Fortinet NSE 4 - FortiOS 7.2 (NSE4_FGT-7.2) Free Practice Test

Question 1

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

A. To finish any inspection operations.

B. To allow for out-of-order packets that could arrive after the FIN/ACK packets.

C. To generate logs

D. To remove the NAT operation.

Correct Answer: B

Question 2

Which statement about the IP authentication header (AH) used by IPsec is true?

A. AH does not provide any data integrity or encryption.

B. AH does not support perfect forward secrecy.

C. AH provides data integrity bur no encryption.

D. AH provides strong data integrity but weak encryption.

Correct Answer: C

Question 3

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

A. Heartbeat interfaces have virtual IP addresses that are manually assigned.

B. The primary device in the cluster is always assigned IP address 169.254.0.1.

C. Virtual IP addresses are used to distinguish between cluster members.

D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Correct Answer: B,D

Question 4

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A. To force a new DH exchange with each phase 2 rekey.

B. To encapsulation ESP packets in UDP packets using port 4500.

C. To detect intermediary NAT devices in the tunnel path.

D. To dynamically change phase 1 negotiation mode aggressive mode.

Correct Answer: B,C

Question 5

Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

A. Policy with ID 4.

B. Policy with ID 4.

C. Policy with ID 5.

D. Policies with ID 2 and 3.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

A. By default, split tunneling is enabled.

B. By default, the SSL VPN portal requires the installation of a client's certificate.

C. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

D. By default, FortiGate uses WINS servers to resolve names.

Correct Answer: C

Question 7

Which statement correctly describes the use of reliable logging on FortiGate?

A. Reliable logging is required to encrypt the transmission of logs.

B. Reliable logging is enabled by default in all configuration scenarios.

C. Reliable logging prevents the loss of logs when the local disk is full.

D. Reliable logging can be configured only using the CLI.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

Which statement about video filtering on FortiGate is true?

A. Full SSL Inspection is not required.

B. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

C. It is available only on a proxy-based firewall policy.

D. It inspects video files hosted on file sharing services.

Correct Answer: C

Question 9

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A. The ports default route has the highest distance.

B. The port3 default route has the lowest metric.

C. The port1 and port2 default routes are active in the routing table.

D. There will be eight routes active in the routing table.

Correct Answer: A,C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 10

Which three statements explain a flow-based antivirus profile? (Choose three.)

A. If a virus is detected, the last packet is delivered to the client.

B. The IPS engine handles the process as a standalone.

C. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

D. Flow-based inspection optimizes performance compared to proxy-based inspection.

E. FortiGate buffers the whole file but transmits to the client at the same time.

Correct Answer: C,D,E

Question 11

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

A. Dialup User

B. Pre-shared Key

C. Static IP Address

D. Dynamic DNS

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 12

Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

A. CLI diagnostics commands permission

B. Read/Write permission for Firewall

C. Read/Write permission for Log & Report

D. Custom permission for Network

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 13

Refer to the exhibit.

Which contains a session diagnostic output. Which statement is true about the session diagnostic output?

A. The session is in FTN_WAIT state.

B. The session is in FIN_ACK state.

C. The session is in ESTABLISHED state.

D. The session is in SYN_SENT state.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 14

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

A. FQDN address

B. IP address

C. No other object can be added

D. User or User Group

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Fortinet NSE 4 - FortiOS 7.2 (NSE4_FGT-7.2) Free Practice Test