NSE4 v7 – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Which two statements are correct about SLA targets? (Choose two.)

You can configure only two SLA targets per one Performance SLA.

SLA targets are optional.

SLA targets are used only when referenced by an SD-WAN rule.

SLA targets are required for SD-WAN rules with a Best Quality strategy.

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

FortiGate hostname

DNS

NTP

FortiGuard web filter cache

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Consider the topology:
Application on a Windows machine FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

Set the maximum session TTL value for the TELNET service object.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

Create a new service object for TELNET and set the maximum session TTL.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Dead Peer Detection.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

Add Facebook in the URL category in the security policy

The SSL inspection needs to be a deep content inspection

Force access to Facebook using the HTTP service

Additional application signatures are required to add to the security policy

None

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

execute ping

diagnose sniffer packet any

diagnose sys top

execute traceroute

get system arp

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Dialup User

Dynamic DNS

Pre-shared Key

Static IP Address

None

An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?

idle-timeout

soft-timeout

auth-on-demand

new-session

hard-timeout

None

Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

Apple FaceTime belongs to the custom blocked filter.

The category of Apple FaceTime is being blocked.

Apple FaceTime belongs to the custom monitored filter.

The category of Apple FaceTime is being monitored.

None

10.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement web filter authentication for the specified website.

Implement a web filter category override for the specified website

Implement a DNS filter for the specified website.

Implement web filter quotas for the specified website

None

11.

An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?

Aggregate interface

Redundant interface

VLAN interface

Software Switch interface

None

12.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

The Services field removes the requirement of creating multiple VIPs for different services.

The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.

The Services field is used when several VIPs need to be bundled into VIP groups.

None

13.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

Virtual IP addresses are used to distinguish between cluster members

The primary device in the cluster is always assigned IP address 169.254.0.1

Heartbeat interfaces have virtual IP addresses that are manually assigned

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster

14.

Refer to the exhibit. The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

If there is a fall-through policy in place, users will not be prompted for authentication.

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

Authentication is enforced at a policy level; all users will be prompted for authentication.

None

15.

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Configure Source IP Pools

Configure split tunneling in tunnel mode

Configure host check

Configure different SSL VPN realms

None

16.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the application category only.

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the DNS protocol only.

None

17.

IPS Engine is used by which three security features? (Choose three.)

Web application firewall

Antivirus in flow-based inspection

DNS filter

Application control

Web filter in flow-based inspection

18.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

new-session

auth-on-demand

soft-timeout

Idle-timeout

hard-timeout

19.

Which two types of traffic are managed only by the management VDOM? (Choose two.)

FortiGuard web filter queries

DNS

Traffic shaping

PKI

20.

Refer to the exhibit. Why did FortiGate drop the packet?

It matched the default implicit firewall policy.

It matched an explicitly configured firewall policy with the action DENY.

The next-hop IP address is unreachable.

It failed the RPF check.

None

21.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

By default, FortiGate uses WINS servers to resolve names.

By default, split tunneling is enabled.

None

22.

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

192.168.0.0/8

192.168.2.0/24

192.168.1.0/24

192.168.3.0/24

None

23.

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Policy rule

Firewall policy

Security policy

SSL inspection and authentication policy

24.

Refer to the exhibit. Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.

Set the Destination address as Web_server in the Deny policy.

Disable match-vip in the Deny policy.

Set the Destination address as Deny_IP in the Allow-access policy.

Enable match-vip in the Deny policy.

25.

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

The administrator must use the user self-registration server.

The administrator can use a third-party radius OTP server.

The administrator must use a FortiAuthenticator device.

The administrator can register the same FortiToken on more than one FortiGate.

None

26.

How does FortiGate act when using SSL VPN in web mode?

FortiGate acts as an HTTP reverse proxy.

FortiGate acts as router.

FortiGate acts as DNS server.

FortiGate acts as an FDS server.

None

27.

Which of statement is true about SSL VPN web mode?

It supports a limited number of protocols.

It assigns a virtual IP address to the client.

The external network application sends data through the VPN.

The tunnel is up while the client is connected.

None

28.

Which statement regarding the firewall policy authentication timeout is true?

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

None

29.

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

FortiGate buffers the whole file but transmits to the client simultaneously

IPS engine handles the process as a standalone

Optimized performance compared to proxy-based inspection

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection

If the virus is detected, the last packet is delivered to the client

30.

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

get system arp

get system performance status

diagnose sys top

get system status

None

31.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

NGFW mode

FortiGuard update servers

System time

Operating mode

32.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

DNS-based web filter and proxy-based web filter

Static URL filter, FortiGuard category filter, and advanced filters

Static domain filter, SSL inspection filter, and external connectors filters

FortiGuard category filter and rating filter

None

33.

Refer to the exhibits. Based on the system performance output, which two statements are correct? (Choose two.)

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Administrators can access FortiGate only through the console port

FortiGate has entered conserve mode

Administrators cannot change the configuration

FortiGate will start sending all files to FortiSandbox for inspection

34.

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?

Disabled

On Demand

Enabled

On Idle

None

35.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

This is known as many-to-one NAT.

Source IP is translated to the outgoing interface IP.

Connections are tracked using source port and source MAC address.

Port address translation is not used.

36.

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

The collector agent must search security event logs.

The NetSessionEnum function is used to track user logouts.

NetAPI polling can increase bandwidth usage in large networks.

The collector agent uses a Windows API to query DCs for user logins.

None

37.

How do you format the FortiGate flash disk?

Load the hardware test (HQIP) image.

Execute the CLI command execute formatlogdisk.

Load a debug FortiOS image.

Select the format boot device option from the BIOS menu.

None

38.

Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

The IPS engine was inspecting high volume of traffic

The IPS engine was blocking all traffic

The IPS engine will continue to run in a normal state

The IPS engine was unable to prevent an intrusion attack

None

39.

Which two statements are true about the Security Fabric rating?

Many of the security issues can be fixed immediately by clicking Apply where available

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

The Security Fabric rating is a free service that comes bundled with all FortiGate devices

It provides executive summaries of the four largest areas of security focus

40.

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

HTTPS

FortiTelemetry

FTM

SSH

41.

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

NGFW policy-based mode policies support only flow inspection

NGFW policy-based mode can only be applied globally and not on individual VDOMs

NGFW policy-based mode does not require the use of central source NAT policy

42.

Which scanning technique on FortiGate can be enabled only on the CLI?

Heuristics scan

Trojan scan

Ransomware scan

Antivirus scan

None

43.

Refer to the exhibit. The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. Which two statements are true? (Choose two.)

A static route is required on the To-Internet VDOM to allow LAN users to access the Internet.

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Inter-VDOM links are not required between the Root and To-Internet VDOMs because the Root VDOM is used only as a management VDOM.

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

44.

Refer to the exhibit. What should the administrator do next to troubleshoot the problem?

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.

Execute a debug flow.

Capture the traffic using an external sniffer connected to port1.

Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”

Run a sniffer on the web server.

None

45.

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.

FortiGate forwards frames without changing the MAC address.

By default, all interfaces are part of the same broadcast domain.

Static routes are required to allow traffic to the next hop.

46.

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

Create a new service object for HTTP service and set the session TTL to never.

Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

Set the TTL value to never under config system-ttl.

Set the session TTL on the HTTP policy to maximum.

47.

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

The firmware image must be manually uploaded to each FortiGate.

Traffic load balancing is temporally disabled while upgrading the firmware.

Uninterruptable upgrade is enabled by default.

Only secondary FortiGate devices are rebooted.

48.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

FortiGate automatically negotiates different local and remote addresses with the remote peer.

None

49.

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

One-to-one NAT IP pool is used in the firewall policy

Port block allocation IP pool is used in the firewall policy

Overload NAT IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

None

50.

Which three statements are true regarding session-based authentication? (Choose three.)

It is not recommended if multiple users are behind the source NAT

HTTP sessions are treated as a single user.

It requires more resources.

IP sessions from the same source IP address are treated as a single user.

It can differentiate among multiple clients behind the same source IP address.

51.

Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

To allow for out-of-order packets that could arrive after the FIN/ACK packets

To finish any inspection operations

To generate logs

To remove the NAT operation

None

52.

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Proxy-based inspection

Flow-based inspection

Certificate inspection

Full Content inspection

None

53.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Log ID

Universally Unique Identifier

Sequence ID

Policy ID

None

54.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

User or User Group

FQDN address

Once Internet Service is selected, no other object can be added

IP address

None

55.

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?

FortiGate does not support full SSL inspection when web filtering is enabled.

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

There are network connectivity issues.

The browser requires a software update.

None

56.

Refer to the exhibit. Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Traffic between port2 and port2-vlan1 is allowed by default.

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

port1 is a native VLAN.

57.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

Interface Pair view will be disabled

Policy lookup will be disabled

By Sequence view will be disabled

Search option will be disabled

None

58.

Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

Policy-based authentication is enabled

Session-based authentication is enabled

Route-based authentication is enabled

IP-based authentication is enabled

None

59.

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

diagnose wad session list

diagnose wad session list | grep hook=pre&&hook=out

diagnose wad session list | grep hook-pre&&hook-out

diagnose wad session list | grep "hook=pre"&"hook=out"

None

60.

Refer to the exhibit. Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.

10.200.3.1

10.200.1.1

10.200.1.100

10.200.1.10

None

Time's up

Leave a Reply Cancel