Fortinet NSE4_FGT-6.2 Free Practice Questions

NEW QUESTION 1
How does FortiGate verify the login credentials of a remote LDAP user?

• A. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.
• B. FortiGate sends the user-entered credentials to the LDAP server for authentication.
• C. FortiGate queries the LDAP server for credentials.
• D. FortiGate queries its own database for credentials.

Answer: B

Explanation:
You can configure Fortigate to point to an LDAP server for server-based password authentication throught the LDAP Server (Security Study Guide, 187)

NEW QUESTION 2
Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

• A. Browsers can be configured to retrieve this PAC file from the FortiGate.
• B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
• C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
• D. Any web request fortinet.com is allowed to bypass the proxy.

Answer: AD

NEW QUESTION 3
HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could resolve this problem? (Choose two.)

• A. Enable Allow Invalid SSL Certificates for the relevant security profile.
• B. Change web browsers to one that does not support HPKP.
• C. Exempt those web sites that use HPKP from full SSL inspection.
• D. Install the CA certificate (that is required to verify the web server certificate) stores of users’ computers.

Answer: BC

NEW QUESTION 4
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

• A. The firmware image must be manually uploaded to each FortiGate.
• B. Only secondary FortiGate devices are rebooted.
• C. Uninterruptable upgrade is enabled by default.
• D. Traffic load balancing is temporally disabled while upgrading the firmware.

Answer: BD

NEW QUESTION 5
An administrator is running the following sniffer command:
diagnose sniffer packet any “host 10.0.2.10” 3
What information will be included in the sniffer output? (Choose three.)

• A. IP header
• B. Ethernet header
• C. Packet payload
• D. Application header
• E. Interface name

Answer: ABC

NEW QUESTION 6
A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?

• A. Implement a web filter category override for the specified website.
• B. Implement web filter authentication for the specified website
• C. Implement web filter quotas for the specified website.
• D. Implement DNS filter for the specified website.

Answer: A

NEW QUESTION 7
On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager? (Choose two.)

• A. hourly
• B. real time
• C. on-demand
• D. store-and-upload

Answer: BD

Explanation:
Configure logging options:* store-and-upload (CLI configuration only)—>only available to Fortigate with an internal hard drive* Real Time* Every minute* Every 5 minutes (default)

NEW QUESTION 8
Which of the following services can be inspected by the DLP profile? (Choose three.)

• A. NFS
• B. FTP
• C. IMAP
• D. CIFS
• E. HTTP-POST

Answer: BCE

NEW QUESTION 9
How can you block or allow to Twitter using a firewall policy?

• A. Configure the Destination field as Internet Service objects for Twitter.
• B. Configure the Action field as Learn and select Twitter.
• C. Configure the Service field as Internet Service objects for Twitter.
• D. Configure the Source field as Internet Service objects for Twitter.

Answer: A

NEW QUESTION 10
View the exhibit.

Why is the administrator getting the error shown in the exhibit?

• A. The administrator must first enter the command edit global.
• B. The administrator admin does not have the privileges required to configure global settings.
• C. The global settings cannot be configured from the root VDOM context.
• D. The command config system global does not exist in FortiGate.

Answer: C

NEW QUESTION 11
An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

• A. A.-192.168.3.0/24B.192.168.2.0/24C.192.168.1.0/24D.192.168.0.0/8

Answer: B

NEW QUESTION 12
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

• A. Traffic to botnetservers
• B. Traffic to inappropriate web sites
• C. Server information disclosure attacks
• D. Credit card data leaks
• E. SQL injection attacks

Answer: ACE

NEW QUESTION 13
An administrator is investigating a report of users having intermittent issues with browsing the web. The administrator ran diagnostics and received the output shown in the exhibit.

Examine the diagnostic output shown exhibit. Which of the following options is the most likely cause of this issue?

• A. NAT port exhaustion
• B. High CPU usage
• C. High memory usage
• D. High session timeout value

Answer: A

NEW QUESTION 14
Which Statements about virtual domains (VDOMs) arc true? (Choose two.)

• A. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.
• B. Each VDOM can be configured with different system hostnames.
• C. Different VLAN sub-interface of the same physical interface can be assigned to different VDOMs.
• D. Each VDOM has its own routing table.

Answer: CD

NEW QUESTION 15
View the exhibit:

The client cannot connect to the HTTP web server. The administrator ran the FortiGate built-in sniffer and got the following output:

What should be done next to troubleshoot the problem?

• A. Run a sniffer in the web server.
• B. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.
• C. Capture the traffic using an external sniffer connected to port1.
• D. Execute a debug flow.

Answer: D

Explanation:
Step 1: Routing table check (in NAT mode)Step 2: Verify is services are opened (if access to the FortiGate)Step 3: Sniffer traceStep 4: Debug flowStep 5: Session list

NEW QUESTION 16
How do you format the FortiGate flash disk?

• A. Load a debug FortiOS image.
• B. Load the hardware test (HQIP) image.
• C. Execute the CLI command execute formatlogdisk.
• D. Select the format boot device option from the BIOS menu.

Answer: D

NEW QUESTION 17
When using WPAD DNS method, which FQDN format do browsers use to query the DNS server?

• A. srv_proxy.<local-domain>/wpad.dat
• B. srv_tcp.wpad.<local-domain>
• C. wpad.<local-domain>
• D. proxy.<local-domain>.wpad

Answer: C

Explanation:
https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/600_Objects/607_Web-pr

NEW QUESTION 18
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?

• A. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.
• B. Client > secondary FortiGate> web server.
• C. Clinet >secondary FortiGate> primary FortiGate> web server.
• D. Client> primary FortiGate> secondary FortiGate> web server.

Answer: D

NEW QUESTION 19
Examine the exhibit, which contains a virtual IP and firewall policy configuration.



The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

• A. 10.200.1.10
• B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
• C. 10.200.1.1
• D. 10.0.1.254

Answer: C

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.

NEW QUESTION 20
An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best practices to do so? (Choose three.)

• A. Configure split tunneling for content inspection.
• B. Configure host restrictions by IP or MAC address.
• C. Configure two-factor authentication using security certificates.
• D. Configure SSL offloading to a content processor (FortiASIC).
• E. Configure a client integrity check (host-check).

Answer: BCE

NEW QUESTION 21
View the exhibit.

Which of the following statements are correct? (Choose two.)

• A. This setup requires at least two firewall policies with the action set to IPsec.
• B. Dead peer detection must be disabled to support this type of IPsec setup.
• C. The TunnelB route is the primary route for reaching the remote sit
• D. The TunnelA route is used only if the TunnelB VPN is down.
• E. This is a redundant IPsec setup.

Answer: CD

NEW QUESTION 22
Which one of the following processes is involved in updating IPS from FortiGuard?

• A. FortiGate IPS update requests are sent using UDP port 443.
• B. Protocol decoder update requests are sent to service.fortiguard.net.
• C. IPS signature update requests are sent to update.fortiguard.net.
• D. IPS engine updates can only be obtained using push updates.

Answer: C

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/07-FortiGuard.htm

NEW QUESTION 23
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

• A. A CRL
• B. A person
• C. A subordinate CA
• D. A root CA

Answer: D

NEW QUESTION 24
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

What are the expected actions if traffic matches this IPS sensor? (Choose two.)

• A. The sensor will gather a packet log for all matched traffic.
• B. The sensor will not block attackers matching the A32S.Botnet signature.
• C. The sensor will block all attacks for Windows servers.
• D. The sensor will reset all connections that match these signatures.

Answer: BC

NEW QUESTION 25
A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?

• A. Different SSL VPN realms for each group.
• B. Two separate SSL VPNs in different interfaces mapping the same ssl.root.
• C. Two firewall policies with different captive portals.
• D. Different virtual SSL VPN IP addresses for each group.

Answer: A

NEW QUESTION 26
......