NSE4 v7 – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 21 March 2023

Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.

Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

There will be eight routes active in the routing table

The port3 default route has the highest distance

The port1 and port2 default routes are active in the routing table

The port3 default route has the lowest metric

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

set protocol udp

set webfilter-force-off disable

set webfilter-cache disable

set fortiguard-anycast disable

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

FG-traffic

FG-Mgmt

Mgmt

Root

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

The client FortiGate requires a manually added route to remote subnets.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

In an explicit proxy setup, where is the authentication method and database configured?

Firewall Policy

Authentication Rule

Authentication scheme

Proxy Policy

None

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The interface has been configured for one-arm sniffer.

The interface is a member of a virtual wire pair.

Captive portal is enabled in the interface.

The interface is a member of a zone.

The operation mode is transparent.

Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

Idle-timeout

new-session

soft-timeout

hard-timeout

auth-on-demand

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Source IP

Spillover

Volume

Session

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Intrusion prevention system engine

Antivirus engine

None

10.

Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

The IPS engine was unable to prevent an intrusion attack

The IPS engine will continue to run in a normal state

The IPS engine was inspecting high volume of traffic

The IPS engine was blocking all traffic

None

11.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates different local and remote addresses with the remote peer.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

None

12.

Which of statement is true about SSL VPN web mode?

It assigns a virtual IP address to the client.

The external network application sends data through the VPN.

The tunnel is up while the client is connected.

It supports a limited number of protocols.

None

13.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Sequence ID

Universally Unique Identifier

Log ID

Policy ID

None

14.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

Static URL filter, FortiGuard category filter, and advanced filters

Static domain filter, SSL inspection filter, and external connectors filters

DNS-based web filter and proxy-based web filter

FortiGuard category filter and rating filter

None

15.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?

Search option will be disabled

By Sequence view will be disabled

Policy lookup will be disabled

Interface Pair view will be disabled

None

16.

Which three methods are used by the collector agent for AD polling? (Choose three.)

WMI

Novell API

NetAPI

FortiGate polling

WinSecLog

17.

Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

The category of Apple FaceTime is being blocked.

Apple FaceTime belongs to the custom blocked filter.

Apple FaceTime belongs to the custom monitored filter.

The category of Apple FaceTime is being monitored.

None

18.

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

FortiGate buffers the whole file but transmits to the client simultaneously

IPS engine handles the process as a standalone

If the virus is detected, the last packet is delivered to the client

Optimized performance compared to proxy-based inspection

Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection

19.

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Add user accounts to the FortiGate group filter

Add user accounts to Active Directory (AD)

Add user accounts to the Ignore User List

Add the support of NTLM authentication

None

20.

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

Antivirus profile configuration is incorrect

Application control is not enabled

SSL/SSH Inspection profile is incorrect

Antivirus definitions are not up to date

None

21.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

The primary device in the cluster is always assigned IP address 169.254.0.1

Heartbeat interfaces have virtual IP addresses that are manually assigned

Virtual IP addresses are used to distinguish between cluster members

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster

22.

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

NGFW policy-based mode can only be applied globally and not on individual VDOMs

NGFW policy-based mode does not require the use of central source NAT policy

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

NGFW policy-based mode policies support only flow inspection

23.

Which two statements are true about the Security Fabric rating?

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

Many of the security issues can be fixed immediately by clicking Apply where available

The Security Fabric rating is a free service that comes bundled with all FortiGate devices

It provides executive summaries of the four largest areas of security focus

24.

What devices form the core of the security fabric?

Two FortiGate devices and one Forti Analyzer device

One FortiGate device and one FortiManager device

One FortiGate device and one Forti Analyzer device

Two FortiGate devices and one FortiManager device

None

25.

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

The collector agent must search security event logs.

The collector agent uses a Windows API to query DCs for user logins.

The NetSessionEnum function is used to track user logouts.

NetAPI polling can increase bandwidth usage in large networks.

None

26.

Based on the raw logs shown in the exhibit, which statement is correct?

Social networking web filter category is configured with the action set to authenticate.

The name of the firewall policy is all_users_web.

The action on firewall policy ID 1 is set to warning.

Access to the social networking web filter category was explicitly blocked to all users.

None

27.

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

The IP version of the sources and destinations in a policy must match.

The IP version of the sources and destinations in a firewall policy must be different.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

28.

An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?

VLAN interface

Aggregate interface

Software Switch interface

Redundant interface

None

29.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

User or User Group

IP address

FQDN address

Once Internet Service is selected, no other object can be added

None

30.

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

Automated Response

Security Posture

Fabric Coverage

Optimization

None

31.

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

NTP

DNS

FortiGate hostname

FortiGuard web filter cache

32.

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

FortiGate uses the SMB protocol to read the event viewer logs from the DCs

FortiGate uses the AD server as the collector agent

FortiGate queries AD by using the LDAP to retrieve user group information

FortiGate points the collector agent to use a remote LDAP server

33.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Enable Dead Peer Detection.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

34.

Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

To finish any inspection operations

To remove the NAT operation

To generate logs

To allow for out-of-order packets that could arrive after the FIN/ACK packets

None

35.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure web rating override for the home page? (Choose two.)

www.example.com

www.example.com:443

www.example.com/index.html

example.com

36.

Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?

Add Facebook in the URL category in the security policy

The SSL inspection needs to be a deep content inspection

Force access to Facebook using the HTTP service

Additional application signatures are required to add to the security policy

None

37.

Refer to the exhibit. Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.

10.200.1.1

10.200.1.100

10.200.1.10

10.200.3.1

None

38.

Which statement regarding the firewall policy authentication timeout is true?

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

None

39.

Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

Participants configured are not SD-WAN members.

The Ping protocol is not supported for the public servers that are configured.

You need to turn on the Enable probe packets switch.

There may not be a static route to route the performance SLA traffic.

None

40.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile UI proxy-based inspection mode? (Choose two.)

Exempt

Warning

Allow

Learn

41.

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

System event logs

Forward traffic logs

Security logs

Local traffic logs

None

42.

Which two types of traffic are managed only by the management VDOM? (Choose two.)

PKI

FortiGuard web filter queries

DNS

Traffic shaping

43.

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

Web application firewall

Application control

Denial of Service

Antivirus

None

44.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

The Services field is used when several VIPs need to be bundled into VIP groups.

The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

The Services field removes the requirement of creating multiple VIPs for different services.

None

45.

Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?

Port block allocation IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

Overload NAT IP pool is used in the firewall policy

None

46.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the application category only.

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to the DNS protocol only.

None

47.

Refer to the exhibit. The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

Enable restrict access to trusted hosts

Change password

Enable two-factor authentication

Change Administrator profile

None

48.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

The subject alternative name (SAN) field in the server certificate

The server name indication (SNI) extension in the client hello message

The serial number in the server certificate

The host field in the HTTP header

The subject field in the server certificate

49.

Refer to the exhibit showing a debug flow output. Which two statements about the debug flow output are correct? (Choose two.)

A new traffic session is created

The debug flow is of ICMP traffic

A firewall policy allowed the connection

The default route is required to receive a reply

50.

Which scanning technique on FortiGate can be enabled only on the CLI?

Antivirus scan

Trojan scan

Heuristics scan

Ransomware scan

None

51.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The keyUsage extension must be set to keyCertSign

The issuer must be a public CA

The common name on the subject field must use a wildcard name

The CA extension must be set to TRUE

52.

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

The strict RPF check is run on the first sent and reply packet of any new session

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface

Strict RPF checks the best route back to the source using the incoming interface

Strict RPF allows packets back to sources with all active routes

None

53.

Refer to the exhibit. The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Change the Server IP address.

Change the SSL VPN portal to the tunnel.

Change the idle-timeout.

Change the SSL VPN port on the client.

None

54.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

Source IP is translated to the outgoing interface IP.

Connections are tracked using source port and source MAC address.

Port address translation is not used.

This is known as many-to-one NAT.

55.

An organization's employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

Change the udp-idle-timer.

Change the session-ttl.

Change the idle-timeout.

Change the login-timeout.

None

56.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

System time

Operating mode

NGFW mode

FortiGuard update servers

57.

An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?

auth-on-demand

new-session

idle-timeout

soft-timeout

hard-timeout

None

58.

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

Log backups from the CLI can be configured to upload to FTP as a scheduled time

Log backups from the CLI cannot be restored to another FortiGate

Log downloads from the GUI are stored as LZ4 compressed files

Log downloads from the GUI are limited to the current filter view