Top Quality Fortinet NSE4-5.4 examcollection

Q1. Which statement is correct based on this configuration?

A. The MAC address 00:0c:29:29:38:da belongs to the port1 interface.

B. Access to the network is blocked for the devices with the MAC address 00:0c:29:29:38:da and the IP address 10.0.1.254.

C. 00:0c:29:29:38:da is the virtual MAC address assigned to the secondary IP address (10.0.1.254) of the port1 interface.

D. The IP address 10.0.1.254 is reserves for the device with the MAC address 00:0c:29:29:38:da.

View Answer

Q2. View the exhibit.

Which of the following statements are correct? (Choose two.)

A. This is a redundant IPsec setup.

B. The TunnelB route is the primary one for searching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

C. This setup requires at least two firewall policies with action set to IPsec.

D. Dead peer detection must be disabled to support this type of IPsec setup.

View Answer

Q3. An administrator has created a custom IPS signature. Where does the custom IPS signature have to be applied?

A. In an IPS sensor

B. In an interface.

C. In a DoS policy.

D. In an application control profile.

View Answer

Q4. A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.

What is required in the SSL VPN configuration to meet these requirements?

A. Two separated SSL VPNs in different interfaces of the same VDOM

B. Different SSL VPN realms for each group

C. Different virtual SSLVPN IP addresses for each group

D. Two firewall policies with different captive portals

View Answer

Q5. An administrator has blocked Netflix login in a cloud access security inspection (CASI) profile. The administrator has also applied the CASI profile to a firewall policy.

What else is required for the CASI profile to work properly?

A. You must enable logging for security events on the firewall policy.

B. You must activate a FortiCloud account.

C. You must apply an application control profile to the firewall policy.

D. You must enable SSL inspection on the firewall policy.

View Answer

Q6. View the exhibit.

Which statements about the exhibit are true? (Choose two.)

A. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

B. port1-VLAN1 is the native VLAN for the port1 physical interface.

C. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

D. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

View Answer

Q7. Which statement about this configuration is correct?

A. The FortiGate generates spanning tree BPDU frames.

B. The FortiGate device forwards received spanning tree BPDU frames.

C. The FortiGate can block an interface if a layer-2 loop is detected.

D. Ethernet layer-2 loops are likely to occur.

View Answer

Q8. Which statements about DNS filter profiles are true? (Choose two.)

A. They can inspect HTTP traffic.

B. They must be applied in firewall policies with SSL inspection enabled.

C. They can block DNS request to known botnet command and control servers.

D. They can redirect blocked requests to a specific portal.

View Answer

Q9. Which component of FortiOS performs application control inspection?

A. Kernel

B. Antivirus engine

C. IPS engine

D. Application control engine

View Answer

Q10. How to configure Collector agent settings?

A. The dead entry timeout interval is used to age out entries with an unverified status.

B. The workstation verify interval is used to periodically check if a workstation is still a domain member.

C. The user group cache expiry is used to age out the monitored groups.

D. The IP address change verify interval monitors the server IP address where the collector agent is installed, and updates the collector agent configuration if it changes.

View Answer