NSE4 v7 Practice Test – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Disable the RPF check at the FortiGate interface level for the source check.

Disable the RPF check at the FortiGate interface level for the reply check.

Enable asymmetric routing at the interface level.

Enable asymmetric routing, so the RPF check will be bypassed.

None

Which three methods are used by the collector agent for AD polling? (Choose three.)

WMI

WinSecLog

NetAPI

Novell API

FortiGate polling

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

The client FortiGate requires a manually added route to remote subnets.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Which two statements are true about the RPF check? (Choose two.)

The RPF check is run on the first sent and reply packet of any new session.

The RPF check is run on the first sent packet of any new session.

The RPF check is run on the first reply packet of any new session.

RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.

What are the two results of this configuration? (Choose two.)

An administrator has configured the following settings:
config system setting

set ses-denied-traffic enable

end

config system global

set block -session-timer 30

end

Denied users are blocked for 30 minutes.

A session for denied traffic is created

Device detection on all interfaces is enforced for 30 minutes

The number of logs generated by denied traffic is reduced

Refer to the exhibit. Why did FortiGate drop the packet?

It matched the default implicit firewall policy.

It matched an explicitly configured firewall policy with the action DENY.

The next-hop IP address is unreachable.

It failed the RPF check.

None

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.

By default, all interfaces are part of the same broadcast domain.

FortiGate forwards frames without changing the MAC address.

Static routes are required to allow traffic to the next hop.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

Operating mode

System time

FortiGuard update servers

NGFW mode

Examine the two static routes shown in the exhibit, then answer the following question. Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

FortiGate will use the port1 route as the primary candidate.

FortiGate will only actuate the port1 route in the routing table

FortiGate will load balance all traffic across both routes.

FortiGate will route twice as much traffic to the port2 route

None

10.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

Port address translation is not used.

Connections are tracked using source port and source MAC address.

This is known as many-to-one NAT.

Source IP is translated to the outgoing interface IP.

11.

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

FG-Mgmt

Root

FG-traffic

Mgmt

12.

Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?

The session is a UDP unidirectional state.

The session is a bidirectional UDP connection.

The session is a bidirectional TCP connection.

The session is in TCP ESTABLISHED state.

None

13.

In an explicit proxy setup, where is the authentication method and database configured?

Firewall Policy

Authentication scheme

Authentication Rule

Proxy Policy

None

14.

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

192.168.0.0/8

192.168.3.0/24

192.168.1.0/24

192.168.2.0/24

None

15.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

IP address

User or User Group

Once Internet Service is selected, no other object can be added

FQDN address

None

16.

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

A certificate is not required on the remote peer when you set the signature as the authentication method.

FortiGate supports pre-shared key and signature as authentication methods.

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

17.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

The subject field in the server certificate

The host field in the HTTP header

The server name indication (SNI) extension in the client hello message

The serial number in the server certificate

The subject alternative name (SAN) field in the server certificate

18.

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

set protocol udp

set webfilter-force-off disable

set fortiguard-anycast disable

set webfilter-cache disable

19.

What devices form the core of the security fabric?

Two FortiGate devices and one Forti Analyzer device

One FortiGate device and one Forti Analyzer device

One FortiGate device and one FortiManager device

Two FortiGate devices and one FortiManager device

None

20.

Refer to the FortiGuard connection debug output. Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

There is at least one server that lost packets consecutively.

A local FortiManager is one of the servers FortiGate communicates with.

One server was contacted to retrieve the contract information.

FortiGate is using default FortiGuard communication settings.

21.

Which two types of traffic are managed only by the management VDOM? (Choose two.)

Traffic shaping

PKI

DNS

FortiGuard web filter queries

22.

Which three statements are true regarding session-based authentication? (Choose three.)

It requires more resources.

It is not recommended if multiple users are behind the source NAT

It can differentiate among multiple clients behind the same source IP address.

IP sessions from the same source IP address are treated as a single user.

HTTP sessions are treated as a single user.

23.

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

Optimized performance compared to proxy-based inspection

IPS engine handles the process as a standalone

If the virus is detected, the last packet is delivered to the client

FortiGate buffers the whole file but transmits to the client simultaneously

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection

24.

In which two ways can RPF checking be disabled? (Choose two.)

Enable anti-replay in firewall policy.

Enable asymmetric routing.

Disable the RPF check at the FortiGate interface level for the source check.

Disable strict-src-check under system settings.

25.

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Full Content inspection

Flow-based inspection

Proxy-based inspection

Certificate inspection

26.

Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

The IPS engine was blocking all traffic

The IPS engine will continue to run in a normal state

The IPS engine was inspecting high volume of traffic

The IPS engine was unable to prevent an intrusion attack

None

27.

Which two statements are correct about SLA targets? (Choose two.)

SLA targets are used only when referenced by an SD-WAN rule.

SLA targets are optional.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

You can configure only two SLA targets per one Performance SLA.

28.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to the application category only.

None

29.

How does FortiGate act when using SSL VPN in web mode?

FortiGate acts as DNS server.

FortiGate acts as an FDS server.

FortiGate acts as router.

FortiGate acts as an HTTP reverse proxy.

None

30.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 has the higher HA priority.

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

31.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Enable Dead Peer Detection.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

32.

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

Denial of Service

Antivirus

Web application firewall

Application control

None

33.

Refer to the exhibit. Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

Traffic between port2 and port2-vlan1 is allowed by default.

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

port1 is a native VLAN.

34.

Refer to the exhibit. How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

35.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating override for the home page? (Choose two.)

www.example.com/index.html

www.example.com

example.com

www.example.com:443

36.

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

get system status

get system performance status

get system arp

diagnose sys top

None

37.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

On HQ-FortiGate, enable Auto-negotiate.

On HQ-FortiGate, set Encryption to AES256.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

On Remote-FortiGate, set Seconds to 43200.

None

38.

Which two statements are correct about a software switch on FortiGate? (Choose two.)

It can be configured only when FortiGate is operating in NAT mode

All interfaces in the software switch share the same IP address

It can group only physical interfaces

Can act as a Layer 2 switch as well as a Layer 3 router

39.

Which of statement is true about SSL VPN web mode?

The external network application sends data through the VPN.

The tunnel is up while the client is connected.

It supports a limited number of protocols.

It assigns a virtual IP address to the client.

None

40.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, FortiGate uses WINS servers to resolve names.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, split tunneling is enabled.

None

41.

IPS Engine is used by which three security features? (Choose three.)

Application control

Web application firewall

Antivirus in flow-based inspection

DNS filter

Web filter in flow-based inspection

42.

Refer to the exhibit to view the firewall policy. Which statement is correct if well-known viruses are not being blocked?

The action on the firewall policy must be set to deny.

The firewall policy must be configured in proxy-based inspection mode.

The firewall policy does not apply deep content inspection.

Web filter should be enabled on the firewall policy to complement the antivirus profile.

None

43.

Refer to the exhibit. The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

Enable restrict access to trusted hosts

Enable two-factor authentication

Change password

Change Administrator profile

None

44.

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

The administrator must use a FortiAuthenticator device.

The administrator can register the same FortiToken on more than one FortiGate.

The administrator must use the user self-registration server.

The administrator can use a third-party radius OTP server.

None

45.

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

The strict RPF check is run on the first sent and reply packet of any new session

Strict RPF allows packets back to sources with all active routes

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface

Strict RPF checks the best route back to the source using the incoming interface

None

46.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?

Implement web filter quotas for the specified website.

Implement web filter authentication for the specified website.

Implement a web filter category override for the specified website.

Implement a DNS filter for the specified website.

None

47.

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

Local traffic logs

Security logs

Forward traffic logs

System event logs

None

48.

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Destination NAT is disabled in the firewall policy

Overload NAT IP pool is used in the firewall policy

Port block allocation IP pool is used in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

None

49.

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

NTP

FortiGuard web filter cache

DNS

FortiGate hostname

50.

Refer to the exhibit. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

10.200.1.149

10.200.1.49

10.200.1.1

10.200.1.99

None

51.

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

Traffic to inappropriate web sites

SQL injection attacks

Traffic to botnetservers

Credit card data leaks

Server information disclosure attacks

52.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The keyUsage extension must be set to keyCertSign

The common name on the subject field must use a wildcard name

The CA extension must be set to TRUE

The issuer must be a public CA

53.

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

Log backups from the CLI cannot be restored to another FortiGate

Log downloads from the GUI are limited to the current filter view

Log backups from the CLI can be configured to upload to FTP as a scheduled time

Log downloads from the GUI are stored as LZ4 compressed files

54.

Which two statements are true about collector agent advanced mode? (Choose two.)

Advanced mode uses Windows convention-NetBios: Domain\Username.

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

Advanced mode supports nested or inherited groups.

Security profiles can be applied only to user groups, nor individual users.

55.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Universally Unique Identifier

Sequence ID

Log ID

Policy ID

None

56.

Refer to the exhibit. What should the administrator do next to troubleshoot the problem?

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.

Execute a debug flow.

Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”

Capture the traffic using an external sniffer connected to port1.

Run a sniffer on the web server.

None

57.

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The interface is a member of a virtual wire pair.

Captive portal is enabled in the interface.

The operation mode is transparent.

The interface has been configured for one-arm sniffer.

The interface is a member of a zone.

58.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Security Rating

Logical Topology

Fabric Connectors

Automation Stitches

None

59.

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Dynamic DNS

Dialup User

Pre-shared Key

Static IP Address

None

60.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

Policy lookup will be disabled

By Sequence view will be disabled

Search option will be disabled

Interface Pair view will be disabled

None

Time's up

2 Comments

Lijo says:

November 6, 2022 at 12:28 pm

after submit ,need to show the correct answers

Organ says:

September 4, 2022 at 11:57 am

I took NSE4 few days before and Passed. Many question from this Quiz are in Exam. Recommend to take this practice test along with Guide. Quite helpful.
Thank You Practonet 🙂

Leave a Reply to Organ Cancel