NSE4_FGT-7.2 Exam Questions

Total 168 Questions

Last Updated Exam : 16-Dec-2024

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?


A. Add the support of NTLM authentication.


B. Add user accounts to Active Directory (AD).


C. Add user accounts to the FortiGate group filter.


D. Add user accounts to the Ignore User List.





D. Add user accounts to the Ignore User List.

Reference: https://community.fortinet.com/t5/Support-Forum/Collector-Agent-and-problemgetting-login-info/m-p/95481

Which two statements are correct about SLA targets? (Choose two.)


A. You can configure only two SLA targets per one Performance SLA.


B. SLA targets are optional.


C. SLA targets are required for SD-WAN rules with a Best Quality strategy.


D. SLA targets are used only when referenced by an SD-WAN rule.





B. SLA targets are optional.

D. SLA targets are used only when referenced by an SD-WAN rule.

Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/382233/performance-sla-slatargets

Which two statements are correct about a software switch on FortiGate? (Choose two.) 


A. It can be configured only when FortiGate is operating in NAT mode


B. Can act as a Layer 2 switch as well as a Layer 3 router


C. All interfaces in the software switch share the same IP address


D. It can group only physical interfaces





A. It can be configured only when FortiGate is operating in NAT mode

C. All interfaces in the software switch share the same IP address

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)


A. diagnose sys top


B. execute ping


C. execute traceroute


D. diagnose sniffer packet any


E. get system arp





B. execute ping

C. execute traceroute

D. diagnose sniffer packet any

In which two ways can RPF checking be disabled? (Choose two.)


A. Enable anti-replay in firewall policy.


B. Disable the RPF check at the FortiGate interface level for the source check


C. Enable asymmetric routing.


D. Disable strict-src-check under system settings.





C. Enable asymmetric routing.

D. Disable strict-src-check under system settings.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?


A. It limits the scanning of application traffic to the DNS protocol only.


B. It limits the scanning of application traffic to use parent signatures only.


C. It limits the scanning of application traffic to the browser-based technology category only.


D. It limits the scanning of application traffic to the application category only.





C. It limits the scanning of application traffic to the browser-based technology category only.


FortiGate Security 7.2 Study Guide (p.317): "You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website."

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)


A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.


B. The client FortiGate requires a manually added route to remote subnets.


C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.


D. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.





C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/508779/fortigate-asssl-vpn-client

To establish an SSL VPN connection between two FortiGate devices, the following two settings are required:

The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate will use a CA (Certificate Authority) certificate to verify the client FortiGate certificate, ensuring that the client device is trusted and allowed to establish an SSL VPN connection.

The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: The client FortiGate must have an SSL VPN tunnel interface type configured in order to establish an SSL VPN connection. This interface type will be used to connect to the server FortiGate over the SSL VPN. 

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.) 


A. The interface has been configured for one-arm sniffer.


B. The interface is a member of a virtual wire pair.


C. The operation mode is transparent.


D. The interface is a member of a zone.


E. Captive portal is enabled in the interface.





A. The interface has been configured for one-arm sniffer.

B. The interface is a member of a virtual wire pair.

C. The operation mode is transparent.

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats new54/Top_VirtualWirePair.htm

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy, instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)


A. The IP version of the sources and destinations in a firewall policy must be different.


B. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4 and IPv6.


C. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.


D. The IP version of the sources and destinations in a policy must match.


E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.





B. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4 and IPv6.

D. The IP version of the sources and destinations in a policy must match.

E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.


Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)


A. System time


B. FortiGuard update servers


C. Operating mode


D. NGFW mode





C. Operating mode

D. NGFW mode

C: "Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate."

D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide

Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

A. The security actions applied on the web applications will also be explicitly applied on the third-party websites.
B. The application signature database inspects traffic only from the original web application server.
C. FortiGuard maintains only one signature of each web application that is unique.
D. FortiGate can inspect sub-application traffic regardless where it was originated.

Answer: D

Reference:
https://help.fortinet.com/fortiproxy/11/Content/Admin-Guides/FPXAdminGuide/300_System/303d_FortiG

