Fortinet NSE4_FGT-7.2 Questions and Answers Guarantee You Pass the Test Easily [Q29-Q53]



The NSE4_FGT-7.2 certification exam is based on FortiOS 7.2, the latest version of Fortinet’s operating system. Fortinet NSE 4 - FortiOS 7.2 certification demonstrates that the candidate has a comprehensive understanding of the latest features and capabilities of FortiOS 7.2. Fortinet NSE 4 - FortiOS 7.2 certification is also a prerequisite for advanced certifications such as the NSE 5 and NSE 6 certifications.


Fortinet NSE4_FGT-7.2 (Fortinet NSE 4 - FortiOS 7.2) Certification Exam is a specialized exam designed for IT professionals who are interested in securing their networks using Fortinet technology. NSE4_FGT-7.2 exam is designed to test the candidate's knowledge and skills in Fortinet's FortiOS 7.2 operating system, which is used to secure networks and protect against cyber threats. The NSE4_FGT-7.2 exam is a vendor-specific certification exam that is recognized by the industry as a valuable credential for professionals in the network security field.


NEW QUESTION # 29
Refer to the exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

  • A. On the Static URL Filter configuration, set Type to Simple
  • B. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking
  • C. On the Static URL Filter configuration, set Action to Exempt.
  • D. On the Static URL Filter configuration, set Action to Monitor.

Answer: C


NEW QUESTION # 30
Refer to the exhibit.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

What is the impact of using the Include in every user group option in a RADIUS configuration?

  • A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
  • B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
  • C. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
  • D. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.

Answer: A


NEW QUESTION # 31
Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

  • A. Policy with ID 4.
  • B. Policies with ID 2 and 3.
  • C. Policy with ID 4.
  • D. Policy with ID 5.

Answer: D

Explanation:
We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com TCP port 443 (HTTPS). There are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies are evaluated from top to bottom. This means that the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based on the Policy Lookup criteria, Policy ID 5 will be highlighted.


NEW QUESTION # 32
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

  • A. S/MIME Capabilities value
  • B. Subject value
  • C. Subject Alternative Name value
  • D. Subject Key Identifier value

Answer: D


NEW QUESTION # 33
Refer to the exhibits.
The exhibits show a network diagram and firewall configurations.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.


In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2?
(Choose two.)

  • A. Set the Destination address as Web_server in the Deny policy.
  • B. Set the Destination address as Deny_IP in the Allow-access policy.
  • C. Enable match-vip in the Deny policy.
  • D. Disable match-vip in the Deny policy.

Answer: A,C

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-


NEW QUESTION # 34
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?

  • A. It uses DNS over HTTPS.
  • B. It uses DNS over TLS.
  • C. It uses UDP 53.
  • D. It uses UDP 8888.

Answer: C


NEW QUESTION # 35
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

  • A. hard-timeout
  • B. new-session
  • C. idle-timeout
  • D. soft-timeout
  • E. auth-on-demand

Answer: A


NEW QUESTION # 36
In which two ways can RPF checking be disabled? (Choose two.)

  • A. Enable asymmetric routing.
  • B. Enable anti-replay in firewall policy.
  • C. Disable strict-src-check under system settings.
  • D. Disable the RPF check at the FortiGate interface level for the source check.

Answer: A,C


NEW QUESTION # 37
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

  • A. hard-timeout
  • B. new-session
  • C. idle-timeout
  • D. soft-timeout
  • E. auth-on-demand

Answer: A

Explanation:
Reference:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221#:~:text=Hard%20timeout%3A%20User%20


NEW QUESTION # 38
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

  • A. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  • B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
  • C. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
  • D. Enable Dead Peer Detection.

Answer: A,D

Explanation:
Study Guide - IPsec VPN - IPsec configuration - Phase 1 Network.
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.
There are three DPD modes. On demand is the default mode.
Study Guide - IPsec VPN - Redundant VPNs.
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing.
Configure FW policies for each IPsec interface.


NEW QUESTION # 39
Which of the following SD-WAN load balancing methods use the interface weight value to distribute traffic?
(Choose two.)

  • A. Session
  • B. Spillover
  • C. Volume
  • D. Source IP

Answer: A,C

Explanation:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing


NEW QUESTION # 40
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

  • A. A CRL
  • B. A person
  • C. A root CA
  • D. A subordinate CA

Answer: C


NEW QUESTION # 41
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

  • A. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
  • B. The matching firewall policy is set to proxy inspection mode.
  • C. The browser does not trust the certificate used by FortiGate for SSL inspection.
  • D. The full SSL inspection feature does not have a valid license.

Answer: C

Explanation:
FortiGate Security 7.2 Study Guide (p.235): "If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser."


NEW QUESTION # 42
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

  • A. Configure a loopback interface with address 203.0.113.2/32.
  • B. In the VIP configuration, enable arp-reply.
  • C. In the firewall policy configuration, enable match-vip.
  • D. Enable port forwarding on the server to map the external service port to the internal service port.

Answer: C


NEW QUESTION # 43
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

  • A. System event logs
  • B. Forward traffic logs
  • C. Security logs
  • D. Local traffic logs

Answer: D

Explanation:
Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
FortiGate Security 7.2 Study Guide (p.176): "Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to the GUI and FortiGuard queries."


NEW QUESTION # 44
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster?
(Choose two.)

  • A. FortiGuard web filter cache
  • B. NTP
  • C. FortiGate hostname
  • D. DNS

Answer: B,D


NEW QUESTION # 45
An administrator is configuring an IPsec VPN between site A and site B.
The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

  • A. 192.168.0.0/24
  • B. 192.168.1.0/24
  • C. 192.168.3.0/24
  • D. 192.168.2.0/24

Answer: D

Explanation:
For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B.
To complete the configuration, the administrator must configure the local quick mode selector for site B.
To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A.
Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.


NEW QUESTION # 46
Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

  • A. get system arp
  • B. diagnose sys top
  • C. get system status
  • D. get system performance status

Answer: A

Explanation:
"If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table."


NEW QUESTION # 47
Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

  • A. new-session
  • B. hard-timeout
  • C. idle-timeout
  • D. soft-timeout
  • E. auth-on-demand

Answer: A,B,C


NEW QUESTION # 48
Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

  • A. Traffic matching the signature will be allowed and logged.
  • B. The signature setting includes a group of other signatures.
  • C. The signature setting uses a custom rating threshold.
  • D. Traffic matching the signature will be silently dropped and logged.

Answer: D

Explanation:
Select Block to silently drop traffic matching any of the signatures included in the entry. So, while the default action for this signature would be Pass, the administrator is specifically overriding it by setting the action to Block. To use the default action, the setting would have to be Default.
Because the action here is Block (drop), the signature's own default action, which is listed only in the signature itself, would apply only if the action were set to Default.


NEW QUESTION # 49
When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

  • A. Universally Unique Identifier
  • B. Sequence ID
  • C. Policy ID
  • D. Log ID

Answer: A


NEW QUESTION # 50
Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

  • A. The name of the firewall policy is all_users_web.
  • B. Access to the social networking web filter category was explicitly blocked to all users.
  • C. Social networking web filter category is configured with the action set to authenticate.
  • D. The action on firewall policy ID 1 is set to warning.

Answer: C


NEW QUESTION # 51
Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

  • A. Flow-based inspection
  • B. Full Content inspection
  • C. Certificate inspection
  • D. Proxy-based inspection

Answer: A,D


NEW QUESTION # 52
Which statement is true about SSL VPN web mode?

  • A. The external network application sends data through the VPN.
  • B. The tunnel is up while the client is connected.
  • C. It supports a limited number of protocols.
  • D. It assigns a virtual IP address to the client.

Answer: C

Explanation:
FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.


NEW QUESTION # 53
......
