2023 New NSE4_FGT-7.0 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/NSE4_FGT-7.0/
Exam Code: NSE4_FGT-7.0 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Fortinet NSE 4 - FortiOS 7.0
Certification Provider: Fortinet
Free demo questions for Fortinet NSE4_FGT-7.0 Exam Dumps Below:
NEW QUESTION 1
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)
- A. Antivirus scanning
- B. File filter
- C. DNS filter
- D. Intrusion prevention
Answer: AD
NEW QUESTION 2
Refer to the exhibit.
The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)
- A. Disable match-vip in the Deny policy.
- B. Set the Destination address as Deny_IP in the Allow-access policy.
- C. Enable match vip in the Deny policy.
- D. Set the Destination address as Web_server in the Deny policy.
Answer: CD
NEW QUESTION 3
Refer to the exhibit.
The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)
- A. FortiGate SN FGVM010000065036 HA uptime has been reset.
- B. FortiGate devices are not in sync because one device is down.
- C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
- D. FortiGate SN FGVM010000064692 has the higher HA priority.
Answer: AD
Explanation:
* 1. Override is disabled by default - OK
* 2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary." The question here is: HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes). Page 314, Infra Study Guide.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab
NEW QUESTION 4
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
- A. A CRL
- B. A person
- C. A subordinate CA
- D. A root CA
Answer: D
NEW QUESTION 5
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)
- A. Shut down/reboot a downstream FortiGate device.
- B. Disable FortiAnalyzer logging for a downstream FortiGate device.
- C. Log in to a downstream FortiSwitch device.
- D. Ban or unban compromised hosts.
Answer: AB
NEW QUESTION 6
Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
- A. 10.200.1.10
- B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
- C. 10.200.1.1
- D. 10.0.1.254
Answer: A
Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.
NEW QUESTION 7
Which two statements are correct about a software switch on FortiGate? (Choose two.)
- A. It can be configured only when FortiGate is operating in NAT mode
- B. Can act as a Layer 2 switch as well as a Layer 3 router
- C. All interfaces in the software switch share the same IP address
- D. It can group only physical interfaces
Answer: AC
NEW QUESTION 8
View the exhibit:
Which two statements are true? (Choose two.)
- A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
- B. port-VLAN1 is the native VLAN for the port1 physical interface.
- C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
- D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
Answer: AC
NEW QUESTION 9
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to the DNS protocol only.
- B. It limits the scanning of application traffic to use parent signatures only.
- C. It limits the scanning of application traffic to the browser-based technology category only.
- D. It limits the scanning of application traffic to the application category only.
Answer: C
NEW QUESTION 10
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statement about the VLAN sub interfaces is true?
- A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
- B. The two VLAN sub interfaces must have different VLAN IDs.
- C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
- D. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
Answer: B
Explanation:
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf –> page 147
“Multiple VLANs can coexist in the same physical interface, provided they have different VLAN IDs”
NEW QUESTION 11
In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy, instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)
- A. The IP version of the sources and destinations in a firewall policy must be different.
- B. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4 and IPv6.
- C. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
- D. The IP version of the sources and destinations in a policy must match.
- E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.
Answer: BDE
NEW QUESTION 12
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
- A. FortiCache
- B. FortiSIEM
- C. FortiAnalyzer
- D. FortiSandbox
- E. FortiCloud
Answer: BCE
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-and-reporting-overview
NEW QUESTION 13
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
- A. On HQ-FortiGate, enable Auto-negotiate.
- B. On Remote-FortiGate, set Seconds to 43200.
- C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
- D. On HQ-FortiGate, set Encryption to AES256.
Answer: D
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495
Encryption and authentication algorithms need to match in order for IPsec to be successfully established.
NEW QUESTION 14
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?
- A. IP address
- B. Once Internet Service is selected, no other object can be added
- C. User or User Group
- D. FQDN address
Answer: B
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy
NEW QUESTION 15
Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)
- A. Firewall policy
- B. Policy rule
- C. Security policy
- D. SSL inspection and authentication policy
Answer: CD
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode
NEW QUESTION 16
Refer to the exhibit.
Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)
- A. Traffic between port2 and port2-vlan1 is allowed by default.
- B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
- C. port1 is a native VLAN.
- D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
Answer: CD
Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883
NEW QUESTION 17
How does FortiGate act when using SSL VPN in web mode?
- A. FortiGate acts as an FDS server.
- B. FortiGate acts as an HTTP reverse proxy.
- C. FortiGate acts as DNS server.
- D. FortiGate acts as router.
Answer: B
Explanation:
Reference:
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/Fortigate_v4.0MR3/fortigate-sslvpn-40-mr3.pdf