Downloadable NSE4 Preparation Labs 2021
We provide high-value Fortinet NSE4 dumps, which are the best for clearing the NSE4 test and getting certified in the Fortinet Network Security Expert 4 Written Exam (400). The NSE4 Questions & Answers cover all the knowledge points of the real NSE4 exam. Crack your Fortinet NSE4 exam with the latest dumps, guaranteed!
NEW QUESTION 1
Which of the following statements are true regarding DLP File Type Filtering? (Choose two.)
- A. Filters based on file extension
- B. Filters based on fingerprints
- C. Filters based on file content
- D. File types are hard coded in the FortiOS
Answer: BC
NEW QUESTION 2
Which are outputs for the command ‘diagnose hardware deviceinfo nic’? (Choose two.)
- A. ARP cache
- B. Physical MAC address
- C. Errors and collisions
- D. Listening TCP ports
Answer: BC
NEW QUESTION 3
Which statements are true regarding IPv6 anycast addresses? (Choose two.)
- A. Multiple interfaces can share the same anycast address.
- B. They are allocated from the multicast address space.
- C. Different nodes cannot share the same anycast address.
- D. An anycast packet is routed to the nearest interface.
Answer: AD
NEW QUESTION 4
In HA, the option Reserve Management Port for Cluster Member is selected as shown in the exhibit below.
Which statements are correct regarding this setting? (Choose two.)
- A. Interface settings on port7 will not be synchronized with other cluster members.
- B. The IP address assigned to this interface must not overlap with the IP address subnet assigned to another interface.
- C. When connecting to port7 you always connect to the master device.
- D. A gateway address may be configured for port7.
Answer: AD
NEW QUESTION 5
Which action is taken by the FortiGate device when a file matches more than one rule in a Data Leak Prevention sensor?
- A. The actions specified by the rule that most specifically matched the file
- B. The actions specified in the first rule from top to bottom
- C. All actions specified by all the matched rules.
- D. The actions specified in the rule with the higher priority number
Answer: D
NEW QUESTION 6
Which of the following protocols are defined in the IPsec Standard? (Choose two)
- A. AH
- B. GRE
- C. SSL/TLS
- D. ESP
Answer: AD
NEW QUESTION 7
When configuring LDAP on the FortiGate as a remote database for users, what is not a part of the configuration?
- A. The name of the attribute that identifies each user (Common Name Identifier).
- B. The user account or group element names (user DN).
- C. The server secret to allow for remote queries (Primary server secret).
- D. The credentials for an LDAP administrator (password).
Answer: C
NEW QUESTION 8
Which statement is not correct regarding SSL VPN Tunnel mode?
- A. IP traffic is encapsulated over HTTPS.
- B. The standalone FortiClient SSL VPN client can be used to establish a Tunnel mode SSL VPN.
- C. A limited number of IP applications are supported.
- D. The FortiGate device will dynamically assign an IP address to the SSL VPN network adapter.
Answer: C
NEW QUESTION 9
What is IPsec Perfect Forward Secrecy (PFS)?
- A. A phase-1 setting that allows the use of symmetric encryption.
- B. A phase-2 setting that allows the recalculation of a new common secret key each time the session key expires.
- C. A ‘key-agreement’ protocol.
- D. A ‘security-association-agreement’ protocol.
Answer: B
NEW QUESTION 10
Which statement describes what the CLI command diagnose debug authd fsso list is used for?
- A. Monitors communications between the FSSO collector agent and FortiGate unit.
- B. Displays which users are currently logged on using FSSO.
- C. Displays a listing of all connected FSSO collector agents.
- D. Lists all DC Agents installed on all domain controllers.
Answer: B
NEW QUESTION 11
Review the output of the command get router info routing-table database shown in the exhibit below; then answer the question following it.
Which two statements are correct regarding this output? (Choose two.)
- A. There will be six routes in the routing table.
- B. There will be seven routes in the routing table.
- C. There will be two default routes in the routing table.
- D. There will be two routes for the 10.0.2.0/24 subnet in the routing table.
Answer: AC
NEW QUESTION 12
Which of the following Fortinet products can receive updates from the FortiGuard Distribution Network?
- A. FortiGate
- B. FortiClient
- C. FortiMail
- D. FortiAnalyzer
Answer: ABC
NEW QUESTION 13
Review the static route configuration for IPsec shown in the exhibit; then answer the question below.
Which statements are correct regarding this configuration? (Choose two.)
- A. Interface remote is an IPsec interface.
- B. A gateway address is not required because the interface is a point-to-point connection.
- C. A gateway address is not required because the default route is used.
- D. Interface remote is a zone.
Answer: AB
NEW QUESTION 14
Which of the following are possible actions for FortiGuard web category filtering? (Choose three.)
- A. Allow
- B. Block
- C. Exempt
- D. Warning
- E. Shape
Answer: ABD
NEW QUESTION 15
An administrator has formed a high availability cluster involving two FortiGate units.
[Multiple upstream Layer 2 switches] – [FortiGate HA Cluster] – [Multiple downstream Layer 2 Switches]
The administrator wishes to ensure that a single link failure will have minimal impact upon the overall throughput of traffic through this cluster.
Which of the following options describes the best step the administrator can take? The administrator should
- A. Increase the number of FortiGate units in the cluster and configure HA in active-active mode.
- B. Enable monitoring of all active interfaces.
- C. Set up a full-mesh design which uses redundant interfaces.
- D. Configure the HA ping server feature to allow for HA failover in the event that a path is disrupted.
Answer: C
NEW QUESTION 16
Which of the following statements best describes the role of a DC agent in an FSSO DC?
- A. Captures the login events and forwards them to the collector agent.
- B. Captures the user IP address and workstation name and forwards that information to the FortiGate devices.
- C. Captures the login and logoff events and forwards them to the collector agent.
- D. Captures the login events and forwards them to the FortiGate devices.
Answer: C
NEW QUESTION 17
Which of the following statements are true regarding WAN Link Load Balancing? (Choose two).
- A. There can be only one virtual WAN Link per VDOM.
- B. FortiGate can measure the quality of each link based on latency, jitter, or packets percentage.
- C. Link health checks can be performed over each link member of the virtual WAN interface.
- D. Distance and priority values are configured in each link member of the virtual WAN interface.
Answer: AC
NEW QUESTION 18
Which statements are true regarding local user authentication? (Choose two.)
- A. Two-factor authentication can be enabled on a per user basis.
- B. Local users are for administration accounts only and cannot be used to authenticate network users.
- C. Administrators can create the user accounts in a remote server and store the user passwords locally in the FortiGate.
- D. Both the usernames and passwords can be stored locally on the FortiGate.
Answer: AD
NEW QUESTION 19
Which best describes the mechanism of a TCP SYN flood?
- A. The attacker keeps open many connections with slow data transmission so that other clients cannot start new connections.
- B. The attacker sends packets designed to sync with the FortiGate.
- C. The attacker sends a specially crafted malformed packet, intended to crash the target by exploiting its parser.
- D. The attacker starts many connections, but never acknowledges to fully form them.
Answer: D
NEW QUESTION 20
Which best describes the authentication timeout?
- A. How long FortiGate waits for the user to enter his or her credentials.
- B. How long a user is allowed to send and receive traffic before he or she must authenticate again.
- C. How long an authenticated user can be idle (without sending traffic) before they must authenticate again.
- D. How long a user-authenticated session can exist without having to authenticate again.
Answer: C
NEW QUESTION 21
Examine the following FortiGate web proxy configuration; then answer the question below:
config web-proxy explicit
    set pac-file-server-status enable
    set pac-file-server-port 8080
    set pac-file-name wpad.dat
end
Assuming that the FortiGate proxy IP address is 10.10.1.1, which URL must an Internet browser use to download the PAC file?
- A. https://10.10.1.1:8080
- B. https://10.10.1.1:8080/wpad.dat
- C. http://10.10.1.1:8080/
- D. http://10.10.1.1:8080/wpad.dat
Answer: D
NEW QUESTION 22
A client can create a secure connection to a FortiGate device using SSL VPN in web-only mode. Which one of the following statements is correct regarding the use of web-only mode SSL VPN?
- A. Web-only mode supports SSL version 3 only.
- B. A Fortinet-supplied plug-in is required on the web client to use web-only mode SSL VPN.
- C. Web-only mode requires the user to have a web browser that supports 64-bit cipher length.
- D. The JAVA run-time environment must be installed on the client to be able to connect to a web-only mode SSL VPN.
Answer: C
NEW QUESTION 23
Which of the following statements are correct concerning the FortiGate session life support protocol? (Choose two)
- A. By default, UDP sessions are not synchronized.
- B. Up to four FortiGate devices in standalone mode are supported.
- C. Only the master unit handles the traffic.
- D. Allows per-VDOM session synchronization.
Answer: AD
NEW QUESTION 24
What are the requirements for a HA cluster to maintain TCP connections after device or link failover? (Choose two.)
- A. Enable session pick-up.
- B. Enable override.
- C. Connections must be UDP or ICMP.
- D. Connections must not be handled by a proxy.
Answer: AD
NEW QUESTION 25
Which of the following statements are correct regarding FortiGate virtual domains (VDOMs)? (Choose two)
- A. VDOMs divide a single FortiGate unit into two or more independent firewalls.
- B. A management VDOM handles SNMP, logging, alert email and FortiGuard updates.
- C. Each VDOM can run different firmware versions.
- D. Administrative users with a 'super_admin' profile can administrate only one VDOM.
Answer: AB
NEW QUESTION 26
Which two statements are true regarding firewall policy disclaimers? (Choose two.)
- A. They cannot be used in combination with user authentication.
- B. They can only be applied to wireless interfaces.
- C. Users must accept the disclaimer to continue.
- D. The disclaimer page is customizable.
Answer: CD
NEW QUESTION 27
For data leak prevention, which statement describes the difference between the block and quarantine actions?
- A. A block action prevents the transaction. A quarantine action blocks all future transactions, regardless of the protocol.
- B. A block action prevents the transaction. A quarantine action archives the data.
- C. A block action has a finite duration. A quarantine action must be removed by an administrator.
- D. A block action is used for known users. A quarantine action is used for unknown users.
Answer: A
NEW QUESTION 28
In a Crash log, what does a status of 0 indicate?
- A. Abnormal termination of a process
- B. A process closed for any reason
- C. Scanunitd process crashed
- D. Normal shutdown with no abnormalities
- E. DHCP process crashed
Answer: D