Up To The Immediate Present NSE4_FGT-6.2 Braindumps 2021

NEW QUESTION 1
Examine the network diagram shown in the exhibit, and then answer the following question:

A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes will satisfy this requirement on FGT1? (Choose two.)

• A. 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]
• B. 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]
• C. 172.20.2.0/24 (1/150) via 10.10.1.2, port3 [10/0]
• D. 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]

Answer: CD

NEW QUESTION 2
An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is configured with a web filter and an SSL inspection profile configured for deep inspection. Which of the following are possible actions to eliminate the certificate error generated by deep inspection? (Choose two.)

• A. Implement firewall authentication for all users that need access to fortinet.com.
• B. Manually install the FortiGate deep inspection certificate as a trusted CA.
• C. Configure fortinet.com access to bypass the IPS engine.
• D. Configure an SSL-inspection exemption for fortinet.com.

Answer: AD

NEW QUESTION 3
Examine the exhibit, which contains a session diagnostic output.

Which of the following statements about the session diagnostic output is true?

• A. The session is in ESTABLISHED state.
• B. The session is in LISTEN state.
• C. The session is in TIME_WAIT state.
• D. The session is in CLOSE_WAIT state.

Answer: A

NEW QUESTION 4
Which statement about FortiGuard services for FortiGate is true?

• A. The web filtering database is downloaded locally on FortiGate.
• B. Antivirus signatures are downloaded locally on FortiGate.
• C. FortiGate downloads IPS updates using UDP port 53 or 8888.
• D. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates.

Answer: B

NEW QUESTION 5
Which statements about antivirus scanning mode are true? (Choose two.)

• A. In proxy-based inspection mode antivirus buffers the whole file for scarring before sending it to the client.
• B. In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use protocol option profiles.
• C. In proxy-based inspection mode, if a virus is detected, a replacement message may not be displayed immediately.
• D. In quick scan mode, you can configure antivirus profiles to use any of the available signature data bases.

Answer: AB

Explanation:
A: Buffers the whole file, packets sent to the client after scan finishes
B: When the antivirus profile is operating in flow-based inspection mode, two scanning mode options are available: full scan mode and quick scan mode.(Normal extended, or extreme-depending on what is configured in the CLI).

NEW QUESTION 6
View the exhibit.

Which users and user groups are allowed access to the network through captive portal?

• A. Users and groups defined in the firewall policy.
• B. Only individual users – not groups – defined in the captive portal configuration
• C. Groups defined in the captive portal configuration
• D. All users

Answer: A

NEW QUESTION 7
An administrator wants to configure a FortiGate as a DNS server. FotiGate must use a DNS database first, and then relay all irresolvable queries to an external DNS server. Which of the following DNS methods must you use?

• A. Recursive
• B. Non-recursive
• C. Forward to primary and secondary DNS
• D. Forward to system DNS

Answer: A

NEW QUESTION 8
An administrator has configured two VLAN interfaces:

A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5 interface. However, the DHCP client cannot get a dynamic IP address from the DHCP server. What is the cause of the problem?

• A. Both interfaces must belong to the same forward domain.
• B. The role of the VLAN10 interface must be set to server.
• C. Both interfaces must have the same VLAN ID.
• D. Both interfaces must be in different VDOMs.

Answer: A

NEW QUESTION 9
View the exhibit:

The client cannot connect to the HTTP web server. The administrator ran the FortiGate built-in sniffer and got the following output:

What should be done next to troubleshoot the problem?

• A. Run a sniffer in the web server.
• B. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.
• C. Capture the traffic using an external sniffer connected to port1.
• D. Execute a debug flow.

Answer: D

Explanation:
Step 1: Routing table check (in NAT mode)Step 2: Verify is services are opened (if access to the FortiGate)Step 3: Sniffer traceStep 4: Debug flowStep 5: Session list

NEW QUESTION 10
An administrator has enabled the DHCP Server on the port1 interface and configured the following based on the exhibit.

Which statement is correct based on this configuration? Response:

• A. The MAC address 00:0c:29:29:38:da belongs to the port1 interface.
• B. Access to the network is blocked for the devices with the MAC address 00:0c:29:29:38:da and the IP address 10.0.1.254.
• C. 00:0c:29:29:38:da is the virtual MAC address assigned to the secondary IP address (10.0.1.254) of the port1 interface.
• D. The IP address 10.0.1.254 is reserves for the device with the MAC address 00:0c:29:29:38:da.

Answer: D

NEW QUESTION 11
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?

• A. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.
• B. Client > secondary FortiGate> web server.
• C. Clinet >secondary FortiGate> primary FortiGate> web server.
• D. Client> primary FortiGate> secondary FortiGate> web server.

Answer: D

NEW QUESTION 12
Which of the following statements about policy-based IPsec tunnels are true? (Choose two.)

• A. They can be configured in both NAT/Route and transparent operation modes.
• B. They support L2TP-over-IPsec.
• C. They require two firewall policies: one for each directions of traffic flow.
• D. They support GRE-over-IPsec.

Answer: AB

NEW QUESTION 13
By default, when logging to disk, when does FortiGate delete logs?

• A. 30 days
• B. 1 year
• C. Never
• D. 7 days

Answer: D

NEW QUESTION 14
A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?

• A. Implement a web filter category override for the specified website.
• B. Implement web filter authentication for the specified website
• C. Implement web filter quotas for the specified website.
• D. Implement DNS filter for the specified website.

Answer: A

NEW QUESTION 15
Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)

• A. Priority
• B. Metric
• C. Distance
• D. Cost

Answer: AC

NEW QUESTION 16
Which statement is true regarding the policy ID number of a firewall policy?

• A. Defines the order in which rules are processed.
• B. Represents the number of objects used in the firewall policy.
• C. Required to modify a firewall policy using the CLI.
• D. Changes when firewall policies are reordered.

Answer: C

NEW QUESTION 17
Which statements about a One-to-One IP pool are true? (Choose two.)

• A. It is used for destination NAT.
• B. It allows the fixed mapping of an internal address range to an external address range.
• C. It does not use port address translation.
• D. It allows the configuration of ARP replies.

Answer: CD

NEW QUESTION 18
Which of the following statements about virtual domains (VDOMs) are true? (Choose two.)

• A. The root VDOM is the management VDOM by default.
• B. A FortiGate device has 64 VDOMs, created by default.
• C. Each VDOM maintains its own system time.
• D. Each VDOM maintains its own routing table.

Answer: AD

NEW QUESTION 19
Which statement about DLP on FortiGate is true?

• A. It can archive files and messages.
• B. It can be applied to a firewall policy in a flow-based VDOM
• C. Traffic shaping can be applied to DLP sensors.
• D. Files can be sent to FortiSandbox for detecting DLP threats.

Answer: A

NEW QUESTION 20
Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

• A. Include the group of guest users in a policy.
• B. Extend timeout timers.
• C. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.
• D. Ensure all firewalls allow the FSSO required ports.

Answer: AD

NEW QUESTION 21
An administration wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?

• A. tcp_port_scan
• B. ip_dst_session
• C. udp_flood
• D. ip_src_session

Answer: A

Explanation:
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/DoS%20Pr

NEW QUESTION 22
Which of the following statements about converse mode are true? (Choose two.)

• A. FortiGate stops sending files to FortiSandbox for inspection.
• B. FortiGate stops doing RPF checks over incoming packets.
• C. Administrators cannot change the configuration.
• D. Administrators can access the FortiGate only through the console port.

Answer: AC

NEW QUESTION 23
Examine the network diagram and the existing FGTI routing table shown in the exhibit, and then answer the following question:

An administrator has added the following static route on FGTI.

Since the change, the new static route is not showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?

• A. The new route’s destination subnet overlaps an existing route.
• B. The new route’s Distance value should be higher than 10.
• C. The Gateway IP address is not in the same subnet as port1.
• D. The Priority is 0, which means that this route will remain inactive.

Answer: C

NEW QUESTION 24
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

• A. The firmware image must be manually uploaded to each FortiGate.
• B. Only secondary FortiGate devices are rebooted.
• C. Uninterruptable upgrade is enabled by default.
• D. Traffic load balancing is temporally disabled while upgrading the firmware.

Answer: BD

NEW QUESTION 25
View the certificate shown to the exhibit, and then answer the following question:

The CA issued this certificate to which entity?

• A. A root CA
• B. A person
• C. A bridge CA
• D. A subordinate CA

Answer: A

NEW QUESTION 26
......