Avant-garde Fortinet NSE 4 - FortiOS 6.4 NSE4_FGT-6.4 Free Question

NEW QUESTION 1
Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

• A. To allow for out-of-order packets that could arrive after the FIN/ACK packets
• B. To finish any inspection operations
• C. To remove the NAT operation
• D. To generate logs

Answer: B

NEW QUESTION 2
Refer to the exhibit.


The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check.
Which interface will be selected as an outgoing interface?

• A. port2
• B. port4
• C. port3
• D. port1

Answer: B

NEW QUESTION 3
An administrator is running the following sniffer command:

Which three pieces of Information will be Includedin me sniffer output? {Choose three.)

• A. Interface name
• B. Packetpayload
• C. Ethernet header
• D. IP header
• E. Application header

Answer: BCE

NEW QUESTION 4
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

• A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
• B. An SA never expires.
• C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
• D. Phase 2 SA expiration can be time-based, volume-based, or both.
• E. Both the phase 1 SA and phase 2 SA are bidirectional.

Answer: BCD

NEW QUESTION 5
Refer to the exhibit.


The exhibits show a network diagram and the explicit web proxy configuration.
In the commanddiagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?

• A. ‘host 192.168.0.2 and port 8080’
• B. ‘host 10.0.0.50 and port 80’
• C. ‘host 192.168.0.1 and port 80’
• D. ‘host 10.0.0.50 and port 8080’

Answer: A

NEW QUESTION 6
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

• A. The strict RPF check is run on the first sent and reply packet of any new session.
• B. Strict RPF checks the best route back to the sourceusingtheincoming interface.
• C. Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.
• D. Strict RPF allows packets back to sources with all active routes.

Answer: A

NEW QUESTION 7
Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)

• A. Lookup is done on the first packet from the session originator
• B. Lookup is done on the last packet sent from the responder
• C. Lookup is done on every packet, regardless of direction
• D. Lookup is done on the trust reply packet from the responder

Answer: AD

NEW QUESTION 8
View the exhibit.

Which of the following statements are correct? (Choose two.)

• A. This setup requires at least two firewall policies with the action set to IPsec.
• B. Dead peer detection must be disabled to support this type of IPsec setup.
• C. The TunnelB route is the primary route for reaching the remote sit
• D. The TunnelA route is used only if the TunnelB VPN is down.
• E. This is a redundant IPsec setup.

Answer: CD

NEW QUESTION 9
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

• A. diagnose wad session list
• B. diagnose wad session list | grep hook-pre&&hook-out
• C. diagnose wad session list | grep hook=pre&&hook=out
• D. diagnose wad session list | grep "hook=pre"&"hook=out"

Answer: D

NEW QUESTION 10
Which two statements ate true about the Security Fabric rating? (Choose two.)

• A. It provides executive summaries of the four largest areas of security focus.
• B. Many of the security issues can befixed immediately by click ng Apply where available.
• C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
• D. The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

Answer: AC

NEW QUESTION 11
Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration. The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24. The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

• A. 10.200.1.1
• B. 10.200.3.1
• C. 10.200.1.100
• D. 10.200.1.10

Answer: A

NEW QUESTION 12
How do you format the FortiGate flash disk?

• A. Load a debug FortiOS image.
• B. Load the hardware test (HQIP) image.
• C. Execute the CLI command execute formatlogdisk.
• D. Select the format boot device option from the BIOS menu.

Answer: D

NEW QUESTION 13
Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

• A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
• B. ADVPN is only supported with IKEv2.
• C. Tunnels are negotiated dynamically between spokes.
• D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Answer: AC

NEW QUESTION 14
Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

• A. Custom permission for Network
• B. Read/Write permission for Log & Report
• C. CLI diagnostics commands permission
• D. Read/Write permission for Firewall

Answer: A

NEW QUESTION 15
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

• A. The public key of the web servercertificate must be installed on the browser.
• B. The web-server certificate must be installed on the browser.
• C. The CA certificate that signed the web-server certificate must be installed on the browser.
• D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Answer: C

NEW QUESTION 16
Refer to theexhibits.


The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but they areunableto leavereactions on videos or other types ofposts.
Which part ofthe policy configuration must you change to resolve the issue?

• A. The SSL inspection needs tobe a deep content inspection.
• B. Force access to Facebook using the HTTP service.
• C. Additional application signatures arerequired to add to thesecurity policy.
• D. Add Facebook in the URL category in the security policy.

Answer: A

NEW QUESTION 17
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

• A. Shut down/reboot a downstream FortiGate device.
• B. Disable FortiAnalyzer logging for a downstream FortiGate device.
• C. Log in to a downstream FortiSwitch device.
• D. Ban or unban compromised hosts.

Answer: A

NEW QUESTION 18
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

• A. On HQ-FortiGate,enable Auto-negotiate.
• B. On Remote-FortiGate, set Seconds to 43200.
• C. On HQ-FortiGate,enable Diffie-Hellman Group 2.
• D. On HQ-FortiGate, set Encryption to AES256.

Answer: D

NEW QUESTION 19
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

• A. To remove the NAT operation.
• B. To generate logs
• C. To finish any inspection operations.
• D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Answer: D

NEW QUESTION 20
View the exhibit:

Which the FortiGate handle web proxy traffic rue? (Choose two.)

• A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
• B. port-VLAN1 is the native VLAN for the port1 physical interface.
• C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
• D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

Answer: AC

NEW QUESTION 21
......