The Updated Guide To NSE4_FGT-7.0 Free Download

NEW QUESTION 1

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

• A. Log downloads from the GUI are limited to the current filter view
• B. Log backups from the CLI cannot be restored to another FortiGate.
• C. Log backups from the CLI can be configured to upload to FTP as a scheduled time
• D. Log downloads from the GUI are stored as LZ4 compressed files.

Answer: AB

NEW QUESTION 2

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

• A. Web filter in flow-based inspection
• B. Antivirus in flow-based inspection
• C. DNS filter
• D. Web application firewall
• E. Application control

Answer: ABE

NEW QUESTION 3

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

• A. This is known as many-to-one NAT.
• B. Source IP is translated to the outgoing interface IP.
• C. Connections are tracked using source port and source MAC address.
• D. Port address translation is not used.

Answer: BD

NEW QUESTION 4

Which three methods are used by the collector agent for AD polling? (Choose three.)

• A. FortiGate polling
• B. NetAPI
• C. Novell API
• D. WMI
• E. WinSecLog

Answer: BDE

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

NEW QUESTION 5

Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

• A. Change password
• B. Enable restrict access to trusted hosts
• C. Change Administrator profile
• D. Enable two-factor authentication

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD34502

NEW QUESTION 6

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

• A. Device detection on all interfaces is enforced for 30 minutes.
• B. Denied users are blocked for 30 minutes.
• C. A session for denied traffic is created.
• D. The number of logs generated by denied traffic is reduced.

Answer: CD

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328

NEW QUESTION 7

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

• A. To detect intermediary NAT devices in the tunnel path.
• B. To dynamically change phase 1 negotiation mode aggressive mode.
• C. To encapsulation ESP packets in UDP packets using port 4500.
• D. To force a new DH exchange with each phase 2 rekey.

Answer: AC

NEW QUESTION 8

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

• A. Disabled
• B. On Demand
• C. Enabled
• D. On Idle

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD40813

NEW QUESTION 9

Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

• A. Custom permission for Network
• B. Read/Write permission for Log & Report
• C. CLI diagnostics commands permission
• D. Read/Write permission for Firewall

Answer: C

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50220

NEW QUESTION 10

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

• A. Firewall policy
• B. Policy rule
• C. Security policy
• D. SSL inspection and authentication policy

Answer: CD

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode

NEW QUESTION 11

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

• A. Full Content inspection
• B. Proxy-based inspection
• C. Certificate inspection
• D. Flow-based inspection

Answer: D

NEW QUESTION 12

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

• A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password
• B. FortiGate supports pre-shared key and signature as authentication methods.
• C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
• D. A certificate is not required on the remote peer when you set the signature as the authentication method.

Answer: AB

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/913287/ipsec-vpn-authenticating-aremote-fortigate

NEW QUESTION 13

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

• A. The strict RPF check is run on the first sent and reply packet of any new session.
• B. Strict RPF checks the best route back to the source using the incoming interface.
• C. Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.
• D. Strict RPF allows packets back to sources with all active routes.

Answer: B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

NEW QUESTION 14

Which two statements are true about collector agent standard access mode? (Choose two.)

• A. Standard mode uses Windows convention-NetBios: Domain\Username.
• B. Standard mode security profiles apply to organizational units (OU).
• C. Standard mode security profiles apply to user groups.
• D. Standard access mode supports nested groups.

Answer: AC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso

NEW QUESTION 15

Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

• A. The IPS engine was inspecting high volume of traffic.
• B. The IPS engine was unable to prevent an intrusion attack.
• C. The IPS engine was blocking all traffic.
• D. The IPS engine will continue to run in a normal state.

Answer: A

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage

NEW QUESTION 16

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

• A. Run a sniffer on the web server.
• B. Capture the traffic using an external sniffer connected to port1.
• C. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”
• D. Execute a debug flow.

Answer: D

NEW QUESTION 17

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

• A. The interface has been configured for one-arm sniffer.
• B. The interface is a member of a virtual wire pair.
• C. The operation mode is transparent.
• D. The interface is a member of a zone.
• E. Captive portal is enabled in the interface.

Answer: ABC

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

NEW QUESTION 18
......