Fortinet NSE4_FGT-7.0 Exam Practice Test Instant Access

Question 1

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

AIt limits the scanning of application traffic to the DNS protocol only.

BIt limits the scanning of application traffic to use parent signatures only.

CIt limits the scanning of application traffic to the browser-based technology category only.

DIt limits the scanning of application traffic to the application category only.

Answer : C

Fortigate_Security 7 page 451

Question 2

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

AThe browser requires a software update.

BFortiGate does not support full SSL inspection when web filtering is enabled.

CThe CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

DThere are network connectivity issues.

Answer : C

Question 3

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

What CLI command must the administrator use to view the route?

Aget router info routing-table all

Bget internet service route list

Cget router info routing-table database

Ddiagnose firewall proute list

Answer : D

Fortigate Infrastructure 7.0 Study Guide P.55

ISDB static route will not create entry directly in routing-table. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for-Predefined-Internet/ta-p/198756 and here https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/190640

Question 4

Which three statements are true regarding session-based authentication? (Choose three.)

AHTTP sessions are treated as a single user.

BIP sessions from the same source IP address are treated as a single user.

CIt can differentiate among multiple clients behind the same source IP address.

DIt requires more resources.

EIt is not recommended if multiple users are behind the source NAT

Answer : A, C, E

FortiGate_Infrastructure_6.4 page 387

Question 5

What is the primary FortiGate election process when the HA override setting is disabled?

AConnected monitored ports > System uptime > Priority > FortiGate Serial number

BConnected monitored ports > HA uptime > Priority > FortiGate Serial number

CConnected monitored ports > Priority > HA uptime > FortiGate Serial number

DConnected monitored ports > Priority > System uptime > FortiGate Serial number

Answer : B

FortiGate_Infrastructure_7.0 page 304 PUPS - Ports/Uptime/Priority/Serial

Question 6

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

AFabric Coverage

BAutomated Response

CSecurity Posture

DOptimization

Answer : C

Description of the three major scorecards is seen in Security fabric > Security rating>Security posture. Security Posture Identify configuration weaknesses and best practice violations in your deployment. Fabric Coverage Identify in your overall network, where Security Fabric can enhance visibility and control. Optimization Optimize your fabric deployment.

Question 7

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

ASet the maximum session TTL value for the TELNET service object.

BSet the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

CCreate a new service object for TELNET and set the maximum session TTL.

DCreate a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Answer : C, D

Fortinet NSE4_FGT-7.0 Fortinet NSE 4 - FortiOS 7.0 Exam Practice Test