This page was exported from Actual Test Materials [ http://blog.actualtests4sure.com ]
Export date: Fri Nov 15 20:35:39 2024 / +0000 GMT

Title: [2022] Pass NSE4_FGT-7.0 Exam - Real Questions & Answers [Q99-Q123]

QUESTION 99
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?
A. IP address
B. Once Internet Service is selected, no other object can be added
C. User or User Group
D. FQDN address

QUESTION 100
Refer to the exhibit.
Based on the raw log, which two statements are correct? (Choose two.)
A. Traffic is blocked because Action is set to DENY in the firewall policy.
B. Traffic belongs to the root VDOM.
C. This is a security log.
D. Log severity is set to error on FortiGate.

QUESTION 101
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?
A. To remove the NAT operation.
B. To generate logs
C. To finish any inspection operations.
D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.

QUESTION 102
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
A. FortiGuard web filter cache
B. FortiGate hostname
C. NTP
D. DNS

QUESTION 103
Refer to the exhibit to view the application control profile.
Based on the configuration, what will happen to Apple FaceTime?
A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration
B. Apple FaceTime will be allowed, based on the Apple filter configuration.
C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
D. Apple FaceTime will be allowed, based on the Categories configuration.

QUESTION 104
If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected in the Destination field of a firewall policy?
A. User or User Group
B. IP address
C. No other object can be added
D. FQDN address

QUESTION 105
Refer to the exhibit.
The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check.
Which interface will be selected as an outgoing interface?
A. port2
B. port4
C. port3
D. port1
Port 1 shows the lowest latency.

QUESTION 106
Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?
A. Root VDOM
B. FG-traffic VDOM
C. Customer VDOM
D. Global VDOM

QUESTION 107
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)
A. SSH
B. HTTPS
C. FTM
D. FortiTelemetry

QUESTION 108
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)
A. The keyUsage extension must be set to keyCertSign.
B. The common name on the subject field must use a wildcard name.
C. The issuer must be a public CA.
D. The CA extension must be set to TRUE.

QUESTION 109
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
B. The two VLAN sub interfaces must have different VLAN IDs.
C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf -> page 147: “Multiple VLANs can coexist in the same physical interface, provided they have different VLAN ID”

QUESTION 110
Refer to the exhibit.
The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
B. The sensor will block all attacks aimed at Windows servers.
C. The sensor will reset all connections that match these signatures.
D. The sensor will gather a packet log for all matched traffic.

QUESTION 111
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B. Enable Dead Peer Detection.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
B: Because the customer requires the tunnels to notify when a tunnel goes down. DPD is designed for that purpose: to send a packet over a firewall to determine a failover for the next tunnel after a specific amount of time of not receiving a response from its peer.
C: Remember how a route is chosen with regard to administrative distance. The route with the lowest distance for that particular route will be chosen.
So, configuring a lower routing distance on the primary tunnel means that the primary tunnel will be chosen to route packets towards their destination.

QUESTION 112
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
A. The interface has been configured for one-arm sniffer.
B. The interface is a member of a virtual wire pair.
C. The operation mode is transparent.
D. The interface is a member of a zone.
E. Captive portal is enabled in the interface.
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

QUESTION 113
Which two statements are true when FortiGate is in transparent mode? (Choose two.)
A. By default, all interfaces are part of the same broadcast domain.
B. The existing network IP schema must be changed when installing a transparent mode.
C. Static routes are required to allow traffic to the next hop.
D. FortiGate forwards frames without changing the MAC address.
Reference:attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113

QUESTION 114
A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?
A. Implement a web filter category override for the specified website
B. Implement a DNS filter for the specified website.
C. Implement web filter quotas for the specified website
D. Implement web filter authentication for the specified website.

QUESTION 115
Refer to the exhibit, which contains a network diagram and routing table output.
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?
A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

QUESTION 116
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
A. The next-hop IP address is unreachable.
B. It failed the RPF check.
C. It matched an explicitly configured firewall policy with the action DENY.
D. It matched the default implicit firewall policy.
https://kb.fortinet.com/kb/documentLink.do?externalID=13900

QUESTION 117
Refer to the exhibit.
In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?
A. Run a sniffer on the web server.
B. Capture the traffic using an external sniffer connected to port1.
C. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”
D. Execute a debug flow.

QUESTION 118
Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?
A. The security actions applied on the web applications will also be explicitly applied on the third-party websites.
B. The application signature database inspects traffic only from the original web application server.
C. FortiGuard maintains only one signature of each web application that is unique.
D. FortiGate can inspect sub-application traffic regardless of where it originated.

QUESTION 119
Which statement about the policy ID number of a firewall policy is true?
A. It changes when firewall policies are reordered.
B. It represents the number of objects used in the firewall policy.
C. It is required to modify a firewall policy using the CLI.
D. It defines the order in which rules are processed.

QUESTION 120
Which statement regarding the firewall policy authentication timeout is true?
A. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

QUESTION 121
Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)
A. Web filter in flow-based inspection
B. Antivirus in flow-based inspection
C. DNS filter
D. Web application firewall
E. Application control

QUESTION 122
When configuring a firewall virtual wire pair policy, which of the following statements is true?
A. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
B. Only a single virtual wire pair can be included in each policy.
C. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
D. Exactly two virtual wire pairs need to be included in each policy.

QUESTION 123
Which two types of traffic are managed only by the management VDOM? (Choose two.)
A. FortiGuard web filter queries
B. PKI
C. Traffic shaping
D. DNS

Post date: 2022-09-12 10:47:28
Post date GMT: 2022-09-12 10:47:28
Post modified date: 2022-09-12 10:47:28
Post modified date GMT: 2022-09-12 10:47:28