Fortinet NSE4-5.4 Free Practice Questions 2021

NEW QUESTION 1
Review the IPsec phase1 configuration in the Exhibit shown below; then answer the question following it.

Which of the following statements are correct regarding this configuration? (Select all that apply).

• A. The phase1 is for a route-based VPN configuration.
• B. The phase1 is for a policy-based VPN configuration.
• C. The local gateway IP is the address assigned to port1.
• D. The local gateway IP address is 10.200.3.1.

Answer: AC

NEW QUESTION 2
A static route is configured for a FortiGate unit from the CLI using the following commands:

Which of the following conditions are required for this static default route to be displayed in the FortiGate unit's routing table? (Choose two.)

• A. The administrative status of the wan1 interface is displayed as down.
• B. The link status of the wan1 interface is displayed as up.
• C. All other default routers should have a lower distance.
• D. The wan1 interface address and gateway address are on the same subnet.

Answer: BD

NEW QUESTION 3
Review the IPS sensor filter configuration shown in the exhibit

Based on the information in the exhibit, which statements are correct regarding the filter? (Choose two.)

• A. It does not log attacks targeting Linux servers.
• B. It matches all traffic to Linux servers.
• C. Its action will block traffic matching these signatures.
• D. It only takes effect when the sensor is applied to a policy.

Answer: CD

NEW QUESTION 4
Which of the following statements are correct concerning IKE mode config? (Choose two)

• A. It can dynamically assign IP addresses to IPsec VPN clients.
• B. It can dynamically assign DNS settings to IPsec VPN clients.
• C. It uses the ESP protocol.
• D. It can be enabled in the phase 2 configuration.

Answer: AB

NEW QUESTION 5
Review the output of the command config router ospf shown in the Exhibit below; then answer the question following it.

Which one of the following statements is correct regarding this output?

• A. OSPF Hello packets will only be sent on interfaces configured with the IP addresses 172.16.1.1 and 172.16.1.2.
• B. OSPF Hello packets will be sent on all interfaces of the FortiGate device.
• C. OSPF Hello packets will be sent on all interfaces configured with an address matching the 10.0.1.0/24 and 172.16.0.0/12 networks.
• D. OSPF Hello packets are not sent on point-to-point networks.

Answer: C

NEW QUESTION 6
A network administrator needs to implement dynamic route redundancy between a FortiGate unit
located in a remote office and a FortiGate unit located in the central office.
The remote office accesses central resources using IPSec VPN tunnels through two different Internet providers.
What is the best method for allowing the remote office access to the resources through the FortiGate unit used at the central office?

• A. Use two or more route-based IPSec VPN tunnels and enable OSPF on the IPSec virtual interfaces.
• B. Use two or more policy-based IPSec VPN tunnels and enable OSPF on the IPSec virtual interfaces.
• C. Use route-based VPNs on the central office FortiGate unit to advertise routes with a dynamic routing protocol and use a policy-based VPN on the remote office with two or more static default routes.
• D. Dynamic routing protocols cannot be used over IPSec VPN tunnels.

Answer: A

NEW QUESTION 7
Examine the exhibit; then answer the question below.

The Vancouver FortiGate initially had the following information in its routing table: S 172.20.0.0/16 [10/0] via 172.21.1.2, port2
C 172.21.0.0/16 is directly connected, port2 C 172.11.11.0/24 is directly connected, port1
Afterwards, the following static route was added:

Since this change, the new static route is NOT showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?

• A. The subnet 172.20.1.0/24 is overlapped with the subnet of one static route that is already in the routing table (172.20.0.0/16), so, we need to enable allow-subnet-overlap first.
• B. The 'gateway' IP address is NOT in the same subnet as the IP address of port1.
• C. The priority is 0, which means that the route will remain inactive.
• D. The static route configuration is missing the distance setting.

Answer: B

NEW QUESTION 8
View the exhibit.

The client cannot connect to the HTTP web server. The administrator run the FortiGate built-in sniffer and got the following output:

What should be done next to troubleshoot the problem?

• A. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.
• B. Run a sniffer in the web server.
• C. Capture the traffic using an external sniffer connected to port1.
• D. Execute a debug flow.

Answer: B

NEW QUESTION 9
Which of the following statements are true of the FortiGate unit's factory default configuration?

• A. `Port1' or `Internal' interface will have an IP of 192.168.1.99.
• B. `Port1' or `Internal' interface will have a DHCP server set up and enabled (on devices that support DHCP Servers).
• C. Default login will always be the username: admin (all lowercase) and no password.
• D. The implicit firewall action is ACCEPT.

Answer: ABC

NEW QUESTION 10
Which statements are correct regarding application control? (Choose two.)

• A. It is based on the IPS engine.
• B. It is based on the AV engine.
• C. It can be applied to SSL encrypted traffic.
• D. Application control cannot be applied to SSL encrypted traffic.

Answer: AC

NEW QUESTION 11
View the Exhibit.

The administrator needs to confirm that FortiGate 2 is properly routing that traffic to the 10.0.1.0/24 subnet. The administrator needs to confirm it by sending ICMP pings to FortiGate 2 from the CLI of FortiGate 1. What ping option needs to be enabled before running the ping?

• A. Execute ping-options source port1
• B. Execute ping-options source 10.200.1.1.
• C. Execute ping-options source 10.200.1.2
• D. Execute ping-options source 10.0.1.254

Answer: D

NEW QUESTION 12
Which statement concerning IPS is false?

• A. IPS packages contain an engine and signatures used by both IPS and other flow-based scans.
• B. One-arm topology with sniffer mode improves performance of IPS blocking.
• C. IPS can detect zero-day attacks.
• D. The status of the last service update attempt from FortiGuard IPS is shown on System>Config>FortiGuard and in output from 'diag autoupdate version'

Answer: D

NEW QUESTION 13
Which of the following FSSO agents are required for a DC agent mode solution? (Choose two.)

• A. FSSO agent
• B. DC agent
• C. Collector agent
• D. Radius server

Answer: BC

NEW QUESTION 14
If you enable the option "Generate Logs when Session Starts", what effect does this have on the
number of traffic log messages generated for each session?

• A. No traffic log message is generated.
• B. One traffic log message is generated.
• C. Two traffic log messages are generated.
• D. A log message is only generated if there is a security event.

Answer: C

NEW QUESTION 15
What is not true of configuring disclaimers on the FortiGate?

• A. Disclaimers can be used in conjunction with captive portal.
• B. Disclaimers appear before users authenticate.
• C. Disclaimers can be bypassed through security exemption lists.
• D. Disclaimers must be accepted in order to continue to the authentication login or originally intended destination.

Answer: C

NEW QUESTION 16
Review the exhibit of an explicit proxy policy configuration. If there is a proxy connection attempt coming from the IP address 10.0.1.5, and from a user that has not authenticated yet, what action does the FortiGate proxy take?

• A. User is prompted to authenticat
• B. Traffic from the user Student will be allowed by the policy #1. Traffic from any other user will be allowed by the policy #2.
• C. User is not prompted to authenticat
• D. The connection is allowed by the proxy policy #2.
• E. User is not prompted to authenticat
• F. The connection will be allowed by the proxy policy #1.
• G. User is prompted to authenticat
• H. Only traffic from the user Student will be allowe
• I. Traffic from any other user will be blocked.

Answer: D

NEW QUESTION 17
What are the purposes of NAT traversal in IPsec? (Choose two.)

• A. To detect intermediary NAT devices in the tunnel path.
• B. To encapsulate ESP packets in UDP packets using port 4500.
• C. To force a new DH exchange with each phase 2 re-key
• D. To dynamically change phase 1 negotiation mode to Aggressive.

Answer: AB