Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
Fortinet
NSE4
NSE4_FGT-7.2
Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Pass the Fortinet NSE4 NSE4_FGT-7.2 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam NSE4_FGT-7.2 Premium Access

View all detail and faqs for the NSE4_FGT-7.2 exam

Go to Exam

835 Students Passed

94% Average Score

94% Same Questions

Viewing page 4 out of 6 pages

Viewing questions 31-40 out of questions

Questions # 31:

Refer to the exhibit showing a debug flow output.

Question # 31

Which two statements about the debug flow output are correct? (Choose two.)

Options:

The debug flow is of ICMP traffic.

A firewall policy allowed the connection.

A new traffic session is created.

The default route is required to receive a reply.

Answer

A, C

Explanation

[Reference: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow, , ]

Questions # 32:

106

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

Options:

Shut down/reboot a downstream FortiGate device.

Disable FortiAnalyzer logging for a downstream FortiGate device.

Ban or unban compromised hosts.

Answer

A, B

Questions # 33:

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Options:

Configure Source IP Pools.

Configure split tunneling in tunnel mode.

Configure different SSL VPN realms.

Configure host check .

Answer

Questions # 34:

Refer to the exhibits.

The exhibits show a network diagram and firewall configurations.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

Question # 34

In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Options:

Disable match-vip in the Deny policy.

Set the Destination address as Deny_IP in the Allow-access policy.

Enable match vip in the Deny policy.

Set the Destination address as Web_server in the Deny policy.

Answer

B, C

Explanation

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641

The exhibits show a network diagram and firewall configurations for a FortiGate unit that has two policies: Allow_access and Deny. The Allow_access policy allows traffic from the WAN (port1) interface to the LAN (port3) interface with the destination address of VIP and the service of HTTPS. The VIP object maps the external IP address 10.200.1.10 and port 10443 to the internal IP address 10.0.1.10 and port 443 of the Webserver. The Deny policy denies traffic from the WAN (port1) interface to the LAN (port3) interface with the source address of Deny_IP and the destination address of All.

In this scenario, the administrator wants to deny Webserver access for Remote-User2, who has the IP address 10.200.3.2, which is included in the Deny_IP address object. Remote-User1, who has the IP address 10.200.3.1, must be able to access the Webserver.

To achieve this goal, the administrator can make two changes to deny Webserver access for Remote-User2:

Set the Destination address as Webserver in the Deny policy. This will make the Deny policy more specific and match only the traffic that is destined for the Webserver’s internal IP address, instead of any destination address.

Enable match-vip in the Deny policy. This will make the Deny policy apply to traffic that matches a VIP object, instead of ignoring it1. This way, the Deny policy will block Remote-User2’s traffic that uses the VIP object’s external IP address and port.

Questions # 35:

Refer to the exhibits.

Question # 35

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Options:

Change the SSL VPN port on the client.

Change the Server IP address.

Change the idle-timeout.

Change the SSL VPN portal to the tunnel.

Answer

Explanation

[Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/150494, ]

Questions # 36:

In an explicit proxy setup, where is the authentication method and database configured?

Options:

Proxy Policy

Authentication Rule

Firewall Policy

Authentication scheme

Answer

Questions # 37:

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

Options:

Warning

Exempt

Allow

Learn

Answer

A, C

Questions # 38:

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

Options:

Browsers can be configured to retrieve this PAC file from the FortiGate.

Any web request to the 172.25. 120.0/24 subnet is allowed to bypass the proxy.

All requests not made to Fortinet.com or the 172.25. 120.0/24 subnet, have to go through altproxy.corp.com: 8060.

Any web request fortinet.com is allowed to bypass the proxy.

Answer

A, D

Questions # 39:

Options:

Log downloads from the GUI are limited to the current filter view B. Log backups from the CLI cannot be restored to another FortiGate. C. Log backups from the CLI can be configured to upload to FTP as a scheduled time D. Log downloads from the GUI are stored as LZ4 compressed files.

Answer

Questions # 40:

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)