2023 New NSE4_FGT-7.0 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/NSE4_FGT-7.0/

NEW QUESTION 1

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

  • A. Root VDOM
  • B. FG-traffic VDOM
  • C. Customer VDOM
  • D. Global VDOM

Answer: A

NEW QUESTION 2

An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

  • A. VLAN interface
  • B. Software Switch interface
  • C. Aggregate interface
  • D. Redundant interface

Answer: C

Explanation:
Reference: https://forum.fortinet.com/tm.aspx?m=120324

NEW QUESTION 3

Refer to the exhibit.
[Exhibits: network interface configuration, firewall policies, and CLI console configuration; images not included]
The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

  • A. If there is a fall-through policy in place, users will not be prompted for authentication.
  • B. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.
  • C. Authentication is enforced at a policy level; all users will be prompted for authentication.
  • D. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Answer: C

NEW QUESTION 4

Examine the two static routes shown in the exhibit, then answer the following question.
[Exhibit: two static routes; image not included]
Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

  • A. FortiGate will load balance all traffic across both routes.
  • B. FortiGate will use the port1 route as the primary candidate.
  • C. FortiGate will route twice as much traffic to the port2 route.
  • D. FortiGate will only activate the port1 route in the routing table.

Answer: B

Explanation:
“If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.”

NEW QUESTION 5

Which Security Rating scorecard helps identify configuration weaknesses and best practice violations in your network?

  • A. Fabric Coverage
  • B. Automated Response
  • C. Security Posture
  • D. Optimization

Answer: C

Explanation:
Reference: https://www.fortinet.com/content/dam/fortinet/assets/support/fortinet-recommended-security-bestpractices.pdf

NEW QUESTION 6

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

  • A. This is known as many-to-one NAT.
  • B. Source IP is translated to the outgoing interface IP.
  • C. Connections are tracked using source port and source MAC address.
  • D. Port address translation is not used.

Answer: BD

NEW QUESTION 7

Examine this output from a debug flow:
[Exhibit: debug flow output; image not included]
Why did the FortiGate drop the packet?

  • A. The next-hop IP address is unreachable.
  • B. It failed the RPF check.
  • C. It matched an explicitly configured firewall policy with the action DENY.
  • D. It matched the default implicit firewall policy.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900

NEW QUESTION 8

Exhibit:
[Exhibit: authentication rule configuration; image not included]
Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

  • A. IP-based authentication is enabled.
  • B. Route-based authentication is enabled.
  • C. Session-based authentication is enabled.
  • D. Policy-based authentication is enabled.

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45387

NEW QUESTION 9

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  • A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • B. FortiGate automatically negotiates a new security association after the existing security association expires.
  • C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=12069

NEW QUESTION 10

Which two statements about antivirus scanning mode are true? (Choose two.)

  • A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
  • B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
  • C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
  • D. In flow-based inspection mode, files bigger than the buffer size are scanned.

Answer: BC

Explanation:
An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM—something that no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses pass through.

NEW QUESTION 11

An administrator is running the following sniffer command:
[Exhibit: sniffer command; image not included]
Which three pieces of information will be included in the sniffer output? (Choose three.)

  • A. Interface name
  • B. Packet payload
  • C. Ethernet header
  • D. IP header
  • E. Application header

Answer: ABD

NEW QUESTION 12

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

  • A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
  • B. Create a new service object for HTTP service and set the session TTL to never.
  • C. Set the TTL value to never under config system-ttl.
  • D. Set the session TTL on the HTTP policy to maximum.

Answer: BC

NEW QUESTION 13

An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

  • A. Enable asymmetric routing, so the RPF check will be bypassed.
  • B. Disable the RPF check at the FortiGate interface level for the source check.
  • C. Disable the RPF check at the FortiGate interface level for the reply check.
  • D. Enable asymmetric routing at the interface level.

Answer: B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

NEW QUESTION 14

An administrator is configuring IPsec between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

  • A. 192.168.3.0/24
  • B. 192.168.2.0/24
  • C. 192.168.1.0/24
  • D. 192.168.0.0/8

Answer: B

NEW QUESTION 15

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

  • A. get system status
  • B. get system performance status
  • C. diagnose sys top
  • D. get system arp

Answer: D

Explanation:
"If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table."

NEW QUESTION 16

Which of the following SD-WAN load-balancing methods use the interface weight value to distribute traffic? (Choose two.)

  • A. Source IP
  • B. Spillover
  • C. Volume
  • D. Session

Answer: CD

Explanation:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing

NEW QUESTION 17

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  • A. It limits the scope of application control to the browser-based technology category only.
  • B. It limits the scope of application control to scan application traffic based on application category only.
  • C. It limits the scope of application control to scan application traffic using parent signatures only.
  • D. It limits the scope of application control to scan application traffic on DNS protocol only.

Answer: B
