Fortinet NSE4_FGT-7.2 Exam Questions Instant Access

Question 1

Which two types of traffic are managed only by the management VDOM? (Choose two.)

AFortiGuard web filter queries

BPKI

CTraffic shaping

DDNS

Answer : A, D

FortiGate Infrastructure 7.2 Study Guide (p.73): 'What about traffic originating from FortiGate? Some system daemons, such as NTP and FortiGuard updates, generate traffic coming from FortiGate. Traffic coming from FortiGate to those global services originates from the management VDOM. One, and only one, of the VDOMs on a FortiGate device is assigned the role of the management VDOM. It is important to note that the management VDOM designation is solely for traffic originated by FortiGate, such as FortiGuard updates, and has no effect on traffic passing through FortiGate.'

Question 2

What is a reason for triggering IPS fail open?

AThe IPS socket buffer is full and the IPS engine cannot process additional packets.

BThe IPS engine cannot decode a packet.

CThe IPS engine is upgraded.

DThe administrator enabled NTurbo acceleration.

Answer : A

Question 3

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook .

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

AMake SSL inspection needs to be a deep content inspection.

BForce access to Facebook using the HTTP service.

CGet the additional application signatures are required to add to the security policy.

DAdd Facebook in the URL category in the security policy.

Answer : A

They can play video (tick) content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts. This indicate that the rule are partially working as they can watch video but cant react, i.e. liking the content. So must be an issue with the SSL inspection rather then adding an app rule.

Question 4

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

AThe firewall policy performs the full content inspection on the file.

BThe flow-based inspection is used, which resets the last packet to the user.

CThe volume of traffic being inspected is too high for this model of FortiGate.

DThe intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

Answer : B

* 'ONLY' If the virus is detected at the 'START' of the connection, the IPS engine sends the block replacement message immediately

* When a virus is detected on a TCP session (FIRST TIME), but where 'SOME PACKETS' have been already forwarded to the receiver, FortiGate 'resets the connection' and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that if a 'SECOND ATTEMPT' to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.

In flow mode, the FortiGate drops the last packet killing the file. But because of that the block replacement message cannot be displayed. If the file is attempted to download again the block message will be shown.

Question 5

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

AFortiGate automatically negotiates different local and remote addresses with the remote peer.

BFortiGate automatically negotiates a new security association after the existing security association expires.

CFortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

DFortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Answer : D

https://kb.fortinet.com/kb/documentLink.do?externalID=12069

FortiGate Infrastructure 7.2 Study Guide (p.264): '...then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away.' 'Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled.'

Question 6

Examine this output from a debug flow:

Why did the FortiGate drop the packet?

AThe next-hop IP address is unreachable.

BIt failed the RPF check .

CIt matched an explicitly configured firewall policy with the action DENY.

DIt matched the default implicit firewall policy.

Answer : D

https://kb.fortinet.com/kb/documentLink.do?externalID=13900

https://www.fortinetguru.com/2016/03/what-is-policy-id-0-and-why-lot-of-denied-traffic-on-this-policy/

Question 7

Which three methods are used by the collector agent for AD polling? (Choose three.)

AFortiGate polling

BNetAPI

CNovell API

DWMI

EWinSecLog

Answer : B, D, E

FortiGate Infrastructure 7.2 Study Guide (p.127-128): 'As previously stated, collector agent-based polling mode has three methods (or options) for collecting login information. The order on the slide from left to right shows most recommend to least recommended: (WMI, WinSecLog, and NetAPI)'

Fortinet NSE 4 - FortiOS 7.2 NSE4_FGT-7.2 Exam Questions