Fortinet nse4-fgt-7-0 practice test
Fortinet NSE 4 - FortiOS 7.0 Exam
Last exam update: Jul 20 ,2024
Question 1
An administrator has a requirement to keep an application session from timing out on port 80. What
two changes can the administrator make to resolve the issue without affecting any existing services
running through FortiGate? (Choose two.)
- A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
- B. Create a new service object for HTTP service and set the session TTL to never
- C. Set the TTL value to never under config system-ttl
- D. Set the session TTL on the HTTP policy to maximum
Answer:
BC
Question 2
In which two ways can RPF checking be disabled? (Choose two )
- A. Enable anti-replay in firewall policy.
- B. Disable the RPF check at the FortiGate interface level for the source check
- C. Enable asymmetric routing.
- D. Disable strict-arc-check under system settings.
Answer:
CD
Explanation:
Reference:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955
Question 3
Refer to the exhibit to view the application control profile.
Based on the configuration, what will happen to Apple FaceTime?
- A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration
- B. Apple FaceTime will be allowed, based on the Apple filter configuration.
- C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
- D. Apple FaceTime will be allowed, based on the Categories configuration.
Answer:
A
Question 4
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the
physical layer nor the link layer? (Choose three.)
- A. diagnose sys top
- B. execute ping
- C. execute traceroute
- D. diagnose sniffer packet any
- E. get system arp
Answer:
BCD
Question 5
Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode?
(Choose two.)
- A. FG-traffic
- B. Mgmt
- C. FG-Mgmt
- D. Root
Answer:
AD
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/758820/split-task-vdom-
mode
Question 6
Refer to the exhibit.
The exhibit contains a network interface configuration, firewall policies, and a CLI console
configuration.
How will FortiGate handle user authentication for traffic that arrives on the LAN interface?
- A. If there is a full-through policy in place, users will not be prompted for authentication.
- B. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.
- C. Authentication is enforced at a policy level; all users will be prompted for authentication.
- D. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.
Answer:
C
Question 7
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When
visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP
websites, the browser does not report errors.
What is the reason for the certificate warning errors?
- A. The browser requires a software update.
- B. FortiGate does not support full SSL inspection when web filtering is enabled.
- C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
- D. There are network connectivity issues.
Answer:
C
Explanation:
Reference:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD41394
Question 8
Which two statements are true about the RPF check? (Choose two.)
- A. The RPF check is run on the first sent packet of any new session.
- B. The RPF check is run on the first reply packet of any new session.
- C. The RPF check is run on the first sent and reply packet of any new session.
- D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.
Answer:
AD
Explanation:
Reference:
https://www.programmersought.com/article/16383871634/
Question 9
An organizations employee needs to connect to the office through a high-latency internet
connection.
Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?
- A. Change the session-ttl.
- B. Change the login timeout.
- C. Change the idle-timeout.
- D. Change the udp idle timer.
Answer:
B
Question 10
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 fails to come up. The administrator has also re-entered
the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration
changes will bring phase 1 up? (Choose two.)
- A. On HQ-FortiGate, set IKE mode to Main (ID protection).
- B. On both FortiGate devices, set Dead Peer Detection to On Demand.
- C. On HQ-FortiGate, disable Diffie-Helman group 2.
- D. On Remote-FortiGate, set port2 as Interface.
Answer:
AD
Question 11
An administrator needs to configure VPN user access for multiple sites using the same soft
FortiToken. Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?
- A. The administrator can register the same FortiToken on more than one FortiGate.
- B. The administrator must use a FortiAuthenticator device.
- C. The administrator can use a third-party radius OTP server.
- D. The administrator must use the user self-registration server.
Answer:
B
Question 12
Refer to the exhibit.
The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings
the IP address of Remote-FortiGate (10.200.3.1)?
- A. 10.200.1.149
- B. 10.200.1.1
- C. 10.200.1.49
- D. 10.200.1.99
Answer:
D
Question 13
An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?
- A. VLAN interface
- B. Software Switch interface
- C. Aggregate interface
- D. Redundant interface
Answer:
C
Explanation:
Reference:
https://forum.fortinet.com/tm.aspx?m=120324
Question 14
Refer to the exhibit, which contains a static route configuration.
An administrator created a static route for Amazon Web Services.
What CLI command must the administrator use to view the route?
- A. get router info routing-table all
- B. get internet service route list
- C. get router info routing-table database
- D. diagnose firewall proute list
Answer:
D
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/latest/administration-
guide/139692/routing-concepts
Question 15
Which three statements are true regarding session-based authentication? (Choose three.)
- A. HTTP sessions are treated as a single user.
- B. IP sessions from the same source IP address are treated as a single user.
- C. It can differentiate among multiple clients behind the same source IP address.
- D. It requires more resources.
- E. It is not recommended if multiple users are behind the source NAT
Answer:
ACD