The Refresh Guide To NSE4_FGT-7.0 Test Engine

NEW QUESTION 1

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

• A. Source defined as Internet Services in the firewall policy.
• B. Destination defined as Internet Services in the firewall policy.
• C. Highest to lowest priority defined in the firewall policy.
• D. Services defined in the firewall policy.
• E. Lowest to highest policy ID number.

Answer: ABD

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47435

NEW QUESTION 2

Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)

• A. Lookup is done on the first packet from the session originator
• B. Lookup is done on the last packet sent from the responder
• C. Lookup is done on every packet, regardless of direction
• D. Lookup is done on the trust reply packet from the responder

Answer: AD

NEW QUESTION 3

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

• A. Heartbeat interfaces have virtual IP addresses that are manually assigned.
• B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
• C. Virtual IP addresses are used to distinguish between cluster members.
• D. The primary device in the cluster is always assigned IP address 169.254.0.1.

Answer: BD

NEW QUESTION 4

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

• A. The port3 default route has the highest distance.
• B. The port3 default route has the lowest metric.
• C. There will be eight routes active in the routing table.
• D. The port1 and port2 default routes are active in the routing table.

Answer: AD

NEW QUESTION 5

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

• A. On HQ-FortiGate, set IKE mode to Main (ID protection).
• B. On both FortiGate devices, set Dead Peer Detection to On Demand.
• C. On HQ-FortiGate, disable Diffie-Helman group 2.
• D. On Remote-FortiGate, set port2 as Interface.

Answer: AD

NEW QUESTION 6

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

• A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
• B. ADVPN is only supported with IKEv2.
• C. Tunnels are negotiated dynamically between spokes.
• D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Answer: AC

NEW QUESTION 7

Refer to the exhibit.



The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

• A. If there is a full-through policy in place, users will not be prompted for authentication.
• B. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.
• C. Authentication is enforced at a policy level; all users will be prompted for authentication.
• D. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Answer: C

NEW QUESTION 8

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

• A. DNS
• B. ping
• C. udp-echo
• D. TWAMP

Answer: CD

NEW QUESTION 9

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

• A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
• B. Create a new service object for HTTP service and set the session TTL to never
• C. Set the TTL value to never under config system-ttl
• D. Set the session TTL on the HTTP policy to maximum

Answer: BC

NEW QUESTION 10

Which statement about video filtering on FortiGate is true?

• A. Full SSL Inspection is not required.
• B. It is available only on a proxy-based firewall policy.
• C. It inspects video files hosted on file sharing services.
• D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering

NEW QUESTION 11

Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

• A. It is allowed, but with no inspection
• B. It is allowed and inspected as long as the inspection is flow based
• C. It is dropped.
• D. It is allowed and inspected, as long as the only inspection required is antivirus.

Answer: C

NEW QUESTION 12

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

• A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
• B. An SA never expires.
• C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
• D. Phase 2 SA expiration can be time-based, volume-based, or both.
• E. Both the phase 1 SA and phase 2 SA are bidirectional.

Answer: ACD

NEW QUESTION 13

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

• A. FortiGate SN FGVM010000065036 HA uptime has been reset.
• B. FortiGate devices are not in sync because one device is down.
• C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
• D. FortiGate SN FGVM010000064692 has the higher HA priority.

Answer: AD

Explanation:
* 1. Override is disable by default - OK
* 2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary" The question here is : HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes) Page 314 Infra Study Guide.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab

NEW QUESTION 14

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

• A. A phase 2 configuration is not required.
• B. This VPN cannot be used as part of a hub-and-spoke topology.
• C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
• D. The IPsec firewall policies must be placed at the top of the list.

Answer: C

Explanation:
In a route-based configuration, FortiGate automatically adds a virtual interface eith the VPN name (Infrastructure Study Guide, 206)

NEW QUESTION 15

An administrator is running the following sniffer command:

Which three pieces of Information will be Included in me sniffer output? {Choose three.)

• A. Interface name
• B. Packet payload
• C. Ethernet header
• D. IP header
• E. Application header

Answer: ABD

NEW QUESTION 16

You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk.
What is the default behavior when the local disk is full?

• A. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
• B. No new log is recorded until you manually clear logs from the local disk.
• C. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
• D. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

Answer: C

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/462620/log-disk-setting

NEW QUESTION 17

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

• A. To allow for out-of-order packets that could arrive after the FIN/ACK packets
• B. To finish any inspection operations
• C. To remove the NAT operation
• D. To generate logs

Answer: A

Explanation:
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.

NEW QUESTION 18
......