Fortinet NSE4 Free Practice Questions 2021

NEW QUESTION 1
Which best describes the mechanism of a TCP SYN flood?

• A. The attackers keeps open many connections with slow data transmission so that other clients cannot start new connections.
• B. The attackers sends a packets designed to sync with the FortiGate
• C. The attacker sends a specially crafted malformed packet, intended to crash the target by exploiting its parser.
• D. The attacker starts many connections, but never acknowledges to fully form them.

Answer: D

NEW QUESTION 2
Examine the output below from the diagnose sys top command:

Which statements are true regarding the output above (Choose two.)

• A. The sshd process is the one consuming most CPU.
• B. The sshd process is using 123 pages of memory.
• C. The command diagnose sys kill miglogd will restart the miglogd process.
• D. All the processes listed are in sleeping state.

Answer: AD

NEW QUESTION 3
In which order are firewall policies processed on a FortiGate unit?

• A. From top to bottom, according with their sequence number.
• B. From top to bottom, according with their policy ID number.
• C. Based on best match.
• D. Based on the priority value.

Answer: A

NEW QUESTION 4
Which statements are correct properties of a partial mesh VPN deployment. (Choose two.)

• A. VPN tunnels interconnect between every single location.
• B. VPN tunnels are not configured between every single location.
• C. Some location may be reachable via a hub location.
• D. There are no hub locations in a partial mesh.

Answer: BC

NEW QUESTION 5
Which of the following statements are true regarding the web filtering modes? (Choose two.)

• A. Proxy based mode allows for customizable block pages to display when sites are prevented.
• B. Proxy based mode requires more resources than flow-based.
• C. Flow based mode offers more settings under the advanced configuration section of the GUI.
• D. Proxy based mode offers higher throughput than flow-based mode.

Answer: AB

NEW QUESTION 6
When configuring LDAP on the FortiGate as a remote database for users, what is not a part of the configuration?

• A. The name of the attribute that identifies each user (Common Name Identifier).
• B. The user account or group element names (user DN).
• C. The server secret to allow for remote queries (Primary server secret).
• D. The credentials for an LDAP administrator (password).

Answer: C

NEW QUESTION 7
The exhibit shows the Disconnect Cluster Member command in a FortiGate unit that is part of a HA cluster with two HA members.

What is the effect of the Disconnect Cluster Member command as given in the exhibit. (Choose two.)

• A. Port3 is configured with an IP address management access.
• B. The firewall rules are purged on the disconnected unit.
• C. The HA mode changes to standalone.
• D. The system hostname is set to the unit serial number.

Answer: AC

NEW QUESTION 8
Review to the network topology in the exhibit.

The workstation, 172.16.1.1/24, connects to port2 of the FortiGate device, and the ISP router, 172.16.1.2, connects to port1. Without changing IP addressing, which configuration changes are required to properly forward users traffic to the Internet? (Choose two)

• A. At least one firewall policy from port2 to port1 to allow outgoing traffic.
• B. A default route configured in the FortiGuard devices pointing to the ISP's router.
• C. Static or dynamic IP addresses in both ForitGate interfaces port1 and port2.
• D. The FortiGate devices configured in transparent mode.

Answer: AD

NEW QUESTION 9
A static route is configured for a FortiGate unit from the CLI using the following commands:
config router static edit 1
set device “wan1” set distance 20
set gateway 192.168.100.1 next
end
Which of the following conditions are required for this static default route to be displayed in the FortiGate unit's routing table? (Choose two.)

• A. The administrative status of the wan1 interface is displayed as down.
• B. The link status of the wan1 interface is displayed as up.
• C. All other default routers should have a lower distance.
• D. The wan1 interface address and gateway address are on the same subnet.

Answer: BD

NEW QUESTION 10
Which of the following options best defines what Diffie-Hellman is?

• A. A symmetric encryption algorithm.
• B. A "key-agreement" protocol.
• C. A "Security-association-agreement" protocol.
• D. An authentication algorithm.

Answer: B

NEW QUESTION 11
What is required in a FortiGate configuration to have more than one dialup IPsec VPN using aggressive mode?

• A. All the aggressive mode dialup VPNs MUST accept connections from the same peer ID.
• B. Each peer ID MUST match the FQDN of each remote peer.
• C. Each aggressive mode dialup MUST accept connections from different peer ID.
• D. The peer ID setting must NOT be used.

Answer: C

NEW QUESTION 12
An administrator wants to create an IPsec VPN tunnel between two FortiGate devices.
Which three configuration steps must be performed on both units to support this scenario? (Choose three.)

• A. Create firewall policies to allow and control traffic between the source and destination IP addresses.
• B. Configure the appropriate user groups to allow users access to the tunnel.
• C. Set the operating mode to IPsec VPN mode.
• D. Define the phase 2 parameters.
• E. Define the Phase 1 parameters.

Answer: ADE

NEW QUESTION 13
An administrator configures a FortiGate unit in Transparent mode on the 192.168.11.0 subnet. Automatic Discovery is enabled to detect any available FortiAnalyzers on the
network.
Which of the following FortiAnalyzers will be detected?

• A. 192.168.11.100
• B. 192.168.11.251
• C. 192.168.10.100
• D. 192.168.10.251

Answer: AB

NEW QUESTION 14
Which IP packets can be hardware-accelerated by a NP6 processor? (Choose two.)

• A. Fragmented packets.
• B. Multicast packet.
• C. SCTP packet.
• D. GRE packet.

Answer: BC

NEW QUESTION 15
Which is true about incoming and outgoing interfaces in firewall policies?

• A. A physical interface may not be used.
• B. A zone may not be used.
• C. Multiple interfaces may not be used for both incoming and outgoing.
• D. Source and destination interfaces are mandatory.

Answer: D

NEW QUESTION 16
Examine the following FortiGate web proxy configuration; then answer the question below:
config web-proxy explicit
set pac-file-server-status enable set pac-file-server-port 8080
set pac-file-name wpad.dat end
Assuming that the FortiGate proxy IP address is 10.10.1.1, which URL must an Internet browser use to download the PAC file?

• A. https://10.10.1.1:8080
• B. https://10.10.1.1:8080/wpad.dat
• C. http://10.10.1.1:8080/
• D. http://10.10.1.1:8080/wpad.dat

Answer: D

NEW QUESTION 17
Regarding tunnel-mode SSL VPN, which three statements are correct? (Choose three.)

• A. Split tunneling is supported.
• B. It requires the installation of a VPN client.
• C. It requires the use of an Internet browser.
• D. It does not support traffic from third-party network applications.
• E. An SSL VPN IP address is dynamically assigned to the client by the FortiGate unit.

Answer: ABE

NEW QUESTION 18
Review the static route configuration for IPsec shown in the exhibit; then answer the question below.

Which statements are correct regarding this configuration? (Choose two.)

• A. Interface remote is an IPsec interface.
• B. A gateway address is not required because the interface is a point-to-point connection.
• C. A gateway address is not required because the default route is used.
• D. Interface remote is a zone.

Answer: AB