Top Tips Of Improved NSE4_FGT-6.4 Questions
Master the NSE4_FGT-6.4 Fortinet NSE 4 - FortiOS 6.4 content and be ready for exam day success quickly with this Examcollection NSE4_FGT-6.4 practice. We guarantee it! We make it a reality and give you real NSE4_FGT-6.4 questions in our Fortinet NSE4_FGT-6.4 braindumps. Latest 100% VALID Fortinet NSE4_FGT-6.4 Exam Questions Dumps are on the page below. You can use our Fortinet NSE4_FGT-6.4 braindumps and pass your exam.
Free NSE4_FGT-6.4 Demo Online For Fortinet Certification:
NEW QUESTION 1
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
- A. The firmware image must be manually uploaded to each FortiGate.
- B. Only secondary FortiGate devices are rebooted.
- C. Uninterruptible upgrade is enabled by default.
- D. Traffic load balancing is temporarily disabled while upgrading the firmware.
Answer: CD
NEW QUESTION 2
Which of the following SD-WAN load-balancing methods use the interface weight value to distribute traffic? (Choose two.)
- A. Source IP
- B. Spillover
- C. Volume
- D. Session
Answer: CD
NEW QUESTION 3
Which of the following statements correctly describes FortiGate's route lookup behavior when searching for a suitable gateway? (Choose two.)
- A. Lookup is done on the first packet from the session originator
- B. Lookup is done on the last packet sent from the responder
- C. Lookup is done on every packet, regardless of direction
- D. Lookup is done on the first reply packet from the responder
Answer: AD
NEW QUESTION 4
Which two statements about antivirus scanning mode are true? (Choose two.)
- A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
- B. In flow-based inspection mode,
- C. FortiGate buffers the file, but also simultaneously transmits it to the client.
- D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
- E. In flow-based inspection mode, files bigger than the buffer size are scanned.
Answer: CD
NEW QUESTION 5
An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?
- A. Configure Source IP Pools.
- B. Configure split tunneling in tunnel mode.
- C. Configure different SSL VPN realms.
- D. Configure host check.
Answer: D
NEW QUESTION 6
Which statement regarding the firewall policy authentication timeout is true?
- A. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.
- B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.
- C. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.
- D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.
Answer: A
NEW QUESTION 7
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
- A. On HQ-FortiGate, enable Auto-negotiate.
- B. On Remote-FortiGate, set Seconds to 43200.
- C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
- D. On HQ-FortiGate, set Encryption to AES256.
Answer: D
NEW QUESTION 8
Which statement is true about SSL VPN web mode?
- A. The tunnel is up while the client is connected.
- B. It supports a limited number of protocols.
- C. The external network application sends data through the VPN.
- D. It assigns a virtual IP address to the client.
Answer: C
NEW QUESTION 9
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
- A. The next-hop IP address is unreachable.
- B. It failed the RPF check.
- C. It matched an explicitly configured firewall policy with the action DENY.
- D. It matched the default implicit firewall policy.
Answer: D
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900
NEW QUESTION 10
An administrator is running the following sniffer command:
Which three pieces of information will be included in the sniffer output? (Choose three.)
- A. Interface name
- B. Packet payload
- C. Ethernet header
- D. IP header
- E. Application header
Answer: BCE
NEW QUESTION 11
Refer to the web filter raw logs.
Based on the raw logs shown in the exhibit, which statement is correct?
- A. Social networking web filter category is configured with the action set to authenticate.
- B. The action on firewall policy ID 1 is set to warning.
- C. Access to the social networking web filter category was explicitly blocked to all users.
- D. The name of the firewall policy is all_users_web.
Answer: D
NEW QUESTION 12
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)
- A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
- B. An SA never expires.
- C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
- D. Phase 2 SA expiration can be time-based, volume-based, or both.
- E. Both the phase 1 SA and phase 2 SA are bidirectional.
Answer: BCD
NEW QUESTION 13
Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
- A. Browsers can be configured to retrieve this PAC file from the FortiGate.
- B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
- C. All requests not made to fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
- D. Any web request to fortinet.com is allowed to bypass the proxy.
Answer: AD
NEW QUESTION 14
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)
- A. set fortiguard anycast disable
- B. set protocol udp
- C. set webfilter-force-off disable
- D. set webfilter-cache disable
Answer: AC
NEW QUESTION 15
Refer to the exhibit, which contains a network diagram and routing table output. The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?
- A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
- B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
- C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
- D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
Answer: C
NEW QUESTION 16
Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?
- A. System event logs
- B. Forward traffic logs
- C. Local traffic logs
- D. Security logs
Answer: A
NEW QUESTION 17
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)
- A. Shut down/reboot a downstream FortiGate device.
- B. Disable FortiAnalyzer logging for a downstream FortiGate device.
- C. Log in to a downstream FortiSwitch device.
- D. Ban or unban compromised hosts.
Answer: A
NEW QUESTION 18
Which statement about the policy ID number of a firewall policy is true?
- A. It is required to modify a firewall policy using the CLI.
- B. It represents the number of objects used in the firewall policy.
- C. It changes when firewall policies are reordered.
- D. It defines the order in which rules are processed.
Answer: A
NEW QUESTION 19
Refer to the exhibit, which contains a performance SLA configuration.
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?
- A. Participants configured are not SD-WAN members.
- B. There may not be a static route to route the performance SLA traffic.
- C. The Ping protocol is not supported for the public servers that are configured.
- D. You need to turn on the Enable probe packets switch.
Answer: D
NEW QUESTION 20
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.160.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?
- A. 192.168.1.0/24
- B. 192.168.0.0/24
- C. 192.168.2.0/24
- D. 192.168.3.0/24
Answer: B
NEW QUESTION 21
Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?
- A. Change the SSL VPN port on the client.
- B. Change the Server IP address.
- C. Change the idle-timeout.
- D. Change the SSL VPN portal to the tunnel.
Answer: D
NEW QUESTION 22
......
P.S. Easily pass the NSE4_FGT-6.4 exam with the 94 Q&As in the Dumpscollection.com dumps and PDF version. Download the newest Dumpscollection.com NSE4_FGT-6.4 dumps: https://www.dumpscollection.net/dumps/NSE4_FGT-6.4/ (94 New Questions)