQDN address

51.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement a DNS filter for the specified website.

Implement a web filter category override for the specified website

Implement web filter authentication for the specified website.

Implement web filter quotas for the specified website

52.

Refer to the exhibit. Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.

10.200.1.10

10.200.3.1

10.200.1.100

10.200.1.1

53.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Session

Volume

Spillover

Source IP

54.

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

Only secondary FortiGate devices are rebooted.

Uninterruptable upgrade is enabled by default.

The firmware image must be manually uploaded to each FortiGate.

Traffic load balancing is temporally disabled while upgrading the firmware.

55.

Refer to the exhibit. How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

56.

Which two statements are true about collector agent advanced mode? (Choose two.)

Advanced mode uses Windows convention-NetBios: Domain\Username.

Advanced mode supports nested or inherited groups.

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

Security profiles can be applied only to user groups, nor individual users.

57.

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

set protocol udp

set fortiguard-anycast disable

set webfilter-force-off disable

set webfilter-cache disable

58.

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Configure Source IP Pools

Configure different SSL VPN realms

Configure split tunneling in tunnel mode

Configure host check

59.

Which two statements are correct about SLA targets? (Choose two.)

SLA targets are optional.

You can configure only two SLA targets per one Performance SLA.

SLA targets are used only when referenced by an SD-WAN rule.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

60.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile UI proxy-based inspection mode? (Choose two.)