[2022] Pass NSE4_FGT-7.0 Exam - Real Questions & Answers [Q99-Q123] : Actual Test Materials : http://blog.actualtests4sure.com

QUESTION 99
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?

IP address

Once Internet Service is selected, no other object can be added

User or User Group

FQDN address

QUESTION 100
Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

Traffic is blocked because Action is set to DENY in the firewall policy.

Traffic belongs to the root VDOM.

This is a security log.

Log severity is set to error on FortiGate.

QUESTION 101
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

To remove the NAT operation.

To generate logs

To finish any inspection operations.

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

QUESTION 102
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

FortiGuard web filter cache

FortiGate hostname

NTP

DNS

QUESTION 103
Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

Apple FaceTime will be allowed, based on the Apple filter configuration.

Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn

Apple FaceTime will be allowed, based on the Categories configuration.

QUESTION 104
If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

User or User Group

IP address

No other object can be added

FQDN address

QUESTION 105
Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check.
Which interface will be selected as an outgoing interface?

port2

port4

port3

port1

QUESTION 106
Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

Root VDOM

FG-traffic VDOM

Customer VDOM

Global VDOM

QUESTION 107
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

SSH

HTTPS

FTM

FortiTelemetry

QUESTION 108
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

The keyUsage extension must be set to keyCertSign.

The common name on the subject field must use a wildcard name.

The issuer must be a public CA.

The CA extension must be set to TRUE.

QUESTION 109
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

The two VLAN sub interfaces must have different VLAN IDs.

The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

QUESTION 110
Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.

The sensor will block all attacks aimed at Windows servers.

The sensor will reset all connections that match these signatures.

The sensor will gather a packet log for all matched traffic.

QUESTION 111
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Enable Dead Peer Detection.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

QUESTION 112
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

The interface has been configured for one-arm sniffer.

The interface is a member of a virtual wire pair.

The operation mode is transparent.

The interface is a member of a zone.

Captive portal is enabled in the interface.

QUESTION 113
Which two statements are true when FortiGate is in transparent mode? (Choose two.)

By default, all interfaces are part of the same broadcast domain.

The existing network IP schema must be changed when installing a transparent mode.

Static routes are required to allow traffic to the next hop.

FortiGate forwards frames without changing the MAC address.

QUESTION 114
A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?

Implement a web filter category override for the specified website

Implement a DNS filter for the specified website.

Implement web filter quotas for the specified website

Implement web filter authentication for the specified website.

QUESTION 115
Refer to the exhibit.

Which contains a network diagram and routing table output.
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

The first packet sent from Student failed the RPF check.
This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

The first reply packet for Student failed the RPF check.
This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

The first reply packet for Student failed the RPF check.
This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

The first packet sent from Student failed the RPF check.
This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

QUESTION 116
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

The next-hop IP address is unreachable.

It failed the RPF check.

It matched an explicitly configured firewall policy with the action DENY.

It matched the default implicit firewall policy.

QUESTION 117
Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

Run a sniffer on the web server.

Capture the traffic using an external sniffer connected to port1.

Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”

Execute a debug flow.

QUESTION 118
Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

The security actions applied on the web applications will also be explicitly applied on the third-party websites.

The application signature database inspects traffic only from the original web application server.

FortiGuard maintains only one signature of each web application that is unique.

FortiGate can inspect sub-application traffic regardless where it was originated.

QUESTION 119
Which statement about the policy ID number of a firewall policy is true?

It changes when firewall policies are reordered.

It represents the number of objects used in the firewall policy.

It is required to modify a firewall policy using the CLI.

It defines the order in which rules are processed.

QUESTION 120
Which statement regarding the firewall policy authentication timeout is true?

It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.

It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.

It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.

It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

QUESTION 121
Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

Web filter in flow-based inspection

Antivirus in flow-based inspection

DNS filter

Web application firewall

Application control

QUESTION 122
When configuring a firewall virtual wire pair policy, which following statement is true?

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

Only a single virtual wire pair can be included in each policy.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

Exactly two virtual wire pairs need to be included in each policy.

QUESTION 123
Which two types of traffic are managed only by the management VDOM? (Choose two.)

FortiGuard web filter queries

PKI

Traffic shaping

DNS