Download Fortinet NSE 4 -FortiOS 7-2.NSE4_FGT-7.2.2passeasy.2025-05-21.85q.vcex

Vendor: Fortinet
Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 -FortiOS 7-2
Date: May 21, 2025
File Size: 3 MB
Downloads: 1

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?
  1. IP address
  2. No other object can be added
  3. FQDN address
  4. User or User Group
Correct answer: B
Explanation:
FortiGate Security 7.2 Study Guide (p.59): "When configuring your firewall policy, you can use Internet Service as the destination in a firewall policy, which contains all the IP addresses, ports, and protocols used by that service. For the same reason, you cannot mix regular address objects with ISDB objects, and you cannot select services on a firewall policy. The ISDB objects already have services information, which is hardcoded."
This is true because Internet Service is a special type of destination object that can only be used alone in a firewall policy. Internet Service is a feature that allows FortiGate to identify and filter traffic based on the internet service or application that it belongs to, such as Facebook, YouTube, Skype, etc. Internet Service uses a database of IP addresses and ports that are associated with each internet service or application, and updates it regularly from FortiGuard. When Internet Service is selected as the destination in a firewall policy, FortiGate will match the traffic to the corresponding internet service or application, and apply the appropriate action and security profiles to it. However, Internet Service cannot be combined with any other destination object, such as IP address, FQDN address, user or user group, etc., as this would create a conflict or ambiguity in the firewall policy. Therefore, no other object can be added if Internet Service is already selected as the destination in a firewall policy.
Question 2
Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)
  1. Source defined as Internet Services in the firewall policy.
  2. Destination defined as Internet Services in the firewall policy.
  3. Highest to lowest priority defined in the firewall policy.
  4. Services defined in the firewall policy.
  5. Lowest to highest policy ID number.
Correct answer: ABD
Explanation:
When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using the following objects:
  • Incoming Interface
  • Outgoing Interface
  • Source: IP address, user, internet services
  • Destination: IP address or internet services
  • Service: IP protocol and port number
  • Schedule: Applies during configured times
Question 3
Which two statements are correct about SLA targets? (Choose two.)
  1. You can configure only two SLA targets per one Performance SLA.
  2. SLA targets are optional.
  3. SLA targets are required for SD-WAN rules with a Best Quality strategy.
  4. SLA targets are used only when referenced by an SD-WAN rule.
Correct answer: BD
Question 4
Which two statements explain antivirus scanning modes? (Choose two.)
  1. In proxy-based inspection mode, files bigger than the buffer size are scanned.
  2. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
  3. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
  4. In flow-based inspection mode, files bigger than the buffer size are scanned.
Correct answer: BC
Explanation:
An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM--something that no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses pass through.
FortiGate Security 7.2 Study Guide (p.350 & 352): "In flow-based inspection mode, the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Because the file is transmitted simultaneously, flow-based mode consumes more CPU cycles than proxy-based." "Each protocol's proxy picks up a connection and buffers the entire file first (or waits until the oversize limit is reached) before scanning. The client must wait for the scanning to finish."
Question 5
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?
  1. On Remote-FortiGate, set Seconds to 43200.
  2. On HQ-FortiGate, set Encryption to AES256.
  3. On HQ-FortiGate, enable Diffie-Hellman Group 2.
  4. On HQ-FortiGate, enable Auto-negotiate.
Correct answer: B
Question 6
What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?
  1. Full Content inspection
  2. Proxy-based inspection
  3. Certificate inspection
  4. Flow-based inspection
Correct answer: D
Question 7
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
  1. Antivirus engine
  2. Intrusion prevention system engine
  3. Flow engine
  4. Detection engine
Correct answer: B
Explanation:
http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control
Question 8
In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)
  1. The IP version of the sources and destinations in a firewall policy must be different.
  2. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4 and IPv6.
  5. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
  6. The IP version of the sources and destinations in a policy must match.
  7. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.
Correct answer: BDE
Question 9
Which two statements describe how the RPF check is used? (Choose two.)
  1. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
  2. The RPF check is run on the first sent and reply packet of any new session.
  3. The RPF check is run on the first sent packet of any new session.
  4. The RPF check is run on the first reply packet of any new session.
Correct answer: AC
Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.41): "The RPF check is a mechanism that protects FortiGate and your network from IP spoofing attacks by checking for a return path to the source in the routing table." "FortiGate performs an RPF check only on the first packet of a new session. That is, after the first packet passes the RPF check and FortiGate accepts the session, FortiGate doesn’t perform any additional RPF checks on that session."
* A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
This is true because the RPF check verifies that the source IP address of an incoming packet matches the reverse route for that address, meaning that the packet came from a legitimate source and not from an attacker who is trying to impersonate another host. This prevents IP spoofing attacks, where an attacker sends packets with a forged source IP address to bypass security policies or launch denial-of-service attacks.
* C. The RPF check is run on the first sent packet of any new session.
This is true because the RPF check is performed only once per session, on the first packet sent by either the client or the server, depending on the direction of the session initiation. This reduces the processing overhead and improves performance.
Question 10
Refer to the exhibit.
An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)
  1. Interface name
  2. Ethernet header
  3. IP header
  4. Application header
  5. Packet payload
Correct answer: ACE
Question 11
An administrator is running the following sniffer command:
Which three pieces of information will be included in the sniffer output? (Choose three.)
  1. Interface name
  2. Packet payload
  3. Ethernet header
  4. IP header
  5. Application header
Correct answer: ABD