100% Guarantee NSE4_FGT-6.0 Item Pool 2021
Refined NSE4_FGT-6.0 exam materials and labs for Fortinet certification candidates. Real success guaranteed with updated NSE4_FGT-6.0 PDF and VCE dump materials. 100% pass the Fortinet NSE 4 – FortiOS 6.0 exam today!
NEW QUESTION 1
Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)
- A. If the DHCP method fails, browsers will try the DNS method.
- B. The browser needs to be preconfigured with the DHCP server’s IP address.
- C. The browser sends a DHCPINFORM request to the DHCP server.
- D. The DHCP server provides the PAC file for download.
Answer: AC
NEW QUESTION 2
What files are sent to FortiSandbox for inspection in flow-based inspection mode?
- A. All suspicious files that do not have their hash value in the FortiGuard antivirus signature database.
- B. All suspicious files that are above the defined oversize limit value in the protocol options.
- C. All suspicious files that match patterns defined in the antivirus profile.
- D. All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile.
Answer: C
NEW QUESTION 3
An administrator wants to create a policy-based IPsec VPN tunnel between two FortiGate devices. Which configuration steps must be performed on both devices to support this scenario? (Choose three.)
- A. Define the phase 1 parameters, without enabling IPsec interface mode.
- B. Define the phase 2 parameters.
- C. Set the phase 2 encapsulation method to transport mode.
- D. Define at least one firewall policy, with the action set to IPsec.
- E. Define a route to the remote network over the IPsec tunnel.
Answer: CDE
NEW QUESTION 4
Which is a requirement for creating an inter-VDOM link between two VDOMs?
- A. The inspection mode of at least one VDOM must be proxy-based.
- B. At least one of the VDOMs must operate in NAT mode.
- C. The inspection mode of both VDOMs must match.
- D. Both VDOMs must operate in NAT mode.
Answer: A
NEW QUESTION 5
Which statements about a One-to-One IP pool are true? (Choose two.)
- A. It is used for destination NAT.
- B. It allows the fixed mapping of an internal address range to an external address range.
- C. It does not use port address translation.
- D. It allows the configuration of ARP replies.
Answer: BC
NEW QUESTION 6
Which statements about virtual domains (VDOMs) are true? (Choose two.)
- A. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.
- B. Each VDOM can be configured with different system hostnames.
- C. Different VLAN sub-interfaces of the same physical interface can be assigned to different VDOMs.
- D. Each VDOM has its own routing table.
Answer: CD
NEW QUESTION 7
When using SD-WAN, how do you configure the next-hop gateway address for a member interface so that FortiGate can forward Internet traffic?
- A. It must be configured in a static route using the sdwan virtual interface.
- B. It must be provided in the SD-WAN member interface configuration.
- C. It must be configured in a policy-route using the sdwan virtual interface.
- D. It must be learned automatically through a dynamic routing protocol.
Answer: A
NEW QUESTION 8
Which statements about HA for FortiGate devices are true? (Choose two.)
- A. Sessions handled by proxy-based security profiles cannot be synchronized.
- B. Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs.
- C. HA management interface settings are synchronized between cluster members.
- D. Heartbeat interfaces are not required on the primary device.
Answer: BC
NEW QUESTION 9
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?
- A. A phase 2 configuration is not required.
- B. This VPN cannot be used as part of a hub-and-spoke topology.
- C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
- D. The IPsec firewall policies must be placed at the top of the list.
Answer: C
NEW QUESTION 10
Which action can be applied to each filter in the application control profile?
- A. Block, monitor, warning, and quarantine
- B. Allow, monitor, block and learn
- C. Allow, block, authenticate, and warning
- D. Allow, monitor, block, and quarantine
Answer: D
NEW QUESTION 11
Which of the following statements about central NAT are true? (Choose two.)
- A. IP pool references must be removed from existing firewall policies before enabling central NAT.
- B. Central NAT can be enabled or disabled from the CLI only.
- C. Source NAT, using central NAT, requires at least one central SNAT policy.
- D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall policy.
Answer: AB
NEW QUESTION 12
View the exhibit.
Which of the following statements are correct? (Choose two.)
- A. This setup requires at least two firewall policies with the action set to IPsec.
- B. Dead peer detection must be disabled to support this type of IPsec setup.
- C. The TunnelB route is the primary route for reaching the remote site.
- D. The TunnelA route is used only if the TunnelB VPN is down.
- E. This is a redundant IPsec setup.
Answer: CD
NEW QUESTION 13
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.
When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?
- A. SMTP.Login.Brute.Force
- B. IMAP.Login.Brute.Force
- C. ip_src_session
- D. Location: server Protocol: SMTP
Answer: B
NEW QUESTION 14
What FortiGate components are tested during the hardware test? (Choose three.)
- A. Administrative access
- B. HA heartbeat
- C. CPU
- D. Hard disk
- E. Network interfaces
Answer: CDE
NEW QUESTION 15
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
- A. Log downloads from the GUI are limited to the current log filter view.
- B. Log backups from the CLI cannot be restored to another FortiGate.
- C. Log backups from the CLI can be configured to upload to FTP at a scheduled time.
- D. Log downloads from the GUI are stored as LZ4 compressed files.
Answer: BC
NEW QUESTION 16
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
- A. The firmware image must be manually uploaded to each FortiGate.
- B. Only secondary FortiGate devices are rebooted.
- C. Uninterruptible upgrade is enabled by default.
- D. Traffic load balancing is temporarily disabled while upgrading the firmware.
Answer: BD
NEW QUESTION 17
If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?
- A. The Services field removes the requirement of creating multiple VIPs for different services.
- B. The Services field is used when several VIPs need to be bundled into VIP groups.
- C. The Services field does not allow source NAT and destination NAT to be combined in the same policy.
- D. The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.
Answer: A
NEW QUESTION 18
View the exhibit.
VDOM1 is operating in transparent mode. VDOM2 is operating in NAT/Route mode. There is an inter-VDOM link between both VDOMs. A client workstation with the IP address 10.0.1.10/24 is connected to port2. A web server with the IP address 10.200.1.2/24 is connected to port1.
What is required in the FortiGate configuration to route and allow connections from the client workstation to the web server? (Choose two.)
- A. A static or dynamic route in VDOM2 with the subnet 10.0.1.0/24 as the destination.
- B. A static or dynamic route in VDOM1 with the subnet 10.200.1.0/24 as the destination.
- C. One firewall policy in VDOM1 with port2 as the source interface and InterVDOM0 as the destination interface.
- D. One firewall policy in VDOM2 with InterVDOM1 as the source interface and port1 as the destination interface.
Answer: AC
NEW QUESTION 19
An administrator has configured two VLAN interfaces:
A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5 interface. However, the DHCP client cannot get a dynamic IP address from the DHCP server. What is the cause of the problem?
- A. Both interfaces must belong to the same forward domain.
- B. The role of the VLAN10 interface must be set to server.
- C. Both interfaces must have the same VLAN ID.
- D. Both interfaces must be in different VDOMs.
Answer: A
NEW QUESTION 20
When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?
- A. Connected monitored ports > HA uptime > priority > serial number
- B. Priority > Connected monitored ports > HA uptime > serial number
- C. Connected monitored ports > priority > HA uptime > serial number
- D. HA uptime > priority > Connected monitored ports > serial number
Answer: C
NEW QUESTION 21
Which statements about antivirus scanning mode are true? (Choose two.)
- A. In proxy-based inspection mode, antivirus buffers the whole file for scanning before sending it to the client.
- B. In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use protocol option profiles.
- C. In proxy-based inspection mode, if a virus is detected, a replacement message may not be displayed immediately.
- D. In quick scan mode, you can configure antivirus profiles to use any of the available signature databases.
Answer: BD
NEW QUESTION 22
A team manager has decided that while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?
- A. Implement a web filter category override for the specified website.
- B. Implement web filter authentication for the specified website.
- C. Implement web filter quotas for the specified website.
- D. Implement DNS filter for the specified website.
Answer: A
NEW QUESTION 23
Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)
- A. Priority
- B. Metric
- C. Distance
- D. Cost
Answer: AC
NEW QUESTION 24
An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark Port Forward. What step is required for this configuration?
- A. Configure an SSL VPN realm for clients to use the port forward bookmark.
- B. Configure the client application to forward IP traffic through FortiClient.
- C. Configure the virtual IP address to be assigned to the SSL VPN users.
- D. Configure the client application to forward IP traffic to a Java applet proxy.
Answer: D