Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
Fortinet
NSE4
NSE4_FGT-7.2
Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Pass the Fortinet NSE4 NSE4_FGT-7.2 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam NSE4_FGT-7.2 Premium Access

View all detail and faqs for the NSE4_FGT-7.2 exam

Go to Exam

524 Students Passed

96% Average Score

92% Same Questions

Viewing page 1 out of 6 pages

Viewing questions 1-10 out of questions

Questions # 1:

When configuring a firewall virtual wire pair policy, which following statement is true?

Options:

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

Only a single virtual wire pair can be included in each policy.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

Exactly two virtual wire pairs need to be included in each policy.

Answer

Explanation

[Reference: https://kb.fortinet.com/kb/documentLink .do?externalID=FD48690]

Questions # 2:

You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

Options:

No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%.

No new log is recorded until you manually clear logs from the local disk.

Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.

Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%.

Answer

Explanation

config log disk setting

set diskfull [ overwrite | nolog ]

Action to take when disk is full. The system can overwrite the oldest log messages or stop logging when the disk is full. (default --> overwrite)

config log memory global-setting

set full-first-warning-threshold {integer}

Log full first warning threshold as a percent. (default --> 75)

[Reference:, https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/421620/config-log-disk-setting, https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/418620/config-log-memory-global-setting, , C. Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%., This is true because this is the default behavior of FortiGate when logging to the local disk. The local disk is the internal storage of FortiGate that can be used to store event logs and security logs. When the local disk is full, FortiGate will overwrite the oldest logs with the newest ones, and issue warnings at different thresholds of disk usage. The first warning is issued when log disk use reaches 75%, the second warning is issued when log disk use reaches 85%, and the final warning is issued when log disk use reaches 95%. The administrator can configure these thresholds and the action to take when the disk is full using the CLI command config log disk setting1, , , ]

Questions # 3:

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Options:

Antivirus engine

Intrusion prevention system engine

Flow engine

Detection engine

Answer

Explanation

http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control

[Reference: http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control, ]

Questions # 4:

Which statement correctly describes the use of reliable logging on FortiGate?

Options:

Reliable logging is enabled by default in all configuration scenarios.

Reliable logging is required to encrypt the transmission of logs.

Reliable logging can be configured only using the CLI.

Reliable logging prevents the loss of logs when the local disk is full.

Answer

Explanation

FortiGate Security 7.2 Study Guide (p.192): "if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecure network. You can choose the level of SSL protection used by configuring the enc-algorithm setting on the CLI."

Questions # 5:

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, which statement about VLAN IDs is true?

Options:

The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.

The two VLAN subinterfaces must have different VLAN IDs.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.

The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.

Answer

C, D

Explanation

[Reference: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans, , , ]

Questions # 6:

113

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Options:

Full Content inspection

Proxy-based inspection

Certificate inspection

Flow-based inspection

Answer

Questions # 7:

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

Options:

The website is exempted from SSL inspection.

The EICAR test file exceeds the protocol options oversize limit.

The selected SSL inspection profile has certificate inspection enabled.

The browser does not trust the FortiGate self-signed CA certificate.

Answer

A, C

Explanation

SSL Inspection Profile, on the Inspection method there are 2 options to choose from, SSL Certificate Inspection or Full SSL Inspection. FG SEC 7.2 Studi Guide: Full SSL Inspection level is the only choice that allows antivirus to be effective.

Questions # 8:

An administrator is running the following sniffer command:

Which three pieces of Information will be Included in me sniffer output? {Choose three.)

Options:

Interface name

Packet payload

Ethernet header

IP header

Application header

Answer

A, B, D

Questions # 9:

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

Options:

FortiCache

FortiSIEM

FortiAnalyzer

FortiSandbox

FortiCloud

Answer

B, C, E

Explanation

[Reference:, https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-and-reporting-overview]

Questions # 10:

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

Options:

Extended authentication (XAuth) for faster authentication because fewer packets are exchanged

Extended authentication (XAuth) to request the remote peer to provide a username and password

No certificate is required on the remote peer when you set the certificate signature as the authentication method

Pre-shared key and certificate signature as authentication methods

Answer

B, D

Explanation

B. Extended authentication (XAuth) to request the remote peer to provide a username and password

This is true because extended authentication (XAuth) is a feature that allows FortiGate to request the remote peer to provide a username and password during the IPsec IKEv1 authentication process. XAuth is an extension of the IKEv1 protocol that adds an additional authentication step after the main mode or aggressive mode exchange. XAuth can be used with either pre-shared key or certificate signature as the primary authentication method, and it can provide stronger security and granular access control for IPsec VPNs12

D. Pre-shared key and certificate signature as authentication methods

This is true because pre-shared key and certificate signature are two authentication methods that are supported by FortiGate for IPsec IKEv1 VPNs. Pre-shared key is a method where both peers share a secret key that is used to authenticate each other during the IKEv1 exchange. Certificate signature is a method where both peers have digital certificates that are used to verify each other’s identity and public key during the IKEv1 exchange. Both methods can be combined with XAuth for additional authentication

Viewing page 1 out of 6 pages

Viewing questions 1-10 out of questions