[Nov 28, 2023] NSE4_FGT-7.0 Test Prep Training Practice Exam Questions Practice Tests [Q77-Q92]

NEW QUESTION # 77
Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

  • A. It is dropped.
  • B. It is allowed and inspected, as long as the inspection is flow-based.
  • C. It is allowed, but with no inspection.
  • D. It is allowed and inspected, as long as the only inspection required is antivirus.

Answer: A


NEW QUESTION # 78
Which statement regarding the firewall policy authentication timeout is true?

  • A. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.
  • B. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
  • C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
  • D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

Answer: B


NEW QUESTION # 79
Refer to the exhibits.


The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

  • A. Change the Server IP address.
  • B. Change the SSL VPN port on the client.
  • C. Change the SSL VPN portal to the tunnel.
  • D. Change the idle-timeout.

Answer: B


NEW QUESTION # 80
Refer to the exhibits.


Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

  • A. Administrators cannot change the configuration.
  • B. FortiGate has entered conserve mode.
  • C. Administrators can access FortiGate only through the console port.
  • D. FortiGate will start sending all files to FortiSandbox for inspection.

Answer: A,B

Explanation:
Reference: https://www.skillfulist.com/fortigate/fortigate-conserve-mode-how-to-stop-it-and-what-it-means/


NEW QUESTION # 81
Which three statements about a flow-based antivirus profile are correct? (Choose three.)

  • A. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.
  • B. Optimized performance compared to proxy-based inspection.
  • C. FortiGate buffers the whole file but transmits to the client simultaneously.
  • D. IPS engine handles the process as a standalone.
  • E. If the virus is detected, the last packet is delivered to the client.

Answer: A,B,C


NEW QUESTION # 82
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).


Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

  • A. The flow-based inspection is used, which resets the last packet to the user.
  • B. The volume of traffic being inspected is too high for this model of FortiGate.
  • C. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.
  • D. The firewall policy performs the full content inspection on the file.

Answer: A

Explanation:
* Only if the virus is detected at the start of the connection does the IPS engine send the block replacement message immediately.
* When a virus is detected on a TCP session for the first time, but some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore can't be opened. The IPS engine also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS engine sends a block replacement message to the client instead of scanning the file again.
In flow mode, FortiGate drops the last packet, which kills the file, but because of that the block replacement message cannot be displayed. If the download is attempted again, the block message is shown.


NEW QUESTION # 83
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

  • A. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • B. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • C. On Remote-FortiGate, set port2 as Interface.
  • D. On HQ-FortiGate, disable Diffie-Hellman group 2.

Answer: B,C


NEW QUESTION # 84
Which of the following SD-WAN load-balancing methods use the interface weight value to distribute traffic? (Choose two.)

  • A. Source IP
  • B. Session
  • C. Spillover
  • D. Volume

Answer: B,D

Explanation:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing


NEW QUESTION # 85
Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.
With this configuration, which statement is true?

  • A. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
  • B. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  • C. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.
  • D. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

Answer: B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46542


NEW QUESTION # 86
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

  • A. User or User Group
  • B. IP address
  • C. Once Internet Service is selected, no other object can be added
  • D. FQDN address

Answer: C


NEW QUESTION # 87
Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

  • A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
  • B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
  • C. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1.
  • D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Answer: D


NEW QUESTION # 88
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

  • A. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
  • B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
  • C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  • D. The client FortiGate requires a manually added route to remote subnets.

Answer: A,C


NEW QUESTION # 89
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

  • A. Both the phase 1 SA and phase 2 SA are bidirectional.
  • B. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
  • C. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
  • D. Phase 2 SA expiration can be time-based, volume-based, or both.
  • E. An SA never expires.

Answer: B,C,D


NEW QUESTION # 90
Refer to the exhibit.



The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  • A. Enable match-vip in the Deny policy.
  • B. Disable match-vip in the Deny policy.
  • C. Set the Destination address as Web_server in the Deny policy.
  • D. Set the Destination address as Deny_IP in the Allow-access policy.

Answer: A,C


NEW QUESTION # 91
An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

  • A. Disable the RPF check at the FortiGate interface level for the reply check.
  • B. Enable asymmetric routing, so the RPF check will be bypassed.
  • C. Enable asymmetric routing at the interface level.
  • D. Disable the RPF check at the FortiGate interface level for the source check.

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955
Infrast 7.0 SG page 38
RPF checking can be disabled in two ways. If you enable asymmetric routing, it disables RPF checking system-wide. However, this greatly reduces the security of your network: features such as antivirus and IPS become ineffective. So, if you need to disable RPF checking, you can do so at the interface level using the command:

config system interface
    edit <interface>
        set src-check [enable | disable]
end


The NSE4_FGT-7.0 certification is designed for network administrators, security professionals, and IT managers who are responsible for managing and securing their organization's network infrastructure. Fortinet NSE 4 - FortiOS 7.0 certification is also suitable for professionals who want to advance their career in the field of cybersecurity, as it validates their skills and knowledge in one of the most popular cybersecurity solutions in the market.