NSE4 v7 – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Fortinet

Exam: NSE 4

Exam Code: NSE4 v7.0

Total Question: 131

Question per Quiz: 60

Updated On: 24 July 2022

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to the application category only.

It limits the scanning of application traffic to use parent signatures only.

Which two statements are true about collector agent standard access mode? (Choose two.)

Standard mode uses Windows convention-NetBios: Domain\Username.

Standard mode security profiles apply to organizational units (OU).

Standard mode security profiles apply to user groups.

Standard access mode supports nested groups.

Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two.)

Traffic is blocked because Action is set to DENY in the firewall policy.

Log severity is set to error on FortiGate.

Traffic belongs to the root VDOM.

This is a security log.

Which two statements are true about collector agent advanced mode? (Choose two.)

Advanced mode uses Windows convention-NetBios: Domain\Username.

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

Advanced mode supports nested or inherited groups.

Security profiles can be applied only to user groups, nor individual users.

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

FortiGate uses the SMB protocol to read the event viewer logs from the DCs

FortiGate points the collector agent to use a remote LDAP server

FortiGate uses the AD server as the collector agent

FortiGate queries AD by using the LDAP to retrieve user group information

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

FortiAnalyzer

FortiCloud

FortiSIEM

FortiSandbox

FortiCache

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

The host field in the HTTP header

The subject field in the server certificate

The serial number in the server certificate

The server name indication (SNI) extension in the client hello message

The subject alternative name (SAN) field in the server certificate

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

FortiGuard update servers

System time

Operating mode

NGFW mode

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

192.168.0.0/8

192.168.2.0/24

192.168.1.0/24

192.168.3.0/24

10.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

This is known as many-to-one NAT.

Connections are tracked using source port and source MAC address.

Source IP is translated to the outgoing interface IP.

Port address translation is not used.

11.

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

The IP version of the sources and destinations in a firewall policy must be different.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a policy must match.

12.

An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?

Redundant interface

VLAN interface

Aggregate interface

Software Switch interface

13.

Refer to the exhibit. Why did FortiGate drop the packet?

The next-hop IP address is unreachable.

It matched an explicitly configured firewall policy with the action DENY.

It failed the RPF check.

It matched the default implicit firewall policy.

14.

Which scanning technique on FortiGate can be enabled only on the CLI?

Heuristics scan

Ransomware scan

Antivirus scan

Trojan scan

15.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster

Heartbeat interfaces have virtual IP addresses that are manually assigned

Virtual IP addresses are used to distinguish between cluster members

The primary device in the cluster is always assigned IP address 169.254.0.1

16.

Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

The Ping protocol is not supported for the public servers that are configured.

There may not be a static route to route the performance SLA traffic.

You need to turn on the Enable probe packets switch.

Participants configured are not SD-WAN members.

17.

Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000065036 HA uptime has been reset.

18.

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

The client FortiGate requires a manually added route to remote subnets.

The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

19.

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?

On Idle

Enabled

Disabled

On Demand

20.

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

A certificate is not required on the remote peer when you set the signature as the authentication method.

FortiGate supports pre-shared key and signature as authentication methods.

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

21.

Refer to the exhibits to view the firewall policy and the antivirus profile. Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

The firewall policy performs the full content inspection on the file.

The flow-based inspection is used, which resets the last packet to the user.

The volume of traffic being inspected is too high for this model of FortiGate.

The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

22.

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Configure host check

Configure split tunneling in tunnel mode

Configure different SSL VPN realms

Configure Source IP Pools

23.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

diagnose sys top

execute ping

diagnose sniffer packet any

execute traceroute

get system arp

24.

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Pre-shared Key

Static IP Address

Dynamic DNS

Dialup User

25.

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

diagnose sys top

get system status

get system arp

get system performance status

26.

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

Automated Response

Optimization

Security Posture

Fabric Coverage

27.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile UI proxy-based inspection mode? (Choose two.)

Learn

Warning

Exempt

Allow

28.

Which three methods are used by the collector agent for AD polling? (Choose three.)

FortiGate polling

WinSecLog

WMI

Novell API

NetAPI

29.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

Static domain filter, SSL inspection filter, and external connectors filters

Static URL filter, FortiGuard category filter, and advanced filters

FortiGuard category filter and rating filter

DNS-based web filter and proxy-based web filter

30.

Which statement regarding the firewall policy authentication timeout is true?

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

31.

An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?

new-session

soft-timeout

auth-on-demand

hard-timeout

idle-timeout

32.

Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?

The category of Apple FaceTime is being monitored.

Apple FaceTime belongs to the custom monitored filter.

Apple FaceTime belongs to the custom blocked filter.

The category of Apple FaceTime is being blocked.

33.

Refer to the exhibit. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

10.200.1.1

10.200.1.149

10.200.1.99

10.200.1.49

34.

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?

There are network connectivity issues.

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

FortiGate does not support full SSL inspection when web filtering is enabled.

The browser requires a software update.

35.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Enable asymmetric routing at the interface level.

Enable asymmetric routing, so the RPF check will be bypassed.

Disable the RPF check at the FortiGate interface level for the reply check.

Disable the RPF check at the FortiGate interface level for the source check.

36.

Refer to the exhibit. How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose two.)

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

37.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Consider the topology:
Application on a Windows machine FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Create a new service object for TELNET and set the maximum session TTL.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

Set the maximum session TTL value for the TELNET service object.

38.

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Intrusion prevention system engine

Antivirus engine

39.

Refer to the exhibit. Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

Traffic matching the signature will be allowed and logged.

Traffic matching the signature will be silently dropped and logged.

The signature setting uses a custom rating threshold.

The signature setting includes a group of other signatures.

40.

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Certificate inspection

Flow-based inspection

Full Content inspection

Proxy-based inspection

41.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Security Rating

Logical Topology

Fabric Connectors

Automation Stitches

42.

wo protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

ping

DNS

TWAMP

udp-echo

43.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

Log ID

Sequence ID

Policy ID

Universally Unique Identifier

44.

Which two statements are correct about SLA targets? (Choose two.)

SLA targets are required for SD-WAN rules with a Best Quality strategy.

You can configure only two SLA targets per one Performance SLA.

SLA targets are optional.

SLA targets are used only when referenced by an SD-WAN rule.

45.

Which two statements are true about the FGCP protocol? (Choose two.)

Elects the primary FortiGate device

Not used when FortiGate is in Transparent mode

Runs only over the heartbeat links

Is used to discover FortiGate devices in different HA groups

46.

Refer to the exhibit. Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

Traffic between port2 and port2-vlan1 is allowed by default.

port1 is a native VLAN.

port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

47.

Refer to the exhibits. Based on the system performance output, which two statements are correct? (Choose two.)

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Administrators cannot change the configuration

FortiGate has entered conserve mode

FortiGate will start sending all files to FortiSandbox for inspection

Administrators can access FortiGate only through the console port

48.

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

The administrator must use the user self-registration server.

The administrator must use a FortiAuthenticator device.

The administrator can register the same FortiToken on more than one FortiGate.

The administrator can use a third-party radius OTP server.

49.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement web filter quotas for the specified website

Implement a web filter category override for the specified website

Implement web filter authentication for the specified website.

Implement a DNS filter for the specified website.

50.

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

The internal IP address of the FortiGate device.

The public IP address of the FortiGate device.

The remote user's virtual IP address.

remote user's public IP address

51.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, the SSL VPN portal requires the installation of a client’s certificate.

By default, FortiGate uses WINS servers to resolve names.

By default, split tunneling is enabled.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

52.

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

diagnose wad session list | grep hook-pre&&hook-out

diagnose wad session list | grep hook=pre&&hook=out

diagnose wad session list | grep "hook=pre"&"hook=out"

diagnose wad session list

53.

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Add the support of NTLM authentication

Add user accounts to Active Directory (AD)

Add user accounts to the Ignore User List

Add user accounts to the FortiGate group filter

54.

Refer to the exhibit to view the firewall policy. Which statement is correct if well-known viruses are not being blocked?

The action on the firewall policy must be set to deny.

The firewall policy does not apply deep content inspection.

Web filter should be enabled on the firewall policy to complement the antivirus profile.

The firewall policy must be configured in proxy-based inspection mode.

55.

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Firewall policy

SSL inspection and authentication policy

Policy rule

Security policy

56.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

FortiGate automatically negotiates different local and remote addresses with the remote peer.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

57.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic? (Choose two.)

Volume

Spillover

Session

Source IP

58.

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Dead Peer Detection.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

59.