NSE4_FGT-7.2 Practice Test Questions

168 Questions


An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192. 168. 1.0/24 and the remote quick mode selector is 192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?


A. 192. 168. 1.0/24


B. 192. 168.0.0/24


C. 192. 168.2.0/24


D. 192. 168.3.0/24





C.   192. 168.2.0/24

For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B.

To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A. 

Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)


A. Web filter in flow-based inspection


B. Antivirus in flow-based inspection


C. DNS filter


D. Web application firewall


E. Application control





A.   Web filter in flow-based inspection

B.   Antivirus in flow-based inspection

E.   Application control

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/739623/dnsfilter-handled-by-ips engine-in-flow-mode 

An administrator wants to configure timeouts for users. Regardless of the userTMs behavior, the timer should start as soon as the user authenticates and expire after the configured value.

Which timeout option should be configured on FortiGate?


A. auth-on-demand


B. soft-timeout


C. idle-timeout


D. new-session


E. hard-timeout





E.   hard-timeout

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeouttypes-for-Firewall/ta-p/189423

Reference:

https://kb.fortinet.com/kb/documentLink.doexternalID=FD37221#:~:text=Hard-timeout%3A-User-

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)


A.

Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.


B. Enable Dead Peer Detection.


C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.


D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.





B.   Enable Dead Peer Detection.

C.   Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Study Guide – IPsec VPN – IPsec configuration – Phase 1 Network.

When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.

There are three DPD modes. On demand is the default mode.

Study Guide – IPsec VPN – Redundant VPNs.

Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.

Add at least one phase 2 definition for each phase 1.

Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing. Configure FW policies for each IPsec interface.

Which statement describes a characteristic of automation stitches?


A. They can have one or more triggers.


B. They can be run only on devices in the Security Fabric.


C. They can run multiple actions simultaneously.


D. They can be created on any device in the fabric.





C.   They can run multiple actions simultaneously.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/351998/creatingautomation-stitches

Reference:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/139441/automation-stitches

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces? 


A. VLAN interface


B. Software Switch interface


C. Aggregate interface


D. Redundant interface





C.   Aggregate interface

An aggregate interface is a logical interface that combines two or more physical interfaces into one virtual interface1. An aggregate interface can increase network bandwidth and provide redundancy by distributing traffic across multiple physical interfaces using a load balancing algorithm1. An aggregate interface can also support link aggregation control protocol (LACP) to negotiate the link aggregation settings with the connected device1.

Reference: https://forum.fortinet.com/tm .aspx?m=120324
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/567758/aggregation-andredundancy

The IPS engine is used by which three security features? (Choose three.) 


A. Antivirus in flow-based inspection


B. Web filter in flow-based inspection


C. Application control


D. DNS filter


E. Web application firewall





A.   Antivirus in flow-based inspection

B.   Web filter in flow-based inspection

C.   Application control

FortiGate Security 7.2 Study Guide (p.385): "The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. It’s also responsible for application control, flow-based antivirus protection, web filtering, and email filtering."

Which timeout setting can be responsible for deleting SSL VPN associated sessions?


A. SSL VPN idle-timeout


B. SSL VPN http-request-body-timeout


C. SSL VPN login-timeout


D. SSL VPN dtls-hello-timeout





A.   SSL VPN idle-timeout

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPNdisconnection-issues-when connected with/tap/207851#:~:text=By-default%2C-a-SSL%2DVPN,hours-due-to-auth%2Dtimeout

The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.

Which feature in the Security Fabric takes one or more actions based on event triggers?


A. Fabric Connectors


B. Automation Stitches


C. Security Rating


D. Logical Topology





B.   Automation Stitches

Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/286973/fortinetsecurity-fabric

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?


A. System event logs


B. Forward traffic logs


C. Local traffic logs


D. Security logs





C.   Local traffic logs

Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/476970

Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.

FortiGate Security 7.2 Study Guide (p.176): "Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to the GUI and FortiGuard queries."

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?


A. IP address


B. Once Internet Service is selected, no other object can be added


C. User or User Group


D. FQDN address





B.   Once Internet Service is selected, no other object can be added

Reference: https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-servicein-policy

Which three statements explain a flow-based antivirus profile? (Choose three.)


A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.


B. If a virus is detected, the last packet is delivered to the client.


C. The IPS engine handles the process as a standalone.


D. FortiGate buffers the whole file but transmits to the client at the same time.


E. Flow-based inspection optimizes performance compared to proxy-based inspection.





A.   Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

D.   FortiGate buffers the whole file but transmits to the client at the same time.

E.   Flow-based inspection optimizes performance compared to proxy-based inspection.

Reference: https://forum .fortinet.com/tm .aspx?m=192309


Page 3 out of 14 Pages
Previous