Up To The Minute Fortinet NSE 4 - FortiOS 7.2 NSE4_FGT-7.2 Study Guide

NEW QUESTION 1
Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

• A. Warning
• B. Exempt
• C. Allow
• D. Learn

Answer: AC

NEW QUESTION 2
Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services.

Which CLI command must the administrator use to view the route?

• A. get router info routing-table database
• B. diagnose firewall route list
• C. get internet-service route list
• D. get router info routing-table all

Answer: B

Explanation:
ISDB static route will not create entry directly in routing-table. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for-Predefined-Internet/ta-p/1
and here
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/190640
FortiGate Infrastructure 7.2 Study Guide (p.16 and p.59): "Even though they are configured as static routes, ISDB routes are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table." "FortiOS maintains a policy route table that you can view by running the diagnose firewall proute list command."

NEW QUESTION 3
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

• A. The matching firewall policy is set to proxy inspection mode.
• B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
• C. The full SSL inspection feature does not have a valid license.
• D. The browser does not trust the certificate used by FortiGate for SSL inspection.

Answer: D

Explanation:
FortiGate Security 7.2 Study Guide (p.235): "If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser."

NEW QUESTION 4
An administrator configures outgoing interface any in a firewall policy. What is the result of the policy list view?

• A. Search option is disabled.
• B. Policy lookup is disabled.
• C. By Sequence view is disabled.
• D. Interface Pair view is disabled.

Answer: D

Explanation:
"If you use multiple source or destination interfaces, or the any interface in a firewall policy, you cannot separate policies into sections by interface pairs—some would be triplets or more. So instead, policies are then always displayed in a single list (By Sequence)."

NEW QUESTION 5
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

• A. The interface has been configured for one-arm sniffer.
• B. The interface is a member of a virtual wire pair.
• C. The operation mode is transparent.
• D. The interface is a member of a zone.
• E. Captive portal is enabled in the interface.

Answer: ABC

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

NEW QUESTION 6
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

• A. Log downloads from the GUI are limited to the current filter view
• B. Log backups from the CLI cannot be restored to another FortiGat
• C. Log backups from the CLI can be configured to upload to FTP as a scheduled time
• D. Log downloads from the GUI are stored as LZ4 compressed files.

Answer: AB

NEW QUESTION 7
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

• A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
• B. Extended authentication (XAuth) to request the remote peer to provide a username and password
• C. No certificate is required on the remote peer when you set the certificate signature as the authentication method
• D. Pre-shared key and certificate signature as authentication methods

Answer: BD

Explanation:
* B. Extended authentication (XAuth) to request the remote peer to provide a username and password
This is true because extended authentication (XAuth) is a feature that allows FortiGate to request the remote peer to provide a username and password during the IPsec IKEv1 authentication process. XAuth is an extension of the IKEv1 protocol that adds an additional authentication step after the main mode or aggressive mode exchange. XAuth can be used with either pre-shared key or certificate signature as the primary authentication method, and it can provide stronger security and granular access control for IPsec VPNs12
* D. Pre-shared key and certificate signature as authentication methods
This is true because pre-shared key and certificate signature are two authentication methods that are supported by FortiGate for IPsec IKEv1 VPNs. Pre-shared key is a method where both peers share a secret key that is used to authenticate each other during the IKEv1 exchange. Certificate signature is a method where both peers have digital certificates that are used to verify each other’s identity and public key during the IKEv1 exchange. Both methods can be combined with XAuth for additional authentication

NEW QUESTION 8
Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

• A. The security actions applied on the web applications will also be explicitly applied on the third-party websites.
• B. The application signature database inspects traffic only from the original web application server.
• C. FortiGuard maintains only one signature of each web application that is unique.
• D. FortiGate can inspect sub-application traffic regardless where it was originate

Answer: D

NEW QUESTION 9
Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a
decrease in the CPU usage?

• A. The IPS engine was inspecting high volume of traffic.
• B. The IPS engine was unable to prevent an intrusion attack .
• C. The IPS engine was blocking all traffic.
• D. The IPS engine will continue to run in a normal state.

Answer: A

Explanation:
fortinet-fortigate-security-study-guide-for-fortios-72 page 417 If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.

NEW QUESTION 10
Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

• A. Social networking web filter category is configured with the action set to authenticate.
• B. The action on firewall policy ID 1 is set to warning.
• C. Access to the social networking web filter category was explicitly blocked to all users.
• D. The name of the firewall policy is all_users_web.

Answer: A

NEW QUESTION 11
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

• A. The next-hop IP address is unreachable.
• B. It failed the RPF check .
• C. It matched an explicitly configured firewall policy with the action DENY.
• D. It matched the default implicit firewall policy.

Answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900 https://www.fortinetguru.com/2016/03/what-is-policy-id-0-and-why-lot-of-denied-traffic-on-this-policy/

NEW QUESTION 12
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

• A. By default, FortiGate uses WINS servers to resolve names.
• B. By default, the SSL VPN portal requires the installation of a client's certificate.
• C. By default, split tunneling is enabled.
• D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Answer: D

NEW QUESTION 13
Refer to the exhibit.


The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration. The WAN (port1) interface has the IP address 10.200. 1. 1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24. The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0. 1. 10?

• A. 10.200. 1. 1
• B. 10.200.3. 1
• C. 10.200. 1. 100
• D. 10.200. 1. 10

Answer: C

Explanation:
Policy 1 is applied on outbound (LAN-WAN) and policy 2 is applied on inbound (WAN-LAN). question is asking SNAT for outbound traffic so policy 1 will take place and NAT overload is in effect.

NEW QUESTION 14
Refer to the exhibits.


The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

• A. Change the SSL VPN port on the client.
• B. Change the Server IP address.
• C. Change the idle-timeout.
• D. Change the SSL VPN portal to the tunnel.

Answer: A

NEW QUESTION 15
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

• A. diagnose wad session list
• B. diagnose wad session list | grep hook-pre&&hook-out
• C. diagnose wad session list | grep hook=pre&&hook=out
• D. diagnose wad session list | grep "hook=pre"&"hook=out"

Answer: A

NEW QUESTION 16
Which statement is correct regarding the security fabric?

• A. FortiManager is one of the required member devices.
• B. FortiGate devices must be operating in NAT mode.
• C. A minimum of two Fortinet devices is required.
• D. FortiGate Cloud cannot be used for logging purposes.

Answer: B

Explanation:
FortiGate Security 7.2 Study Guide (p.428): "You must have a minimum of two FortiGate devices at the core of the Security Fabric, plus one FortiAnalyzer or cloud logging solution. FortiAnalyzer Cloud or FortiGate Cloud can act as the cloud logging solution. The FortiGate devices must be running in NAT mode."

NEW QUESTION 17
Refer to the exhibit.

Which contains a network diagram and routing table output. The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

• A. The first packet sent from Student failed the RPF check.This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
• B. The first reply packet for Student failed the RPF check.This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
• C. The first reply packet for Student failed the RPF check .This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.
• D. The first packet sent from Student failed the RPF check.This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.

Answer: D

NEW QUESTION 18
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

• A. The keyUsage extension must be set to keyCertSign.
• B. The common name on the subject field must use a wildcard name.
• C. The issuer must be a public CA.
• D. The CA extension must be set to TRUE.

Answer: AD

Explanation:
"In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."

NEW QUESTION 19
......