Top Quality NSE4_FGT-6.2 Class 2021

NEW QUESTION 1
View the following exhibit, which shows the firewall policies and the object uses in the firewall policies.


The administrator is using the Policy Lookup feature and has entered the search create shown in the following exhibit.

Which of the following will be highlighted based on the input criteria?

• A. Policy with ID1.
• B. Policies with ID 2 and 3.
• C. Policy with ID 5.
• D. Policy with ID 4.

Answer: A

NEW QUESTION 2
Which of the following services can be inspected by the DLP profile? (Choose three.)

• A. NFS
• B. FTP
• C. IMAP
• D. CIFS
• E. HTTP-POST

Answer: BCE

NEW QUESTION 3
Which statements about DNS filter profiles are true? (Choose two.)

• A. They can inspect HTTP traffic.
• B. They can redirect blocked requests to a specific portal.
• C. They can block DNS requests to known botnet command and control servers.
• D. They must be applied in firewall policies with SSL inspection enabled.

Answer: BC

NEW QUESTION 4
Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)

• A. Lookup is done on the first packet from the session originator
• B. Lookup is done on the last packet sent from the responder
• C. Lookup is done on every packet, regardless of direction
• D. Lookup is done on the trust reply packet from the responder

Answer: AB

NEW QUESTION 5
Which of the following statements about central NAT are true? (Choose two.)

• A. IP tool references must be removed from existing firewall policies before enabling central NAT.
• B. Central NAT can be enabled or disabled from the CLI only.
• C. Source NAT, using central NAT, requires at least one central SNAT policy.
• D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Answer: AB

NEW QUESTION 6
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

• A. The public key of the web server certificate must be installed on the browser.
• B. The web-server certificate must be installed on the browser.
• C. The CA certificate that signed the web-server certificate must be installed on the browser.
• D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Answer: C

NEW QUESTION 7
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

What are the expected actions if traffic matches this IPS sensor? (Choose two.)

• A. The sensor will gather a packet log for all matched traffic.
• B. The sensor will not block attackers matching the A32S.Botnet signature.
• C. The sensor will block all attacks for Windows servers.
• D. The sensor will reset all connections that match these signatures.

Answer: BC

NEW QUESTION 8
An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

• A. A.-192.168.3.0/24B.192.168.2.0/24C.192.168.1.0/24D.192.168.0.0/8

Answer: B

NEW QUESTION 9
Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)

• A. Firewall service
• B. User or user group
• C. IP Pool
• D. FQDN address

Answer: BD

NEW QUESTION 10
View the exhibit.

Based on this output, which statements are correct? (Choose two.)

• A. The all VDOM is not synchronized between the primary and secondary FortiGate devices.
• B. The root VDOM is not synchronized between the primary and secondary FortiGate devices.
• C. The global configuration is synchronized between the primary and secondary FortiGate devices.
• D. The FortiGate devices have three VDOMs.

Answer: BC

NEW QUESTION 11
Which action can be applied to each filter in the application control profile?

• A. Block, monitor, warning, and quarantine
• B. Allow, monitor, block and learn
• C. Allow, block, authenticate, and warning
• D. Allow, monitor, block, and quarantine

Answer: D

NEW QUESTION 12
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

• A. The IPS filter is missing the Protocol: HTTPS option.
• B. The HTTPS signatures have not been added to the sensor.
• C. A DoS policy should be used, instead of an IPS sensor.
• D. A DoS policy should be used, instead of an IPS sensor.
• E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW QUESTION 13
Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

• A. It is allowed, but with no inspection
• B. It is allowed and inspected as long as the inspection is flow based
• C. It is dropped.
• D. It is allowed and inspected, as long as the only inspection required is antivirus.

Answer: A

NEW QUESTION 14
An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?

• A. A VIP group
• B. The mapped IP address object of the VIP object
• C. A VIP object
• D. An IP pool

Answer: B

NEW QUESTION 15
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

• A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
• B. The two VLAN sub interfaces must have different VLAN IDs.
• C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
• D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

Answer: B

Explanation:
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf –> page 147
“Multiple VLANs can coexist in the same physical interface, provide they have different VLAN ID”

NEW QUESTION 16
A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?

• A. Implement a web filter category override for the specified website.
• B. Implement web filter authentication for the specified website
• C. Implement web filter quotas for the specified website.
• D. Implement DNS filter for the specified website.

Answer: A

NEW QUESTION 17
Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

• A. Browsers can be configured to retrieve this PAC file from the FortiGate.
• B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
• C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
• D. Any web request fortinet.com is allowed to bypass the proxy.

Answer: AD

NEW QUESTION 18
On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager? (Choose two.)

• A. hourly
• B. real time
• C. on-demand
• D. store-and-upload

Answer: BD

Explanation:
Configure logging options:* store-and-upload (CLI configuration only)—>only available to Fortigate with an internal hard drive* Real Time* Every minute* Every 5 minutes (default)

NEW QUESTION 19
View the exhibit.

Based on the configuration shown in the exhibit, what statements about application control behavior are true? (Choose two.)

• A. Access to all unknown applications will be allowed.
• B. Access to browser-based Social.Media applications will be blocked.
• C. Access to mobile social media applications will be blocked.
• D. Access to all applications in Social.Media category will be blocked.

Answer: AB

NEW QUESTION 20
Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)

• A. Priority
• B. Metric
• C. Distance
• D. Cost

Answer: AC

NEW QUESTION 21
Which of the following features is supported by web filter in flow-based inspection mode with NGFW mode set to profile-based?

• A. FortiGuard Quotas
• B. Static URL
• C. Search engines
• D. Rating option

Answer: B

NEW QUESTION 22
How does FortiGate verify the login credentials of a remote LDAP user?

• A. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.
• B. FortiGate sends the user-entered credentials to the LDAP server for authentication.
• C. FortiGate queries the LDAP server for credentials.
• D. FortiGate queries its own database for credentials.

Answer: B

Explanation:
You can configure Fortigate to point to an LDAP server for server-based password authentication throught the LDAP Server (Security Study Guide, 187)

NEW QUESTION 23
......