The Secret Of Fortinet NSE4_FGT-7.0 Exam Engine

NEW QUESTION 1

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser
does not report errors.
What is the reason for the certificate warning errors?

• A. The browser requires a software update.
• B. FortiGate does not support full SSL inspection when web filtering is enabled.
• C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
• D. There are network connectivity issues.

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41394

NEW QUESTION 2

Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

• A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
• B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
• C. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
• D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Answer: D

NEW QUESTION 3

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

• A. SSH
• B. HTTPS
• C. FTM
• D. FortiTelemetry

Answer: AB

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

NEW QUESTION 4

Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server?

• A. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]
• B. 0.0.0.0/0 [20/0] via 10.4.200.2, port2
• C. 10.4.200.0/30 is directly connected, port2
• D. 172.16.32.0/24 is directly connected, port1

Answer: D

NEW QUESTION 5

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

• A. Browsers can be configured to retrieve this PAC file from the FortiGate.
• B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
• C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
• D. Any web request fortinet.com is allowed to bypass the proxy.

Answer: AD

NEW QUESTION 6

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?

• A. The administrator can register the same FortiToken on more than one FortiGate.
• B. The administrator must use a FortiAuthenticator device.
• C. The administrator can use a third-party radius OTP server.
• D. The administrator must use the user self-registration server.

Answer: B

NEW QUESTION 7

View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

• A. Addicting.Games is allowed based on the Application Overrides configuration.
• B. Addicting.Games is blocked on the Filter Overrides configuration.
• C. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt.
• D. Addcting.Games is allowed based on the Categories configuration.

Answer: A

NEW QUESTION 8

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

• A. Policy lookup will be disabled.
• B. By Sequence view will be disabled.
• C. Search option will be disabled
• D. Interface Pair view will be disabled.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47821

NEW QUESTION 9

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

• A. Disabled
• B. On Demand
• C. Enabled
• D. On Idle

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD40813

NEW QUESTION 10

What is the primary FortiGate election process when the HA override setting is disabled?

• A. Connected monitored ports > System uptime > Priority > FortiGate Serial number
• B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
• C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
• D. Connected monitored ports > Priority > System uptime > FortiGate Serial number

Answer: B

Explanation:
Reference: http://myitmicroblog.blogspot.com/2018/11/what-should-you-know-about-ha-override.html

NEW QUESTION 11

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

• A. diagnose sys top
• B. execute ping
• C. execute traceroute
• D. diagnose sniffer packet any
• E. get system arp

Answer: BCD

NEW QUESTION 12

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

• A. FortiManager
• B. Root FortiGate
• C. FortiAnalyzer
• D. Downstream FortiGate

Answer: B

NEW QUESTION 13

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

• A. Log ID
• B. Universally Unique Identifier
• C. Policy ID
• D. Sequence ID

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewall-policies

NEW QUESTION 14

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

• A. Antivirus engine
• B. Intrusion prevention system engine
• C. Flow engine
• D. Detection engine

Answer: B

Explanation:
Reference: http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control

NEW QUESTION 15

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

• A. www.example.com:443
• B. www.example.com
• C. example.com
• D. www.example.com/index.html

Answer: BC

Explanation:
FortiGate_Security_6.4 page 384
When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names— "no URLs or wildcard characters are allowed".

NEW QUESTION 16

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

• A. remote user’s public IP address
• B. The public IP address of the FortiGate device.
• C. The remote user’s virtual IP address.
• D. The internal IP address of the FortiGate device.

Answer: D

Explanation:
Source IP seen by the remote resources is FortiGate’s internal IP address and not the user’s IP address

NEW QUESTION 17

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?
A User or User Group

• A. IP address
• B. No other object can be added
• C. FQDN address

Answer: B

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy

NEW QUESTION 18
......