Free NSE4_FGT-7.0 Sample Questions — Fortinet NSE 4 - FortiOS 7.0

Free NSE4_FGT-7.0 sample questions for the Fortinet NSE 4 - FortiOS 7.0 exam. No account required: study at your own pace.

Question 1

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

  • A. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster
  • B. Virtual IP addresses are used to distinguish between cluster members
  • C. Heartbeat interfaces have virtual IP addresses that are manually assigned
  • D. The primary device in the cluster is always assigned IP address 169.254.0.1.
Correct Answer:
  • A. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster
  • B. Virtual IP addresses are used to distinguish between cluster members
Question 2

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

  • A. Set the TTL value to never under config system-ttl
  • B. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy
  • C. Create a new service object for HTTP service and set the session TTL to never
  • D. Set the session TTL on the HTTP policy to maximum
Correct Answer:
  • B. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy
  • C. Create a new service object for HTTP service and set the session TTL to never
Question 3

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

  • A. NTP
  • B. DNS
  • C. FortiGate hostname
  • D. FortiGuard web filter cache
Correct Answer:
  • A. NTP
  • B. DNS
Question 4

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

  • A. System event logs
  • B. Security logs
  • C. Forward traffic logs
  • D. Local traffic logs
Correct Answer:
D. Local traffic logs
Question 5

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

  • A. The subject field in the server certificate
  • B. The subject alternative name (SAN) field in the server certificate
  • C. The serial number in the server certificate
  • D. The server name indication (SNI) extension in the client hello message
  • E. The host field in the HTTP header
Correct Answer:
  • A. The subject field in the server certificate
  • B. The subject alternative name (SAN) field in the server certificate
  • D. The server name indication (SNI) extension in the client hello message
Question 6

An administrator wants to configure Dead Peer Detection (DPD) on an IPsec VPN to detect dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet this requirement?

  • A. On Demand
  • B. Disabled
  • C. On Idle
  • D. Enabled
Correct Answer:
C. On Idle
Question 7

What devices form the core of the security fabric?

  • A. Two FortiGate devices and one FortiAnalyzer device
  • B. One FortiGate device and one FortiManager device
  • C. One FortiGate device and one FortiAnalyzer device
  • D. Two FortiGate devices and one FortiManager device
Correct Answer:
A. Two FortiGate devices and one FortiAnalyzer device
Question 8

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Dialup User
  • B. Static IP Address
  • C. Pre-shared Key
  • D. Dynamic DNS
Correct Answer:
A. Dialup User
Question 9

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?

  • A. Antivirus definitions are not up to date
  • B. SSL/SSH Inspection profile is incorrect
  • C. Antivirus profile configuration is incorrect
  • D. Application control is not enabled
Correct Answer:
B. SSL/SSH Inspection profile is incorrect
Question 10

Which two statements are true about collector agent advanced mode? (Choose two.)

  • A. Security profiles can be applied only to user groups, not individual users
  • B. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate
  • C. Advanced mode supports nested or inherited groups
  • D. Advanced mode uses Windows convention - NetBios: Domain\Username
Correct Answer:
  • B. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate
  • C. Advanced mode supports nested or inherited groups
Question 11

An organization's employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

  • A. Change the session-ttl
  • B. Change the udp-idle-timer
  • C. Change the idle-timeout
  • D. Change the login-timeout
Correct Answer:
D. Change the login-timeout
Question 12

Which two statements are true about the Security Fabric rating? (Choose two.)

  • A. The Security Fabric rating is a free service that comes bundled with all FortiGate devices
  • B. Many of the security issues can be fixed immediately by clicking Apply where available
  • C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric
  • D. It provides executive summaries of the four largest areas of security focus
Correct Answer:
  • B. Many of the security issues can be fixed immediately by clicking Apply where available
  • C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric
Question 13

Which two types of traffic are managed only by the management VDOM? (Choose two.)

  • A. PKI
  • B. FortiGuard web filter queries
  • C. DNS
  • D. Traffic shaping
Correct Answer:
  • B. FortiGuard web filter queries
  • C. DNS
Question 14

Which three methods are used by the collector agent for AD polling? (Choose three.)

  • A. WMI
  • B. Novell API
  • C. WinSecLog
  • D. NetAPI
  • E. FortiGate polling
Correct Answer:
  • A. WMI
  • C. WinSecLog
  • D. NetAPI
Question 15

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

  • A. Policy ID
  • B. Log ID
  • C. Universally Unique Identifier
  • D. Sequence ID
Correct Answer:
C. Universally Unique Identifier
Question 16

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

  • A. FortiSandbox
  • B. FortiCloud
  • C. FortiSIEM
  • D. FortiCache
  • E. FortiAnalyzer
Correct Answer:
  • B. FortiCloud
  • C. FortiSIEM
  • E. FortiAnalyzer
Question 17

Which feature in the Security Fabric takes one or more actions based on event triggers?

  • A. Fabric Connectors
  • B. Security Rating
  • C. Logical Topology
  • D. Automation Stitches
Correct Answer:
D. Automation Stitches
Question 18

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

  • A. Denial of Service
  • B. Web application firewall
  • C. Antivirus
  • D. Application control
Correct Answer:
B. Web application firewall
Question 19

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

  • A. set fortiguard-anycast disable
  • B. set webfilter-force-off disable
  • C. set webfilter-cache disable
  • D. set protocol tcp
Correct Answer:
A. set fortiguard-anycast disable
Question 20

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  • A. It limits the scanning of application traffic to use parent signatures only
  • B. It limits the scanning of application traffic to the browser-based technology category only
  • C. It limits the scanning of application traffic to the DNS protocol only
  • D. It limits the scanning of application traffic to the application category only
Correct Answer:
B. It limits the scanning of application traffic to the browser-based technology category only
