Fortinet NSE4_FGT-7.0 시험

Question No : 1

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

• A.The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
• B.The client FortiGate requires a manually added route to remote subnets.
• C.The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VP
• D.Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

답을 확인하기

정답:
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/266506/ssl-vpn-with-certificate-authentication

Question No : 2

Refer to the exhibit.



An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.
Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

• A.The Detection Mode setting is not set to Passive.
• B.Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
• C.The configured participants are not SD-WAN members.
• D.The Enable probe packets setting is not enabled.

답을 확인하기

정답:

Question No : 3

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

• A.The collector agent uses a Windows API to query DCs for user logins.
• B.NetAPI polling can increase bandwidth usage in large networks.
• C.The collector agent must search security event logs.
• D.The NetSession Enum function is used to track user logouts.

답을 확인하기

정답:
Explanation:
Reference:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD34906
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34906&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=210966035&stateId=1%2 00%20210968009%27)

Question No : 4

Refer to the exhibit.



Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

• A.The IPS engine was inspecting high volume of traffic.
• B.The IPS engine was unable to prevent an intrusion attack.
• C.The IPS engine was blocking all traffic.
• D.The IPS engine will continue to run in a normal state.

답을 확인하기

정답:
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage

Question No : 5

Refer to the exhibit.



Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

• A.The port3 default route has the highest distance.
• B.The port3 default route has the lowest metric.
• C.There will be eight routes active in the routing table.
• D.The port1 and port2 default routes are active in the routing table.

답을 확인하기

정답:

Question No : 6

An administrator wants to configure timeouts for users. Regardless of the user™s behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

• A.auth-on-demand
• B.soft-timeout
• C.idle-timeout
• D.new-session
• E.hard-timeout

답을 확인하기

정답:
Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221#:~:text=Hard%20timeout%3A%20User%20entry%20will,(5%20minutes%20by%20default)

Question No : 7

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

• A.Static IP Address
• B.Dialup User
• C.Dynamic DNS
• D.Pre-shared Key

답을 확인하기

정답:
Explanation:
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup clien and this is often the case for branch offices and mobile VPN clients that use dynamic IP address and no dynamic DNS

Question No : 8

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

• A.SSH
• B.HTTPS
• C.FTM
• D.FortiTelemetry

답을 확인하기

정답:
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

Question No : 9

Which statement about the policy ID number of a firewall policy is true?

• A.It is required to modify a firewall policy using the CL
• B.It represents the number of objects used in the firewall policy.
• C.It changes when firewall policies are reordered.
• D.It defines the order in which rules are processed.

답을 확인하기

정답:

Question No : 10

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

• A.Proxy-based inspection
• B.Certificate inspection
• C.Flow-based inspection
• D.Full Content inspection

답을 확인하기

정답:

Question No : 11

Refer to the exhibits.
Exhibit A.



Exhibit B.



The SSL VPN connection fails when a user attempts to connect to it.
What should the user do to successfully connect to SSL VPN?
A. Change the SSL VPN port on the client.
B. Change the Server IP address.
C. Change the idle-timeout.
D. Change the SSL VPN portal to the tunnel.

답을 확인하기

정답: A
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/150494

Question No : 12

Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).
Exhibit A.



Exhibit B.



Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?
A. The firewall policy performs the full content inspection on the file.
B. The flow-based inspection is used, which resets the last packet to the user.
C. The volume of traffic being inspected is too high for this model of FortiGate.
D. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.

답을 확인하기

정답: B
Explanation:
• "ONLY" If the virus is detected at the "START" of the connection, the IPS engine sends the block replacement message immediately
• When a virus is detected on a TCP session (FIRST TIME), but where "SOME PACKETS" have been already forwarded to the receiver, FortiGate "resets the connection" and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can’t be opened. The IPS engine also caches the URL of the infected file, so that if a "SECOND ATTEMPT" to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
In flow mode, the FortiGate drops the last packet killing the file. But because of that the block replacement message cannot be displayed. If the file is attempted to download again the block message will be shown.

Question No : 13

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

• A.Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
• B.Enable Dead Peer Detection.
• C.Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
• D.Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

답을 확인하기

정답:
Explanation:
B - because the customer requires the tunnels to notify when a tunnel goes down. DPD is designed for that purpose. To send a packet over a firewall to determine a failover for the next tunnel after a specific amount of time of not receiving a response from its peer.
C - remember when it comes to choosing a route with regards to Administrative Distance. The route with the lowest distance for that particular route will be chosen. So, by configuring a lower routing distance on the primary tunnel, means that the primary tunnel
will be chosen to route packets towards their destination.

Question No : 14

Refer to the exhibit showing a debug flow output.



Which two statements about the debug flow output are correct? (Choose two.)

• A.The debug flow is of ICMP traffic.
• B.A firewall policy allowed the connection.
• C.A new traffic session is created.
• D.The default route is required to receive a reply.

답을 확인하기

정답:
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow

Question No : 15

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

• A.FortiGate uses the AD server as the collector agent.
• B.FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
• C.FortiGate does not support workstation check.
• D.FortiGate directs the collector agent to use a remote LDAP server.

답을 확인하기

정답:
Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732