Fortinet NSE4-5.4 Dumps 2021

NEW QUESTION 1
You have created a new administrator account, and assign it the prof_admin profile. Which is false about that account's permissions?

• A. It cannot upgrade or downgrade firmware.
• B. It can create and assign administrator accounts to parts of its own VDOM.
• C. It can reset forgotten passwords for other administrator accounts such as "admin".
• D. It has a smaller permissions scope than accounts with the "super_admin" profile.

Answer: A

NEW QUESTION 2
Which statement best describes the objective of the SYN proxy feature available in SP processors?

• A. Accelerate the TCP 3-way handshake
• B. Collect statistics regarding traffic sessions
• C. Analyze the SYN packet to decide if the new session can be offloaded to the SP processor
• D. Protect against SYN flood attacks.

Answer: D

NEW QUESTION 3
Caching improves performance by reducing FortiGate unit requests to the FortiGuard server. Which
of the following statements are correct regarding the caching of FortiGuard responses? (Select all that apply.)

• A. Caching is available for web filtering, antispam, and IPS requests.
• B. The cache uses a small portion of the FortiGate system memory.
• C. When the cache is full, the least recently used IP address or URL is deleted from the cache.
• D. An administrator can configure the number of seconds to store information in the cache before the FortiGate unit contacts the FortiGuard server again.
• E. The size of the cache will increase to accommodate any number of cached queries.

Answer: BCD

NEW QUESTION 4
The ordering of firewall policies is very important. Policies can be re-ordered within the FortiGate
unit's GUI and also using the CLI. The command used in the CLI to perform this function is ______.

• A. set order
• B. edit policy
• C. reorder
• D. move

Answer: D

NEW QUESTION 5
Your Linux email server runs on a non-standard port number, port 2525. Which statement is true?

• A. IPS cannot scan that traffic for SMTP anomalies because of the non-standard port numbe
• B. You must reconfigure the server to run on port 2.
• C. To apply IPS to traffic to that server, you must configure FortiGate SMTP proxy to listen on port 2525
• D. IPS will apply all SMTP signatures, regardless of whether they apply to clients or servers.
• E. Protocol decoders automatically detect SMTP and scan for matches with appropriate IPS signature.

Answer: B

NEW QUESTION 6
What must be configured in order to keep two static routes to the same destination in the routing
table?

• A. The same priority.
• B. The same distance and same priority.
• C. The same distance.
• D. The same metric.

Answer: B

NEW QUESTION 7
Which action does the FortiGate take when link health monitor times out?

• A. All routes to the destination subnet configured in the link health monitor are removed from the routing table.
• B. The distance values of all routes using interface configured in the link health monitor are increased.
• C. The priority values of all routes using configured in the link health monitor are increased.
• D. All routes using the next-hop gateway configured in the link health monitor are removed from the routing table.

Answer: D

NEW QUESTION 8
What FortiGate feature can be used to block a ping sweep scan from an attacker?

• A. Web application firewall (WAF)
• B. Rate based IPS signatures
• C. One-arm sniffer
• D. DoS policies

Answer: B

NEW QUESTION 9
A FortiGate is operating in NAT/Route mode and configured with two virtual LAN (VLAN) sub-
interfaces added to the same physical interface.
Which statement about the VLAN IDs in this scenario is true?

• A. The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs.
• B. The two VLAN sub-interfaces must have different VLAN IDs.
• C. The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in the same subnet.
• D. The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.

Answer: B

NEW QUESTION 10
Which statement regarding the firewall policy authentication timeout is true?

• A. It is an idle timeou
• B. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
• C. It is a hard timeou
• D. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
• E. It is an idle timeou
• F. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
• G. It is a hard timeou
• H. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

Answer: A

NEW QUESTION 11
Which of the following statement correct describes the use of the "diagnose sys ha reset- uptime"
command?

• A. To force an HA failover when the HA override setting is disabled.
• B. To force an HA failover when the HA override setting is enabled.
• C. To clear the HA counters.
• D. To restart a FortiGate unit that is part of an HA cluster.

Answer: A

NEW QUESTION 12
Which of the following cannot be used in conjunction with the endpoint compliance check?

• A. HTTP Challenge Redirect to a Secure Channel (HTTPS) in the Authentication Settings.
• B. Any form of firewall policy authentication.
• C. WAN optimization.
• D. Traffic shaping.

Answer: A

NEW QUESTION 13
The exhibit shoes three static routes.

Which routes will be used to route the packets to the destination IP address 172.20.168.1?

• A. The route with the ID number 2 and 3.
• B. Only the route with the ID number 3.
• C. Only the route with the ID number 2.
• D. Only the route with the ID number 1.

Answer: D

NEW QUESTION 14
Which of the following statements are correct differences between NAT/route and transparent mode? (Choose two.)

• A. In transparent mode, interfaces do not have IP addresses.
• B. Firewall polices are only used in NAT/ route mode.
• C. Static routers are only used in NAT/route mode.
• D. Only transparent mode permits inline traffic inspection at layer 2.

Answer: AC

NEW QUESTION 15
In NAT/Route mode when there is no matching firewall policy for traffic to be forwarded by the
Firewall, which of the following statements describes the action taken on traffic?

• A. The traffic is blocked.
• B. The traffic is passed.
• C. The traffic is passed and logged.
• D. The traffic is blocked and logged.

Answer: A

NEW QUESTION 16
Which statement about the IP authentication header (AH) used by IPsec is true?

• A. AH does not provide any data integrity or encryption.
• B. AH does not support perfect forward secrecy.
• C. AH provides data integrity but no encryption.
• D. AH provides strong data integrity but weak encryption.

Answer: C

NEW QUESTION 17
Which statements are correct for port pairing and forwarding domains? (Choose two.)

• A. They both create separate broadcast domains.
• B. Port Pairing works only for physical interfaces.
• C. Forwarding Domain only applies to virtual interfaces.
• D. They may contain physical and/or virtual interfaces.

Answer: AD