What Free NSE4_FGT-7.0 Exam Guide Is

NEW QUESTION 1

What is the primary FortiGate election process when the HA override setting is disabled?

• A. Connected monitored ports > System uptime > Priority > FortiGate Serial number
• B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
• C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
• D. Connected monitored ports > Priority > System uptime > FortiGate Serial number

Answer: B

Explanation:
Reference: http://myitmicroblog.blogspot.com/2018/11/what-should-you-know-about-ha-override.html

NEW QUESTION 2

Refer to the exhibit.



The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

• A. If there is a full-through policy in place, users will not be prompted for authentication.
• B. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.
• C. Authentication is enforced at a policy level; all users will be prompted for authentication.
• D. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Answer: C

NEW QUESTION 3

Which feature in the Security Fabric takes one or more actions based on event triggers?

• A. Fabric Connectors
• B. Automation Stitches
• C. Security Rating
• D. Logical Topology

Answer: B

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/286973/fortinet-security-fabric

NEW QUESTION 4

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

• A. By default, all interfaces are part of the same broadcast domain.
• B. The existing network IP schema must be changed when installing a transparent mode.
• C. Static routes are required to allow traffic to the next hop.
• D. FortiGate forwards frames without changing the MAC address.

Answer: AD

Explanation:
Reference: https://kb.fortinet.com/kb/viewAttachment.do? attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113

NEW QUESTION 5

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

• A. System time
• B. FortiGuaid update servers
• C. Operating mode
• D. NGFW mode

Answer: CD

Explanation:
C: "Operating mode is per-VDOM setting. You can combine transparent mode VDOM's with NAT mode VDOMs on the same physical Fortigate.
D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide

NEW QUESTION 6

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

• A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password
• B. FortiGate supports pre-shared key and signature as authentication methods.
• C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
• D. A certificate is not required on the remote peer when you set the signature as the authentication method.

Answer: AB

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/913287/ipsec-vpn-authenticating-aremote-fortigate

NEW QUESTION 7

Examine the exhibit, which contains a virtual IP and firewall policy configuration.



The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

• A. 10.200.1.10
• B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
• C. 10.200.1.1
• D. 10.0.1.254

Answer: A

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.

NEW QUESTION 8

Which three statements are true regarding session-based authentication? (Choose three.)

• A. HTTP sessions are treated as a single user.
• B. IP sessions from the same source IP address are treated as a single user.
• C. It can differentiate among multiple clients behind the same source IP address.
• D. It requires more resources.
• E. It is not recommended if multiple users are behind the source NAT

Answer: ACD

NEW QUESTION 9

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

• A. Add the support of NTLM authentication.
• B. Add user accounts to Active Directory (AD).
• C. Add user accounts to the FortiGate group fitter.
• D. Add user accounts to the Ignore User List.

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828

NEW QUESTION 10

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

• A. The collector agent uses a Windows API to query DCs for user logins.
• B. NetAPI polling can increase bandwidth usage in large networks.
• C. The collector agent must search security event logs.
• D. The NetSession Enum function is used to track user logouts.

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD34906 https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34906&sliceId=1

NEW QUESTION 11

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

• A. Interface name
• B. Ethernet header
• C. IP header
• D. Application header
• E. Packet payload

Answer: ACE

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186

NEW QUESTION 12

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

• A. Browsers can be configured to retrieve this PAC file from the FortiGate.
• B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
• C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
• D. Any web request fortinet.com is allowed to bypass the proxy.

Answer: AD

NEW QUESTION 13

Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

• A. Change password
• B. Enable restrict access to trusted hosts
• C. Change Administrator profile
• D. Enable two-factor authentication

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD34502

NEW QUESTION 14

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

• A. get system status
• B. get system performance status
• C. diagnose sys top
• D. get system arp

Answer: D

Explanation:
"If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table."

NEW QUESTION 15

Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

• A. FortiGate will load balance all traffic across both routes.
• B. FortiGate will use the port1 route as the primary candidate.
• C. FortiGate will route twice as much traffic to the port2 route
• D. FortiGate will only actuate the port1 route in the routing table

Answer: B

Explanation:
“If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.”

NEW QUESTION 16

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

• A. diagnose sys top
• B. execute ping
• C. execute traceroute
• D. diagnose sniffer packet any
• E. get system arp

Answer: BCD

NEW QUESTION 17
......