Fortinet NSE4_FGT-7.2 Exam Practice Test Instant Access

Question 1

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

ACreate a new firewall policy with the new HTTP service and place it above the existing HTTP policy.

BCreate a new service object for HTTP service and set the session TTL to never

CSet the TTL value to never under config system-ttl

DSet the session TTL on the HTTP policy to maximum

Answer : B, C

Question 2

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

AIt limits the scanning of application traffic to the DNS protocol only.

BIt limits the scanning of application traffic to use parent signatures only.

CIt limits the scanning of application traffic to the browser-based technology category only.

DIt limits the scanning of application traffic to the application category only.

Answer : C

FortiGate Security 7.2 Study Guide (p.317): 'You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website.'

Question 3

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

ABrowsers can be configured to retrieve this PAC file from the FortiGate.

BAny web request to the 172.25. 120.0/24 subnet is allowed to bypass the proxy.

CAll requests not made to Fortinet.com or the 172.25. 120.0/24 subnet, have to go through altproxy.corp.com: 8060.

DAny web request fortinet.com is allowed to bypass the proxy.

Answer : A, D

Question 4

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

AThe matching firewall policy is set to proxy inspection mode.

BThe certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

CThe full SSL inspection feature does not have a valid license.

DThe browser does not trust the certificate used by FortiGate for SSL inspection.

Answer : D

FortiGate Security 7.2 Study Guide (p.235): 'If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser.'

Question 5

Refer to the exhibit.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check . Which interface will be selected as an outgoing interface?

Aport2

Bport4

Cport3

Dport1

Answer : D

Port 1 shows the lowest latency.

Question 6

An administrator must disable RPF check to investigate an issue.

Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

AEnable asymmetric routing, so the RPF check will be bypassed.

BDisable the RPF check at the FortiGate interface level for the source check.

CDisable the RPF check at the FortiGate interface level for the reply check .

DEnable asymmetric routing at the interface level.

Answer : B

Question 7

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24.

The LAN (port3) interface has the IP address 10 .0.1.254. /24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0. 1. 10?

A10.200. 1. 1

B10.200.3. 1

C10.200. 1. 100

D10.200. 1. 10

Answer : C

Policy 1 is applied on outbound (LAN-WAN) and policy 2 is applied on inbound (WAN-LAN). question is asking SNAT for outbound traffic so policy 1 will take place and NAT overload is in effect.

Fortinet NSE4_FGT-7.2 Fortinet NSE 4 - FortiOS 7.2 Exam Practice Test