Regenerate NSE4_FGT-7.0 Dumps Questions For Fortinet NSE 4 - FortiOS 7.0 Certification

Exam Code: NSE4_FGT-7.0 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Fortinet NSE 4 - FortiOS 7.0
Certification Provider: Fortinet

The following NSE4_FGT-7.0 free dumps questions are also available:

NEW QUESTION 1

An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

  • A. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
  • B. Create a new service object for HTTP service and set the session TTL to never.
  • C. Set the TTL value to never under config system-ttl
  • D. Set the session TTL on the HTTP policy to maximum

Answer: BC

NEW QUESTION 2

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

  • A. Root VDOM
  • B. FG-traffic VDOM
  • C. Customer VDOM
  • D. Global VDOM

Answer: A

NEW QUESTION 3

An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

  • A. auth-on-demand
  • B. soft-timeout
  • C. idle-timeout
  • D. new-session
  • E. hard-timeout

Answer: E

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221#:~:text=Hard%20timeout%3A%20User%20

NEW QUESTION 4

Which two statements are true about the RPF check? (Choose two.)

  • A. The RPF check is run on the first sent packet of any new session.
  • B. The RPF check is run on the first reply packet of any new session.
  • C. The RPF check is run on the first sent and reply packet of any new session.
  • D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Answer: AD

Explanation:
Reference: https://www.programmersought.com/article/16383871634/

NEW QUESTION 5

An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

  • A. VLAN interface
  • B. Software Switch interface
  • C. Aggregate interface
  • D. Redundant interface

Answer: C

Explanation:
Reference: https://forum.fortinet.com/tm.aspx?m=120324

NEW QUESTION 6

Refer to the exhibit, which contains a session diagnostic output.
NSE4_FGT-7.0 dumps exhibit
Which statement is true about the session diagnostic output?

  • A. The session is in SYN_SENT state.
  • B. The session is in FIN_ACK state.
  • C. The session is in FIN_WAIT state.
  • D. The session is in ESTABLISHED state.

Answer: A

Explanation:
Indicates a TCP (proto=6) session in SYN_SENT state (proto_state=2).
Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NEW QUESTION 7

An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

  • A. Enable asymmetric routing, so the RPF check will be bypassed.
  • B. Disable the RPF check at the FortiGate interface level for the source check.
  • C. Disable the RPF check at the FortiGate interface level for the reply check.
  • D. Enable asymmetric routing at the interface level.

Answer: B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955

NEW QUESTION 8

Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

  • A. The IPS engine was inspecting high volume of traffic.
  • B. The IPS engine was unable to prevent an intrusion attack.
  • C. The IPS engine was blocking all traffic.
  • D. The IPS engine will continue to run in a normal state.

Answer: A

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage

NEW QUESTION 9

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

  • A. Log ID
  • B. Universally Unique Identifier
  • C. Policy ID
  • D. Sequence ID

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewall-policies

NEW QUESTION 10

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

  • A. Subject Key Identifier value
  • B. SMIME Capabilities value
  • C. Subject value
  • D. Subject Alternative Name value

Answer: A

NEW QUESTION 11

Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

  • A. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • B. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • C. On HQ-FortiGate, disable Diffie-Hellman group 2.
  • D. On Remote-FortiGate, set port2 as Interface.

Answer: AD

NEW QUESTION 12

Exhibit:
NSE4_FGT-7.0 dumps exhibit
Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?

  • A. IP-based authentication is enabled.
  • B. Route-based authentication is enabled.
  • C. Session-based authentication is enabled.
  • D. Policy-based authentication is enabled.

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45387

NEW QUESTION 13

Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit
The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration. The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24. The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

  • A. 10.200.1.1
  • B. 10.200.3.1
  • C. 10.200.1.100
  • D. 10.200.1.10

Answer: A

Explanation:
Reference:
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/Static%20N
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529

NEW QUESTION 14

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

  • A. A phase 2 configuration is not required.
  • B. This VPN cannot be used as part of a hub-and-spoke topology.
  • C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
  • D. The IPsec firewall policies must be placed at the top of the list.

Answer: C

Explanation:
In a route-based configuration, FortiGate automatically adds a virtual interface with the VPN name (Infrastructure Study Guide, 206).

NEW QUESTION 15

Which two statements are true about the FGCP protocol? (Choose two.)

  • A. Not used when FortiGate is in Transparent mode
  • B. Elects the primary FortiGate device
  • C. Runs only over the heartbeat links
  • D. Is used to discover FortiGate devices in different HA groups

Answer: BC

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/564712/fgcp-fortigate-clustering-protocol

NEW QUESTION 16

Which two statements are true about collector agent standard access mode? (Choose two.)

  • A. Standard mode uses Windows convention - NetBIOS: Domain\Username.
  • B. Standard mode security profiles apply to organizational units (OU).
  • C. Standard mode security profiles apply to user groups.
  • D. Standard access mode supports nested groups.

Answer: AC

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso
