[Sep 08, 2023] Valid NSE4_FGT-7.0 Test Answers & Fortinet NSE4_FGT-7.0 Exam PDF [Q12-Q34]

Realistic NSE4_FGT-7.0 Exam Dumps with Accurate & Updated Questions

NEW QUESTION # 12
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

  • A. soft-timeout
  • B. idle-timeout
  • C. new-session
  • D. hard-timeout
  • E. auth-on-demand

Answer: D


NEW QUESTION # 13
Refer to the exhibits.


Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

  • A. Administrators cannot change the configuration.
  • B. Administrators can access FortiGate only through the console port.
  • C. FortiGate will start sending all files to FortiSandbox for inspection.
  • D. FortiGate has entered conserve mode.

Answer: A,D

Explanation:
Reference: https://www.skillfulist.com/fortigate/fortigate-conserve-mode-how-to-stop-it-and-what-it-means/


NEW QUESTION # 14
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

  • A. On HQ-FortiGate, set Encryption to AES256.
  • B. On Remote-FortiGate, set Seconds to 43200.
  • C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
  • D. On HQ-FortiGate, enable Auto-negotiate.

Answer: A

Explanation:
The encryption and authentication algorithms need to match for the IPsec tunnel to be established successfully.


NEW QUESTION # 15
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  • A. FortiTelemetry
  • B. SSH
  • C. FTM
  • D. HTTPS

Answer: B,D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios


NEW QUESTION # 16
Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

  • A. FortiGate will load balance all traffic across both routes.
  • B. FortiGate will route twice as much traffic to the port2 route.
  • C. FortiGate will use the port1 route as the primary candidate.
  • D. FortiGate will only activate the port1 route in the routing table.

Answer: C

Explanation:
"If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path."


NEW QUESTION # 17
If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

  • A. The Services field is used when you need to bundle several VIPs into VIP groups.
  • B. The Services field removes the requirement to create multiple VIPs for different services.
  • C. The Services field prevents SNAT and DNAT from being combined in the same policy.
  • D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single

Answer: B


NEW QUESTION # 18
Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

  • A. FortiGate supports pre-shared key and signature as authentication methods.
  • B. For stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.
  • C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
  • D. A certificate is not required on the remote peer when you set the signature as the authentication method.

Answer: A,B


NEW QUESTION # 19
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

  • A. The remote user's public IP address.
  • B. The internal IP address of the FortiGate device.
  • C. The remote user's virtual IP address.
  • D. The public IP address of the FortiGate device.

Answer: B

Explanation:
The source IP address seen by the remote resources is FortiGate's internal IP address, not the user's IP address.


NEW QUESTION # 20
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).


Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

  • A. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.
  • B. The firewall policy performs the full content inspection on the file.
  • C. The flow-based inspection is used, which resets the last packet to the user.
  • D. The volume of traffic being inspected is too high for this model of FortiGate.

Answer: C

Explanation:
* Only if the virus is detected at the start of the connection does the IPS engine send the block replacement message immediately.
* When a virus is detected on a TCP session for the first time, but some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore cannot be opened. The IPS engine also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS engine sends a block replacement message to the client instead of scanning the file again.
In flow mode, FortiGate drops the last packet, killing the file. Because of that, the block replacement message cannot be displayed. If the download is attempted again, the block message is shown.


NEW QUESTION # 21
Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).


Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?

  • A. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.
  • B. The firewall policy performs the full content inspection on the file.
  • C. The flow-based inspection is used, which resets the last packet to the user.
  • D. The volume of traffic being inspected is too high for this model of FortiGate.

Answer: C

Explanation:
* Only if the virus is detected at the start of the connection does the IPS engine send the block replacement message immediately.
* When a virus is detected on a TCP session for the first time, but some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore cannot be opened. The IPS engine also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS engine sends a block replacement message to the client instead of scanning the file again.
In flow mode, FortiGate drops the last packet, killing the file. Because of that, the block replacement message cannot be displayed. If the download is attempted again, the block message is shown.


NEW QUESTION # 22
Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

  • A. The sensor will gather a packet log for all matched traffic.
  • B. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
  • C. The sensor will block all attacks aimed at Windows servers.
  • D. The sensor will reset all connections that match these signatures.

Answer: B,C


NEW QUESTION # 23
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

  • A. The strict RPF check is run on the first sent and reply packet of any new session.
  • B. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
  • C. Strict RPF checks the best route back to the source using the incoming interface.
  • D. Strict RPF allows packets back to sources with all active routes.

Answer: C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955


NEW QUESTION # 24
Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

  • A. The primary device in the cluster is always assigned IP address 169.254.0.1.
  • B. Virtual IP addresses are used to distinguish between cluster members.
  • C. Heartbeat interfaces have virtual IP addresses that are manually assigned.
  • D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Answer: A,D


NEW QUESTION # 25
Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.
Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

  • A. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
  • B. The Detection Mode setting is not set to Passive.
  • C. The configured participants are not SD-WAN members.
  • D. The Enable probe packets setting is not enabled.

Answer: A,D


NEW QUESTION # 26
Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

  • A. Traffic is blocked because Action is set to DENY in the firewall policy.
  • B. Traffic belongs to the root VDOM.
  • C. This is a security log.
  • D. Log severity is set to error on FortiGate.

Answer: A,C


NEW QUESTION # 27
Refer to the exhibits.


The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?

  • A. Additional application signatures are required to add to the security policy.
  • B. Add Facebook in the URL category in the security policy.
  • C. Force access to Facebook using the HTTP service.
  • D. The SSL inspection needs to be a deep content inspection.

Answer: D

Explanation:
The lock logo behind Facebook_like.Button indicates that SSL deep inspection is required.


NEW QUESTION # 28
Refer to the exhibit, which contains a radius server configuration.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?

  • A. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
  • B. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
  • C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
  • D. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

Answer: D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/634373/authentication-servers


NEW QUESTION # 29
Refer to the exhibit.




The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

  • A. 10.200.1.149
  • B. 10.200.1.49
  • C. 10.200.1.99
  • D. 10.200.1.1

Answer: C

Explanation:
Ping uses ICMP (protocol number 1), so SNAT policy ID 1 is the policy that is used. The translated address is "SNAT-Remote1", which is 10.200.1.99.


NEW QUESTION # 30
Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

  • A. Antivirus in flow-based inspection
  • B. DNS filter
  • C. Web filter in flow-based inspection
  • D. Application control
  • E. Web application firewall

Answer: A,C,D


NEW QUESTION # 31
When configuring a firewall virtual wire pair policy, which of the following statements is true?

  • A. Exactly two virtual wire pairs need to be included in each policy.
  • B. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
  • C. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
  • D. Only a single virtual wire pair can be included in each policy.

Answer: B


NEW QUESTION # 32
Which statement about the policy ID number of a firewall policy is true?

  • A. It represents the number of objects used in the firewall policy.
  • B. It changes when firewall policies are reordered.
  • C. It defines the order in which rules are processed.
  • D. It is required to modify a firewall policy using the CLI.

Answer: D


NEW QUESTION # 33
Refer to the exhibit.



The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  • A. Disable match-vip in the Deny policy.
  • B. Set the Destination address as Deny_IP in the Allow-access policy.
  • C. Set the Destination address as Web_server in the Deny policy.
  • D. Enable match-vip in the Deny policy.

Answer: C,D

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641


NEW QUESTION # 34
......
