Free May-2024 NSE4_FGT-7.2 Certification Sample Questions certification Exam [Q10-Q35]

Free May-2024 NSE4_FGT-7.2 Certification Sample Questions certification Exam

Certification Topics of NSE4_FGT-7.2 Exam PDF Recently Updated Questions

NEW QUESTION # 10
What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

• A. FortiGate uses fewer resources.
• B. FortiGate adds less latency to traffic.
• C. FortiGate performs a more exhaustive inspection on traffic.
• D. FortiGate allocates two sessions per connection.

Answer: A,B

NEW QUESTION # 11
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

• A. The next-hop IP address is unreachable.
• B. It failed the RPF check .
• C. It matched an explicitly configured firewall policy with the action DENY.
• D. It matched the default implicit firewall policy.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900

NEW QUESTION # 12
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

• A. FortiGate allocates 128 port blocks per user.
• B. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
• C. FortiGate allocates port blocks on a first-come, first-served basis.
• D. FortiGate generates a system event log for every port block allocation made per user.

Answer: A,B

NEW QUESTION # 13
View the exhibit.

Which of the following statements are correct? (Choose two.)

• A. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
• B. This setup requires at least two firewall policies with the action set to IPsec.
• C. This is a redundant IPsec setup.
• D. Dead peer detection must be disabled to support this type of IPsec setup.

Answer: A,C

Explanation:
https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/632796/ospf-with-ipsec-vpn-for-network-redundancy

NEW QUESTION # 14
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

• A. FortiGate uses the AD server as the collector agent.
• B. FortiGate points the collector agent to use a remote LDAP server.
• C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
• D. FortiGate queries AD by using the LDAP to retrieve user group information.

Answer: C,D

Explanation:
Fortigate Infrastructure 7.0 Study Guide P.272-273
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

NEW QUESTION # 15
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

• A. Enabled
• B. Disabled
• C. On Idle
• D. On Demand

Answer: C

NEW QUESTION # 16
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster?
(Choose two.)

• A. FortiGate hostname
• B. DNS
• C. FortiGuard web filter cache
• D. NTP

Answer: B,D

NEW QUESTION # 17
Refer to the exhibit.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

What is the impact of using the Include in every user group option in a RADIUS configuration?

• A. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
• B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
• C. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
• D. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.

Answer: B

NEW QUESTION # 18
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

• A. Add user accounts to the Ignore User List.
• B. Add user accounts to Active Directory (AD).
• C. Add the support of NTLM authentication.
• D. Add user accounts to the FortiGate group fitter.

Answer: A

NEW QUESTION # 19
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

• A. It limits the scanning of application traffic to the browser-based technology category only.
• B. It limits the scanning of application traffic to use parent signatures only.
• C. It limits the scanning of application traffic to the DNS protocol only.
• D. It limits the scanning of application traffic to the application category only.

Answer: A

Explanation:
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode

NEW QUESTION # 20
Refer to exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

• A. On the Static URL Filter configuration, set Type to Simple
• B. On the Static URL Filter configuration, set Action to Exempt.
• C. On the Static URL Filter configuration, set Action to Monitor.
• D. On the FortiGuard Category Based Filter Action to Warning for Social Networking

Answer: B

NEW QUESTION # 21
Which statement about the policy ID number of a firewall policy is true?

• A. It represents the number of objects used in the firewall policy.
• B. It is required to modify a firewall policy using the CLI.
• C. It changes when firewall policies are reordered.
• D. It defines the order in which rules are processed.

Answer: B

NEW QUESTION # 22
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

• A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
• B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
• C. Enable Dead Peer Detection.
• D. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Answer: C,D

Explanation:
Study Guide - IPsec VPN - IPsec configuration - Phase 1 Network.
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.
There are three DPD modes. On demand is the default mode.
Study Guide - IPsec VPN - Redundant VPNs.
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing.
Configure FW policies for each IPsec interface.

NEW QUESTION # 23
Which statement correctly describes the use of reliable logging on FortiGate?

• A. Reliable logging is required to encrypt the transmission of logs.
• B. Reliable logging can be configured only using the CLI.
• C. Reliable logging prevents the loss of logs when the local disk is full.
• D. Reliable logging is enabled by default in all configuration scenarios.

Answer: C

Explanation:
Explanation
On a FortiGate device, reliable logging is a feature that helps to prevent the loss of log messages when the local disk is full. When reliable logging is enabled, the FortiGate will store log messages in a buffer until they can be written to the local disk. This helps to ensure that log messages are not lost due to a full disk, allowing administrators to maintain an accurate record of activity on the network. Reliable logging is not enabled by default in all configuration scenarios, and it does not encrypt the transmission of logs or require the use of the CLI to be configured. However, it is a useful feature to enable in order to maintain a comprehensive record of activity on the network and help with troubleshooting and security analysis.

NEW QUESTION # 24
Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

• A. The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.
• B. The sensor will block all attacks aimed at Windows servers.
• C. The sensor will reset all connections that match these signatures.
• D. The sensor will gather a packet log for all matched traffic.

Answer: A,B

NEW QUESTION # 25
Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

• A. The session is in TCP ESTABLISHED state.
• B. The session is a UDP unidirectional state.
• C. The session is a bidirectional UDP connection.
• D. The session is a bidirectional TCP connection.

Answer: C

Explanation:
Explanation
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NEW QUESTION # 26
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface. Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

• A. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
• B. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
• C. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
• D. The two VLAN sub interfaces must have different VLAN IDs.

Answer: D

Explanation:
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf > page 147
"Multiple VLANs can coexist in the same physical interface, provide they have different VLAN ID"

NEW QUESTION # 27
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

• A. Strict RPF checks the best route back to the source using the incoming interface.
• B. Strict RPF allows packets back to sources with all active routes.
• C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
• D. The strict RPF check is run on the first sent and reply packet of any new session.

Answer: C

NEW QUESTION # 28
Which three methods are used by the collector agent for AD polling? (Choose three.)

• A. FortiGate polling
• B. Novell API
• C. NetAPI
• D. WMI
• E. WinSecLog

Answer: C,D,E

NEW QUESTION # 29
Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Two PCS, PCI and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the Intarnet_ Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)

• A. In the IP pool configuration, set endip to 192.2. O .12
• B. In the IP pool configuration, set type to overload.
• C. Configure 192.2. O. 12/24 as the secondary IP address on port1
• D. In the firewall policy configuration, disable ippool.
• E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.

Answer: A,B,D

NEW QUESTION # 30
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

• A. The CA extension must be set to TRUE.
• B. The issuer must be a public CA.
• C. The common name on the subject field must use a wildcard name.
• D. The keyUsage extension must be set to keyCertSign.

Answer: A,D

Explanation:
"In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."

NEW QUESTION # 31
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

• A. FortiGate hostname
• B. DNS
• C. FortiGuard web filter cache
• D. NTP

Answer: B,D

NEW QUESTION # 32
How can you disable RPF checking?

• A. Disable fail-detect on the interface level settings.
• B. Unset fail-alert-interfaces on the interface level settings.
• C. Disable src-check on the interface level settings
• D. Disable strict-src-check under system settings.

Answer: C

NEW QUESTION # 33
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

• A. Log backups from the CLI can be configured to upload to FTP as a scheduled time
• B. Log downloads from the GUI are limited to the current filter view
• C. Log backups from the CLI cannot be restored to another FortiGate.
• D. Log downloads from the GUI are stored as LZ4 compressed files.

Answer: B,C

NEW QUESTION # 34
Which statement is correct regarding the use of application control for inspecting web applications?

• A. Application control can identity child and parent applications, and perform different actions on them.
• B. Application control signatures are organized in a nonhierarchical structure.
• C. Application control does not require SSL inspection to identity web applications.
• D. Application control does not display a replacement message for a blocked web application.

Answer: A

Explanation:
Explanation
Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application control is enabled, FortiGate can identify child and parent applications, and can perform different actions on them based on the configuration.

NEW QUESTION # 35
......

Earning the Fortinet NSE4_FGT-7.2 certification can lead to a variety of career opportunities in the field of network security. Fortinet NSE 4 - FortiOS 7.2 certification is recognized worldwide and is highly valued by employers seeking professionals with expertise in Fortinet products and solutions. Additionally, certified professionals can further advance their careers by pursuing higher-level certifications, such as the NSE 5 and NSE 7 certifications. Overall, the Fortinet NSE4_FGT-7.2 exam is an essential certification for network security professionals who want to stay ahead of the curve and demonstrate their expertise in Fortinet products and solutions.

 

2024 New Preparation Guide of Fortinet NSE4_FGT-7.2 Exam: https://actualtests.crampdf.com/NSE4_FGT-7.2-exam-prep-dumps.html