NSE4_FGT-7.0 Fortinet NSE 4 - FortiOS 7.0 Question and Answers

Fortinet NSE 4 - FortiOS 7.0

Last Update 1 week ago
Total Questions : 172

Question # 1

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

Options:

A. FortiGate automatically negotiates different local and remote addresses with the remote peer.

B. FortiGate automatically negotiates a new security association after the existing security association expires.

C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Question # 2

Which of the following statements about central NAT are true? (Choose two.)

Options:

A. IP pool references must be removed from existing firewall policies before enabling central NAT.

B. Central NAT can be enabled or disabled from the CLI only.

C. Source NAT, using central NAT, requires at least one central SNAT policy.

D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Question # 3

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Options:

A. Set the maximum session TTL value for the TELNET service object.

B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C. Create a new service object for TELNET and set the maximum session TTL.

D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Question # 4

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

Options:

A. User or User Group

B. IP address

C. No other object can be added

D. FQDN address

Question # 5

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

Options:

A. A phase 2 configuration is not required.

B. This VPN cannot be used as part of a hub-and-spoke topology.

C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

D. The IPsec firewall policies must be placed at the top of the list.

Question # 6

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

Options:

A. Browsers can be configured to retrieve this PAC file from the FortiGate.

B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.

C. All requests not made to fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.

D. Any web request to fortinet.com is allowed to bypass the proxy.

Question # 7

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

Options:

A. The IP version of the sources and destinations in a firewall policy must be different.

B. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4 and IPv6.

C. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

D. The IP version of the sources and destinations in a policy must match.

E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Question # 8

Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

Options:

A. It is allowed, but with no inspection.

B. It is allowed and inspected as long as the inspection is flow based.

C. It is dropped.

D. It is allowed and inspected, as long as the only inspection required is antivirus.

Question # 9

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

Options:

A. DNS

B. ping

C. udp-echo

D. TWAMP

Question # 10

An administrator is running the following sniffer command:

Which three pieces of information will be included in the sniffer output? (Choose three.)

Options:

A. Interface name

B. Packet payload

C. Ethernet header

D. IP header

E. Application header

Question # 11

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

Options:

A. This is known as many-to-one NAT.

B. Source IP is translated to the outgoing interface IP.

C. Connections are tracked using source port and source MAC address.

D. Port address translation is not used.

Question # 12

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

Options:

A. By default, FortiGate uses WINS servers to resolve names.

B. By default, the SSL VPN portal requires the installation of a client’s certificate.

C. By default, split tunneling is enabled.

D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Question # 13

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Options:

A. Subject Key Identifier value

B. SMIME Capabilities value

C. Subject value

D. Subject Alternative Name value

Question # 14

Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

Options:

A. There are five devices that are part of the security fabric.

B. Device detection is disabled on all FortiGate devices.

C. This security fabric topology is a logical topology view.

D. There are 19 security recommendations for the security fabric.

Question # 15

Refer to the exhibit.

Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

Options:

A. Traffic between port2 and port2-vlan1 is allowed by default.

B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

C. port1 is a native VLAN.

D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Question # 16

Which two statements are true about the FGCP protocol? (Choose two.)

Options:

A. Not used when FortiGate is in Transparent mode

B. Elects the primary FortiGate device

C. Runs only over the heartbeat links

D. Is used to discover FortiGate devices in different HA groups

Question # 17

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.

With this configuration, which statement is true?

Options:

A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Question # 18

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Options:

A. Antivirus engine

B. Intrusion prevention system engine

C. Flow engine

D. Detection engine

Question # 19

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Options:

A. The SSL inspection needs to be a deep content inspection.

B. Force access to Facebook using the HTTP service.

C. Additional application signatures are required to add to the security policy.

D. Add Facebook in the URL category in the security policy.

Question # 20

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

Options:

A. get system status

B. get system performance status

C. diagnose sys top

D. get system arp

Question # 21

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

Options:

A. Device detection on all interfaces is enforced for 30 minutes.

B. Denied users are blocked for 30 minutes.

C. A session for denied traffic is created.

D. The number of logs generated by denied traffic is reduced.

Question # 22

Which two statements are correct about SLA targets? (Choose two.)

Options:

A. You can configure only two SLA targets per one Performance SLA.

B. SLA targets are optional.

C. SLA targets are required for SD-WAN rules with a Best Quality strategy.

D. SLA targets are used only when referenced by an SD-WAN rule.

Question # 23

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

Options:

A. The firewall policy performs the full content inspection on the file.

B. The flow-based inspection is used, which resets the last packet to the user.

C. The volume of traffic being inspected is too high for this model of FortiGate.

D. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Question # 24

Which two statements about antivirus scanning mode are true? (Choose two.)

Options:

A. In proxy-based inspection mode, files bigger than the buffer size are scanned.

B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

D. In flow-based inspection mode, files bigger than the buffer size are scanned.

Question # 25

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

Options:

A. On HQ-FortiGate, enable Auto-negotiate.

B. On Remote-FortiGate, set Seconds to 43200.

C. On HQ-FortiGate, enable Diffie-Hellman Group 2.

D. On HQ-FortiGate, set Encryption to AES256.
