Simulation NSE4_FGT-6.0 Answers 2021

NEW QUESTION 1
An administrator is configuring an IPsec between site A and site B. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

• A. 192.168.3.0.24
• B. 192.168.2.0.24
• C. 192.168.1.0.24
• D. 192.168.0.0.8

Answer: A

NEW QUESTION 2
HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could resolve this problem? (Choose two.)

• A. Enable Allow Invalid SSL Certificates for the relevant security profile.
• B. Change web browsers to one that does not support HPKP.
• C. Exempt those web sites that use HPKP from full SSL inspection.
• D. Install the CA certificate (that is required to verify the web server certificate) stores of users’ computers.

Answer: BD

NEW QUESTION 3
Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

• A. Warning
• B. Exempt
• C. Allow
• D. Learn

Answer: AC

NEW QUESTION 4
Which action can be applied to each filter in the application control profile?

• A. Block, monitor, warning, and quarantine
• B. Allow, monitor, block and learn
• C. Allow, block, authenticate, and warning
• D. Allow, monitor, block, and quarantine

Answer: D

NEW QUESTION 5
How does FortiGate select the central SNAT policy that is applied to a TCP session?

• A. It selects the SNAT policy specified in the configuration of the outgoing interface.
• B. It selects the first matching central SNAT policy, reviewing from top to bottom.
• C. It selects the central SNAT policy with the lowest priority.
• D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.

Answer: B

NEW QUESTION 6
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?

• A. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.
• B. Client > secondary FortiGate> web server.
• C. Client >secondary FortiGate> primary FortiGate> web server.
• D. Client> primary FortiGate> secondary FortiGate> web server.

Answer: D

NEW QUESTION 7
View the exhibit.

Which users and user groups are allowed access to the network through captive portal?

• A. Users and groups defined in the firewall policy.
• B. Only individual users – not groups – defined in the captive portal configuration
• C. Groups defined in the captive portal configuration
• D. All users

Answer: C

NEW QUESTION 8
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

• A. To delete intermediary NAT devices in the tunnel path.
• B. To dynamically change phase 1 negotiation mode aggressive mode.
• C. To encapsulation ESP packets in UDP packets using port 4500.
• D. To force a new DH exchange with each phase 2 rekey.

Answer: AC

NEW QUESTION 9
Which of the following statements about virtual domains (VDOMs) are true? (Choose two.)

• A. The root VDOM is the management VDOM by default.
• B. A FortiGate device has 64 VDOMs, created by default.
• C. Each VDOM maintains its own system time.
• D. Each VDOM maintains its own routing table.

Answer: AD

NEW QUESTION 10
Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)

• A. Priority
• B. Metric
• C. Distance
• D. Cost

Answer: AC

NEW QUESTION 11
An administrator wants to create a policy-based IPsec VPN tunnel between two FortiGate devices Winch configuration steps must be performed on both devices to support this scenario? (Choose three.)

• A. Define the phase 1 parameters, without enabling IPsec interface mode
• B. Define the phase 2 parameters.
• C. Set the phase 2 encapsulation method to transport mode
• D. Define at least one firewall policy, with the action set to IPsec.
• E. Define a route to the remote network over the IPsec tunnel.

Answer: CDE

NEW QUESTION 12
NGFW mode allows policy-based configured for most impaction rules. Which security profile’s configuration does not change when you enable policy-based impaction?

• A. Antivirus
• B. Web proxy
• C. Web filtering
• D. Application control

Answer: D

NEW QUESTION 13
A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?

• A. Implement a web filter category override for the specified website.
• B. Implement web filter authentication for the specified website
• C. Implement web filter quotas for the specified website.
• D. Implement DNS filter for the specified website.

Answer: A

NEW QUESTION 14
What criteria does FortiGate use to look for a matching firewall policy to process traffic? (Choose two.)

• A. Services defined in the firewall policy.
• B. Incoming and outgoing interfaces
• C. Highest to lowest priority defined in the firewall policy.
• D. Lowest to highest policy ID number.

Answer: BC

NEW QUESTION 15
You mc tasked to design a new IPsec deployment with the following criteria:
- There are two HQ sues that all satellite offices must connect to
- The satellite offices do not need to communicate directly with other satellite offices
- No dynamic routing will be used
- The design should minimize the number of tannels being configured. Winch topology should be used to satisfy all of the requirements?

• A. Partial mesh
• B. Hub-and-spoke
• C. Fully meshed
• D. Redundant

Answer: C

NEW QUESTION 16
Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

• A. Include the group of guest users in a policy.
• B. Extend timeout timers.
• C. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.
• D. Ensure all firewalls allow the FSSO required ports.

Answer: AD

NEW QUESTION 17
View the exhibit:

The client cannot connect to the HTTP web server. The administrator ran the FortiGate built-in sniffer and got the following output:

What should be done next to troubleshoot the problem?

• A. Run a sniffer in the web server.
• B. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.
• C. Capture the traffic using an external sniffer connected to port1.
• D. Execute a debug flow.

Answer: C

NEW QUESTION 18
View the exhibit.

Based on this output, which statements are correct? (Choose two.)

• A. The all VDOM is not synchronized between the primary and secondary FortiGate devices.
• B. The root VDOM is not synchronized between the primary and secondary FortiGate devices.
• C. The global configuration is synchronized between the primary and secondary FortiGate devices.
• D. The FortiGate devices have three VDOMs.

Answer: CD

NEW QUESTION 19
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAND ID, only if they have IP addresses in different subnets.

• A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
• B. The two VLAN sub interfaces must have different VLAN IDs.
• C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
• D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

Answer: B

NEW QUESTION 20
Which statement is true regarding SSL VPN timers? (Choose two.)

• A. Allow to mitigate DoS attacks from partial HTTP requests.
• B. SSL VPN settings do not have customizable timers.
• C. Disconnect idle SSL VPN users when a firewall policy authentication timeout occurs.
• D. Prevent SSL VPN users from being logged out because of high network latency.

Answer: AD

NEW QUESTION 21
Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)

• A. Firewall service
• B. User or user group
• C. IP Pool
• D. FQDN address

Answer: BC

NEW QUESTION 22
Examine the routing database shown in the exhibit, and then answer the following question:

Which of the following statements are correct? (Choose two.)

• A. The port3 default route has the highest distance.
• B. The port3 default route has the lowest metric.
• C. There will be eight routes active in the routing table.
• D. The port1 and port2 default routes are active in the routing table.

Answer: AD

NEW QUESTION 23
Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

• A. This is known as many-to-one NAT.
• B. Source IP is translated to the outgoing interface IP.
• C. Connections are tracked using source port and source MAC address.
• D. Port address translation is not used.

Answer: BD

NEW QUESTION 24
An administration wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?

• A. tcp_port_scan
• B. ip_dst_session
• C. udp_flood
• D. ip_src_session

Answer: A

NEW QUESTION 25
If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate take?

• A. It notifies the administrator by sending an email.
• B. It provides a DLP block replacement page with a link to download the file.
• C. It blocks all future traffic for that IP address for a configured interval.
• D. It archives the data for that IP address.

Answer: C

NEW QUESTION 26
......