NSE4_FGT-7.2 Dumps



Fortinet NSE4_FGT-7.2: Fortinet NSE 4 - FortiOS 7.2


https://killexams.com/pass4sure/exam-detail/NSE4_FGT-7.2



Question: 50


Examine the exhibit, which contains a virtual IP and firewall policy configuration.




The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.


Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

A. 10.200.1.10

B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24

C. 10.200.1.1

D. 10.0.1.254


Answer: A

Explanation: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.


Question: 51


Refer to the exhibit.


An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

A. The Detection Mode setting is not set to Passive.

B. The administrator did not configure a gateway for the SD-WAN members, or the configured gateway is not valid.

C. The configured participants are not SD-WAN members.

D. The Enable probe packets setting is not enabled.


Answer: B,D


Question: 52


A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.


What is the reason for the failed virus detection by FortiGate?

A. The website is exempted from SSL inspection.

B. The EICAR test file exceeds the protocol options oversize limit.

C. The selected SSL inspection profile has certificate inspection enabled.

D. The browser does not trust the FortiGate self-signed CA certificate.


Answer: A,D

Explanation: HTTPS traffic requires SSL decryption. Check the SSL inspection profile.


Question: 53


What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A. FortiGate automatically negotiates different local and remote addresses with the remote peer.

B. FortiGate automatically negotiates a new security association after the existing security association expires.

C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.


Answer: D

Explanation: https://kb.fortinet.com/kb/documentLink.do?externalID=12069


Question: 54


Refer to the exhibit.



Examine the intrusion prevention system (IPS) diagnostic command.


Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

A. The IPS engine was inspecting a high volume of traffic.

B. The IPS engine was unable to prevent an intrusion attack.

C. The IPS engine was blocking all traffic.

D. The IPS engine will continue to run in a normal state.

Answer: A

Explanation: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage


Question: 55


Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)


A. The keyUsage extension must be set to keyCertSign.

B. The common name on the subject field must use a wildcard name.

C. The issuer must be a public CA.

D. The CA extension must be set to TRUE.


Answer: A,D

Explanation: "In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."

Reference: https://www.reddit.com/r/fortinet/comments/c7j6jg/recommended_ssl_cert/


Question: 56


Which feature in the Security Fabric takes one or more actions based on event triggers?

A. Fabric Connectors

B. Automation Stitches

C. Security Rating

D. Logical Topology


Answer: B

Explanation: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/286973/fortinet-security-fabric


Question: 57


Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

A. By default, FortiGate uses WINS servers to resolve names.

B. By default, the SSL VPN portal requires the installation of a client's certificate.

C. By default, split tunneling is enabled.

D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Answer: D


Question: 58


Refer to the exhibit.


Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

A. Traffic between port2 and port2-vlan1 is allowed by default.

B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

C. port1 is a native VLAN.

D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.


Answer: C,D

Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883


Question: 59


What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A. It limits the scope of application control to the browser-based technology category only.

B. It limits the scope of application control to scan application traffic based on application category only.

C. It limits the scope of application control to scan application traffic using parent signatures only.

D. It limits the scope of application control to scan application traffic on DNS protocol only.


Answer: B