NSE4_FGT-7.2 Practice Test Questions

168 Questions


Which two statements explain antivirus scanning modes? (Choose two.)


A. In proxy-based inspection mode, files bigger than the buffer size are scanned.


B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.


C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.


D. In flow-based inspection mode, files bigger than the buffer size are scanned.





B.
  
In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.


C.
  
In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.


An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory, so this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice, because of the difference between scans in theory, which have no limits, and scans on real-world devices, which have finite RAM. To detect 100% of malware regardless of file size, a firewall would need infinitely large RAM, something no real-world device has. Most viruses are very small. This table shows a typical tradeoff: with the default 10 MB threshold, only 0.01% of viruses pass through.

FortiGate Security 7.2 Study Guide (p.350 & 352): "In flow-based inspection mode, the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Because the file is transmitted simultaneously, flow-based mode consumes more CPU cycles than proxy-based." "Each protocol's proxy picks up a connection and buffers the entire file first (or waits until the oversize limit is reached) before scanning. The client must wait for the scanning to finish."

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?


A. 192.168.3.0/24


B. 192.168.2.0/24


C. 192.168.1.0/24


D. 192.168.0.0/8





B.
  192.168.2.0/24

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)


A. SSH


B. HTTPS


C. FTM


D. FortiTelemetry





A.
  SSH

B.
  HTTPS

Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-yourfortigate/995103/buildingsecurity-into-fortios 

Which statement about video filtering on FortiGate is true?


A. Video filtering FortiGuard categories are based on web filter FortiGuard categories. 


B. It does not require a separate FortiGuard license.


C. Full SSL inspection is not required.


D. It's available only on a proxy-based firewall policy.





D.
  It's available only on a proxy-based firewall policy.

FortiGate Security 7.2 Study Guide (p.279): "To apply the video filter profile, proxy-based firewall policies currently allow you to enable the video filter profile. You must enable full SSL inspection on the firewall policy."

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/860867/filteringbased-on-fortiguard-categories

What are two functions of the ZTNA rule? (Choose two.)


A. It redirects the client request to the access proxy.


B. It applies security profiles to protect traffic.


C. It defines the access proxy. 


D. It enforces access control.





B.
  It applies security profiles to protect traffic.

D.
  It enforces access control.

A ZTNA rule is a policy that enforces access control and applies security profiles to protect traffic between the client and the access proxy. A ZTNA rule defines the following parameters:
Incoming interface: The interface that receives the client request.
Source: The address and user group of the client.
ZTNA tag: The tag that identifies the domain that the client belongs to.
ZTNA server: The server that hosts the access proxy.
Destination: The address of the application that the client wants to access.
Action: The action to take for the traffic that matches the rule. It can be accept, deny, or redirect.
Security profiles: The security features to apply to the traffic, such as antivirus, web filter, application control, and so on.
A ZTNA rule does not redirect the client request to the access proxy. That is the function of a policy route that matches the ZTNA tag and sends the traffic to the ZTNA server. A ZTNA rule does not define the access proxy. That is done by creating a ZTNA server object that specifies the IP address, port, and certificate of the access proxy. FortiGate Infrastructure 7.2 Study Guide (p.177): "A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust role-based access. To create a rule, type a rule name, and add IP addresses and ZTNA tags or tag groups that are allowed or blocked access. You also select the ZTNA server as the destination. You can also apply security profiles to protect this traffic."

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?


A. Static IP Address


B. Dialup User


C. Dynamic DNS


D. Pre-shared Key





B.
  Dialup User

Dialup User is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client; this is often the case for branch offices and mobile VPN clients that use dynamic IP addresses and have no dynamic DNS.

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)


A. The firmware image must be manually uploaded to each FortiGate.


B. Only secondary FortiGate devices are rebooted.


C. Uninterruptable upgrade is enabled by default.


D. Traffic load balancing is temporarily disabled while upgrading the firmware.





C.
  Uninterruptable upgrade is enabled by default.

D.
  Traffic load balancing is temporarily disabled while upgrading the firmware.

Which statement is true about SSL VPN web mode?


A. The tunnel is up while the client is connected. 


B. It supports a limited number of protocols. 


C. The external network application sends data through the VPN.


D. It assigns a virtual IP address to the client.





B.
  It supports a limited number of protocols. 

FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.

An administrator wants to simplify remote access without asking users to provide user credentials. Which access control method provides this solution?


A. ZTNA IP/MAC filtering mode 


B. ZTNA access proxy


C. SSL VPN


D. L2TP





B.
  ZTNA access proxy

FortiGate Infrastructure 7.2 Study Guide (p.165): "ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of VPNs."

This is true because ZTNA access proxy is a feature that allows remote users to access internal applications without requiring a VPN or user credentials. ZTNA access proxy uses a secure tunnel between the user's device and the FortiGate, and authenticates the user based on device identity and context. The user only needs to install a lightweight agent on their device, and the FortiGate will automatically assign them to the appropriate application group based on their device profile. This simplifies remote access and enhances security by reducing the attack surface.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used? 


A. The Services field prevents SNAT and DNAT from being combined in the same policy. 


B. The Services field is used when you need to bundle several VIPs into VIP groups. 


C. The Services field removes the requirement to create multiple VIPs for different services.


D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer. 





C.
  The Services field removes the requirement to create multiple VIPs for different services.

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection. 


Which FortiGate configuration can achieve this goal? 


A. SSL VPN bookmark 


B. SSL VPN tunnel


C. Zero trust network access


D. SSL VPN quick connection





B.
  SSL VPN tunnel

FortiGate Infrastructure 7.2 Study Guide (p.198): "Tunnel mode requires FortiClient to connect to FortiGate. FortiClient adds a virtual network adapter identified as fortissl to the user’s PC. This virtual adapter dynamically receives an IP address from FortiGate each time FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is SSL/TLS encapsulated. The main advantage of tunnel mode over web mode is that after the VPN is established, any IP network application running on the client can send traffic through the tunnel."

An SSL VPN tunnel allows remote users to establish a secure and encrypted Virtual Private Network (VPN) connection to the private network using the SSL/TLS protocol. An SSL VPN tunnel can provide access to network resources such as FTP servers, as well as external applications running on the user's PC.

An SSL VPN bookmark is a web link that provides access to network resources through the SSL VPN web portal. It does not support external applications running on the user's PC. Zero trust network access (ZTNA) is a security model that provides role-based application access to remote users without exposing the private network to the internet. It does not use SSL/TLS protocol, but rather a proprietary ZTNA protocol.

SSL VPN quick connection is a feature that allows users to connect to an SSL VPN tunnel without installing FortiClient or any other software on their PC. It requires a web browser that supports Java or ActiveX. It does not support external applications running on the user's PC.

Which statement correctly describes the use of reliable logging on FortiGate?


A. Reliable logging is enabled by default in all configuration scenarios.


B. Reliable logging is required to encrypt the transmission of logs.


C. Reliable logging can be configured only using the CLI. 


D. Reliable logging prevents the loss of logs when the local disk is full.





B.
  Reliable logging is required to encrypt the transmission of logs.

FortiGate Security 7.2 Study Guide (p.192): "if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecure network. You can choose the level of SSL protection used by configuring the enc-algorithm setting on the CLI."

