What Practical NSE4_FGT-6.4 Pdf Exam Is

NEW QUESTION 1
Refer to the exhibit.

Which contains a PerformanceSLA configuration.
An administrator has configured a performance SLA on FortiGate. Which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?

• A. Participants configured are not SD-WAN members.
• B. There may not be a static route to route the performance SLA traffic.
• C. The Ping protocol is not supported for the public servers that are configured.
• D. You need to turn on the Enable probe packets switch.

Answer: D

NEW QUESTION 2
An administrator is running the following sniffer command:

Which three pieces of Information will be Includedin me sniffer output? {Choose three.)

• A. Interface name
• B. Packetpayload
• C. Ethernet header
• D. IP header
• E. Application header

Answer: BCE

NEW QUESTION 3
Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

• A. The IPS engine was inspecting high volume of traffic.
• B. The IPS engine was unable to prevent an intrusion attack.
• C. The IPS engine was blocking all traffic.
• D. The IPS engine will continue to run in a normal state.

Answer: C

NEW QUESTION 4
Examine the exhibit, which contains a virtual IP and firewall policy configuration.



The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

• A. 10.200.1.10
• B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
• C. 10.200.1.1
• D. 10.0.1.254

Answer: B

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.

NEW QUESTION 5
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

• A. On HQ-FortiGate,enable Auto-negotiate.
• B. On Remote-FortiGate, set Seconds to 43200.
• C. On HQ-FortiGate,enable Diffie-Hellman Group 2.
• D. On HQ-FortiGate, set Encryption to AES256.

Answer: D

NEW QUESTION 6
NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration does not change when you enable policy-based inspection?

• A. Web filtering
• B. Antivirus
• C. Web proxy
• D. Application control

Answer: B

NEW QUESTION 7
An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

• A. Configure Source IP Pools.
• B. Configure split tunneling in tunnel mode.
• C. Configure different SSL VPN realms.
• D. Configure host check.

Answer: D

NEW QUESTION 8
Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

• A. The debug flow is of ICMP traffic.
• B. A firewall policy allowed the connection.
• C. A new traffic session is created.
• D. The default route is required to receive a reply.

Answer: B

NEW QUESTION 9
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

• A. A phase 2 configuration is not required.
• B. This VPN cannot be used as part of a hub-and-spoke topology.
• C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
• D. The IPsec firewall policies must be placed at the top of the list.

Answer: C

Explanation:
In a route-based configuration, FortiGate automatically adds a virtual interface eith the VPN name (Infrastructure Study Guide, 206)

NEW QUESTION 10
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

• A. Shut down/reboot a downstream FortiGate device.
• B. Disable FortiAnalyzer logging for a downstream FortiGate device.
• C. Log in to a downstream FortiSwitch device.
• D. Ban or unban compromised hosts.

Answer: A

NEW QUESTION 11
Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server?

• A. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]
• B. 0.0.0.0/0 [20/0] via 10.4.200.2, port2
• C. 10.4.200.0/30 is directly connected, port2
• D. 172.16.32.0/24 is directly connected, port1

Answer: D

NEW QUESTION 12
Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

• A. Change password
• B. Enable restrict access to trusted hosts
• C. Change Administrator profile
• D. Enable two-factor authentication

Answer: D

NEW QUESTION 13
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

• A. set fortiguard anycast disable
• B. set protocol udp
• C. set webfilter-force-off disable
• D. set webfilter-cache disable

Answer: AC

NEW QUESTION 14
Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

• A. This security fabric topology is a logical topology view.
• B. There are 19 security recommendations for the security fabric.
• C. There are five devices that are part of the security fabric.
• D. Device detection is disabled on all FortiGate devices.

Answer: AD

NEW QUESTION 15
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

• A. The keyUsage extension must be set to keyCertSign.
• B. The common name on the subject field must use a wildcard name.
• C. The issuer must be a public CA.
• D. The CA extension must be set to TRUE.

Answer: BD

NEW QUESTION 16
Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

• A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
• B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
• C. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
• D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Answer: D

NEW QUESTION 17
Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

• A. hard-timeout
• B. auth-on-demand
• C. soft-timeout
• D. new-session
• E. Idle-timeout

Answer: ADE

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

NEW QUESTION 18
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

• A. SMTP.Login.Brute.Force
• B. IMAP.Login.brute.Force
• C. ip_src_session
• D. Location: server Protocol: SMTP

Answer: B

NEW QUESTION 19
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

• A. Policy lookup will be disabled.
• B. By Sequence view will be disabled.
• C. Search option will be disabled
• D. Interface Pair view will be disabled.

Answer: A

NEW QUESTION 20
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

• A. The IPS filter is missing the Protocol: HTTPS option.
• B. The HTTPS signatures have not been added to the sensor.
• C. A DoS policy should be used, instead of an IPS sensor.
• D. A DoS policy should be used, instead of an IPS sensor.
• E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW QUESTION 21
View the exhibit.

Which of the following statements are correct? (Choose two.)

• A. This setup requires at least two firewall policies with the action set to IPsec.
• B. Dead peer detection must be disabled to support this type of IPsec setup.
• C. The TunnelB route is the primary route for reaching the remote sit
• D. The TunnelA route is used only if the TunnelB VPN is down.
• E. This is a redundant IPsec setup.

Answer: CD

NEW QUESTION 22
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

• A. FortiGate points the collector agent to use a remote LDAP server.
• B. FortiGate uses the AD server as the collector agent.
• C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
• D. FortiGate queries AD by using the LDAP to retrieve user group information.

Answer: CD

NEW QUESTION 23
......