Fortinet NSE4_FGT-7.2 Exam Practice Test Instant Access

Question 1

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem .

With this configuration, which statement is true?

AInter-VDOM links are required to allow traffic between the Local and Root VDOMs.

BA static route is required on the To_Internet VDOM to allow LAN users to access the internet.

CInter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

DInter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Answer : A

Question 2

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

AThe Services field prevents SNAT and DNAT from being combined in the same policy.

BThe Services field is used when you need to bundle several VIPs into VIP groups.

CThe Services field removes the requirement to create multiple VIPs for different services.

DThe Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Answer : C

Question 3

Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

ADestination NAT is disabled in the firewall policy.

BOne-to-one NAT IP pool is used in the firewall policy.

COverload NAT IP pool is used in the firewall policy.

DPort block allocation IP pool is used in the firewall policy.

Answer : B

FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.

Question 4

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

AThe client FortiGate requires a client certificate signed by the CA on the server FortiGate.

BThe client FortiGate requires a manually added route to remote subnets.

CThe client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

DThe server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Answer : C, D

https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/508779/fortigate-as-ssl-vpn-client

To establish an SSL VPN connection between two FortiGate devices, the following two settings are required:

The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate will use a CA (Certificate Authority) certificate to verify the client FortiGate certificate, ensuring that the client device is trusted and allowed to establish an SSL VPN connection.

The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: The client FortiGate must have an SSL VPN tunnel interface type configured in order to establish an SSL VPN connection. This interface type will be used to connect to the server FortiGate over the SSL VPN.

Question 5

Which two statements are correct about NGFW Policy-based mode? (Choose two.)

ANGFW policy-based mode does not require the use of central source NAT policy

BNGFW policy-based mode can only be applied globally and not on individual VDOMs

CNGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

DNGFW policy-based mode policies support only flow inspection

Answer : C, D

Question 6

How does FortiGate act when using SSL VPN in web mode?

AFortiGate acts as an FDS server.

BFortiGate acts as an HTTP reverse proxy.

CFortiGate acts as DNS server.

DFortiGate acts as router.

Answer : B

https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/Fortigate_v4.0MR3/fortigate-sslvpn-40-mr3.pdf

Question 7

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

AFortiGate SN FGVM010000065036 HA uptime has been reset.

BFortiGate devices are not in sync because one device is down.

CFortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

DFortiGate SN FGVM010000064692 has the higher HA priority.

Answer : A, D

1. Override is disable by default - OK

2. 'If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the

primary' The QUESTION NO : here is : HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes) Page 314 Infra Study Guide. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab

Fortinet NSE 4 - FortiOS 7.2 NSE4_FGT-7.2 Exam Practice Test