Download Fortinet NSE 4 -FortiOS 7-2.NSE4_FGT-7.2.PremiumDumps.2023-12-08.48q.vcex

Vendor: Fortinet
Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 -FortiOS 7-2
Date: Dec 08, 2023
File Size: 5 MB

Demo Questions

Question 1
An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value.  
Which timeout option should be configured on FortiGate?
  A. auth-on-demand
  B. soft-timeout
  C. idle-timeout
  D. new-session
  E. hard-timeout
Correct answer: E
Explanation:
Security Guide P167
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221
Question 2
Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?
  A. To allow for out-of-order packets that could arrive after the FIN/ACK packets
  B. To finish any inspection operations
  C. To remove the NAT operation
  D. To generate logs
Correct answer: A
Explanation:
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. The FortiGate unit implements a specific timer before removing an entry from the firewall session table.
Question 3
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)
  A. SSH
  B. HTTPS
  C. FTM
  D. FortiTelemetry
Correct answer: AB
Explanation:
Security Guide P29
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/99buildingsecurity-into-fortios
Question 4
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.  
  • All traffic must be routed through the primary tunnel when both tunnels are up  
  • The secondary tunnel must be used only if the primary tunnel goes down  
  • In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover  
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
  A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
  B. Enable Dead Peer Detection.
  C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Correct answer: BC
Explanation:
Infrastructure Guide P256, P276
Study Guide – IPsec VPN – IPsec configuration – Phase 1 Network.
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination and want to fail over to a backup connection when the primary connection fails, keeping connectivity between the sites up.
There are three DPD modes. On demand is the default mode.

Study Guide – IPsec VPN – Redundant VPNs.
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup).
Alternatively, use dynamic routing.
Configure firewall policies for each IPsec interface.
Question 5
Which statement about video filtering on FortiGate is true?
  A. Full SSL Inspection is not required.
  B. It is available only on a proxy-based firewall policy.
  C. It inspects video files hosted on file sharing services.
  D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
Correct answer: B
Explanation:
Security Guide P279
Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering
Question 6
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
  A. System time
  B. FortiGuard update servers
  C. Operating mode
  D. NGFW mode
Correct answer: CD
Explanation:
C - "Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate."
D - "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection mode is flow, so NGFW Mode can be changed from Profile-based (default) to Policy-based directly in System > Settings from the VDOM." Page 125 of FortiGate_Infrastructure_6.4_Study_Guide
Question 7
Refer to the exhibit.
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.  
The Root VDOM is the management VDOM.  
The To_Internet VDOM allows LAN users to access the internet.  
The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.  
With this configuration, which statement is true?
  A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.
  C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
Correct answer: A
Question 8
Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?
  A. get system status
  B. get system performance status
  C. diagnose sys top
  D. get system arp
Correct answer: D
Explanation:
"If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table."
Question 9
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)
  A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
  B. The client FortiGate requires a manually added route to remote subnets.
  C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  D. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Correct answer: CD
Explanation:
Infrastructure Guide 7.2 P213
Reference: https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/508779/fortigate-as-sslvpn-client
Question 10
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?
  A. System event logs
  B. Forward traffic logs
  C. Local traffic logs
  D. Security logs
Correct answer: C
Explanation:
Security Guide 7.2 P176
Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/476970