Fortinet NSE4_FGT-7.2 Exam Practice Test Instant Access

Question 1

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

AThe firmware image must be manually uploaded to each FortiGate.

BOnly secondary FortiGate devices are rebooted.

CUninterruptable upgrade is enabled by default.

DTraffic load balancing is temporally disabled while upgrading the firmware.

Answer : C, D

Question 2

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

AVLAN interface

BSoftware Switch interface

CAggregate interface

DRedundant interface

Answer : C

An aggregate interface is a logical interface that combines two or more physical interfaces into one virtual interface1. An aggregate interface can increase network bandwidth and provide redundancy by distributing traffic across multiple physical interfaces using a load balancing algorithm1. An aggregate interface can also support link aggregation control protocol (LACP) to negotiate the link aggregation settings with the connected device1.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/567758/aggregation-and-redundancy

Question 3

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

AAntivirus scanning

BFile filter

CDNS filter

DIntrusion prevention

Answer : A, D

Question 4

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

ACreate a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

BCreate a new service object for HTTP service and set the session TTL to never

CSet the TTL value to never under config system-ttl

DSet the session TTL on the HTTP policy to maximum

Answer : B, C

Question 5

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

AOn HQ-FortiGate, set IKE mode to Main (ID protection).

BOn both FortiGate devices, set Dead Peer Detection to On Demand.

COn HQ-FortiGate, disable Diffie-Helman group 2.

DOn Remote-FortiGate, set port2 as Interface.

Answer : A, D

'In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.'

Question 6

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

AVirtual IP addresses are used to distinguish between cluster members.

BHeartbeat interfaces have virtual IP addresses that are manually assigned.

CThe primary device in the cluster is always assigned IP address 169.254.0.1.

DA change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Answer : A, D

Fortigate Infrastructure 7.2 Study Guide page 301

FortiGate Infrastructure 7.2 Study Guide (p.301):

'FGCP automatically assigns the heartbeat IP addresses based on the serial number of each device. The IP address 169.254.0.1 is assigned to the device with the highest serial number.'

'A change in the heartbeat IP addresses may happen when a FortiGate device joins or leaves the cluster.'

'The HA cluster uses the heartbeat IP addresses to distinguish the cluster members and synchronize data.'

https://networkinterview.com/fortigate-ha-high-availability/

Question 7

Which of the following statements about central NAT are true? (Choose two.)

AIP tool references must be removed from existing firewall policies before enabling central NAT .

BCentral NAT can be enabled or disabled from the CLI only.

CSource NAT, using central NAT, requires at least one central SNAT policy.

DDestination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Answer : A, B

Fortinet NSE 4 - FortiOS 7.2 NSE4_FGT-7.2 Exam Practice Test