Fortinet NSE4_FGT-7.2 Exam Questions Instant Access

Question 1

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

ASSL VPN idle-timeout

BSSL VPN http-request-body-timeout

CSSL VPN login-timeout

DSSL VPN dtls-hello-timeout

Answer : A

The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.

Question 2

51 Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

AThe security actions applied on the web applications will also be explicitly applied on the third-party websites.

BThe application signature database inspects traffic only from the original web application server.

CFortiGuard maintains only one signature of each web application that is unique.

DFortiGate can inspect sub-application traffic regardless where it was originated.

Answer : D

https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/300_System/303d_FortiG

Question 3

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

AIt limits the scanning of application traffic to the DNS protocol only.

BIt limits the scanning of application traffic to use parent signatures only.

CIt limits the scanning of application traffic to the browser-based technology category only.

DIt limits the scanning of application traffic to the application category only.

Answer : C

FortiGate Security 7.2 Study Guide (p.317): 'You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website.'

Question 4

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

AThe client FortiGate requires a client certificate signed by the CA on the server FortiGate.

BThe client FortiGate requires a manually added route to remote subnets.

CThe client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

DThe server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Answer : C, D

https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/508779/fortigate-as-ssl-vpn-client

To establish an SSL VPN connection between two FortiGate devices, the following two settings are required:

The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate will use a CA (Certificate Authority) certificate to verify the client FortiGate certificate, ensuring that the client device is trusted and allowed to establish an SSL VPN connection.

The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: The client FortiGate must have an SSL VPN tunnel interface type configured in order to establish an SSL VPN connection. This interface type will be used to connect to the server FortiGate over the SSL VPN.

Question 5

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

AThe sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

BThe sensor will block all attacks aimed at Windows servers.

CThe sensor will reset all connections that match these signatures.

DThe sensor will gather a packet log for all matched traffic.

Answer : A, B

Question 6

Which statement about the IP authentication header (AH) used by IPsec is true?

AAH does not provide any data integrity or encryption.

BAH does not support perfect forward secrecy.

CAH provides data integrity bur no encryption.

DAH provides strong data integrity but weak encryption.

Answer : C

Question 7

Which two statements describe how the RPF check is used? (Choose two.)

AThe RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

BThe RPF check is run on the first sent and reply packet of any new session.

CThe RPF check is run on the first sent packet of any new session.

DThe RPF check is run on the first reply packet of any new session.

Answer : A, C

FortiGate Infrastructure 7.2 Study Guide (p.41): 'The RPF check is a mechanism that protects FortiGate and your network from IP spoofing attacks by checking for a return path to the source in the routing table.' 'FortiGate performs an RPF check only on the first packet of a new session. That is, after the first packet passes the RPF check and FortiGate accepts the session, FortiGate doesn't perform any additional RPF checks on that session.'

A) The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

This is true because the RPF check verifies that the source IP address of an incoming packet matches the reverse route for that address, meaning that the packet came from a legitimate source and not from an attacker who is trying to impersonate another host.This prevents IP spoofing attacks, where an attacker sends packets with a forged source IP address to bypass security policies or launch denial-of-service attacks1

C) The RPF check is run on the first sent packet of any new session.

This is true because the RPF check is performed only once per session, on the first packet sent by either the client or the server, depending on the direction of the session initiation.This reduces the processing overhead and improves performance2

Fortinet NSE 4 - FortiOS 7.2 NSE4_FGT-7.2 Exam Questions