Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
Fortinet
NSE4
NSE4_FGT-7.2
Fortinet NSE 4 - FortiOS 7.2 Questions and Answers

Pass the Fortinet NSE4 NSE4_FGT-7.2 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam NSE4_FGT-7.2 Premium Access

View all detail and faqs for the NSE4_FGT-7.2 exam

Go to Exam

835 Students Passed

94% Average Score

94% Same Questions

Viewing page 5 out of 6 pages

Viewing questions 41-50 out of questions

Questions # 41:

Refer to the exhibit.

Question # 41

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check . Which interface will be selected as an outgoing interface?

Options:

port2

port4

port3

port1

Answer

Explanation

Port 1 shows the lowest latency.

Questions # 42:

Which statement about video filtering on FortiGate is true?

Options:

Full SSL Inspection is not required.

It is available only on a proxy-based firewall policy.

It inspects video files hosted on file sharing services.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Answer

Explanation

[Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering]

Questions # 43:

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Options:

Add the support of NTLM authentication.

Add user accounts to Active Directory (AD).

Add user accounts to the FortiGate group fitter.

Add user accounts to the Ignore User List.

Answer

Explanation

[Reference: https://community.fortinet.com/t5/Support-Forum/Collector-Agent-and-problem-getting-login-info/m-p/95481, , ]

Questions # 44:

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

Options:

The IP version of the sources and destinations in a firewall policy must be different.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a policy must match.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Answer

B, D, E

Questions # 45:

Refer to the exhibit.

Question # 45

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

Options:

On HQ-FortiGate, enable Auto-negotiate.

On Remote-FortiGate, set Seconds to 43200.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

On HQ-FortiGate, set Encryption to AES256.

Answer

Explanation

[Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495, , , Encryption and authentication algorithm needs to match in order for IPSEC be successfully established., , ]

Questions # 46:

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Options:

SSL VPN idle-timeout

SSL VPN http-request-body-timeout

SSL VPN login-timeout

SSL VPN dtls-hello-timeout

Answer

Explanation

[Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-disconnection-issues-when-connected-with/ta-p/207851#:~:text=By%20default%2C%20a%20SSL%2DVPN,hours%20due%20to%20auth%2Dtimeout, , The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted., , ]

Questions # 47:

Refer to the exhibit.

Question # 47

Based on the ZTNA tag, the security posture of the remote endpoint has changed.

What will happen to endpoint active ZTNA sessions?

Options:

They will be re-evaluated to match the endpoint policy.

They will be re-evaluated to match the firewall policy.

They will be re-evaluated to match the ZTNA policy.

They will be re-evaluated to match the security policy.

Answer

Explanation

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/580880/posture-check-verification-for-active-ztna-proxy-session-7-0-2

FortiGate Infrastructure 7.2 Study Guide (p.182): "Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant with the ZTNA policy."

Questions # 48:

Refer to the exhibit.

Question # 48

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10.0. 1.254/24.

A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0. 1. 10) pings the IP address of Remote-FortiGate (10.200.3. 1)?

Options:

10.200. 1. 149

10.200. 1. 1

10.200. 1.49

10.200. 1.99

Answer

Questions # 49:

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

Options:

IP address

No other object can be added

FQDN address

User or User Group

Answer

Explanation

FortiGate Security 7.2 Study Guide (p.59): "When configuring your firewall policy, you can use Internet Service as the destination in a firewall policy, which contains all the IP addresses, ports, and protocols used by that service. For the same reason, you cannot mix regular address objects with ISDB objects, and you cannot select services on a firewall policy. The ISDB objects already have services information, which is hardcoded."

This is true because Internet Service is a special type of destination object that can only be used alone in a firewall policy. Internet Service is a feature that allows FortiGate to identify and filter traffic based on the internet service or application that it belongs to, such as Facebook, YouTube, Skype, etc. Internet Service uses a database of IP addresses and ports that are associated with each internet service or application, and updates it regularly from FortiGuard. When Internet Service is selected as the destination in a firewall policy, FortiGate will match the traffic to the corresponding internet service or application, and apply the appropriate action and security profiles to it. However, Internet Service cannot be combined with any other destination object, such as IP address, FQDN address, user or user group, etc., as this would create a conflict or ambiguity in the firewall policy. Therefore, no other object can be added if Internet Service is already selected as the destination in a firewall policy

Questions # 50:

View the exhibit.

Question # 50