NSE4_FGT-7.2 Practice Test Questions

168 Questions


Which two statements are true when FortiGate is in transparent mode? (Choose two.)


A. By default, all interfaces are part of the same broadcast domain.


B. The existing network IP schema must be changed when installing a transparent mode.


C. Static routes are required to allow traffic to the next hop. 


D. FortiGate forwards frames without changing the MAC address.





A.
  By default, all interfaces are part of the same broadcast domain.

D.
  FortiGate forwards frames without changing the MAC address.

Reference: https://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?


A. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs. 


B. The two VLAN subinterfaces must have different VLAN IDs.


C. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet. 


D. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.





C.
  The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet. 

D.
  The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.

Reference: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans

Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.) 


A. Source defined as Internet Services in the firewall policy. 


B. Destination defined as Internet Services in the firewall policy.


C. Highest to lowest priority defined in the firewall policy.


D. Services defined in the firewall policy.


E. Lowest to highest policy ID number. 





A.
  Source defined as Internet Services in the firewall policy. 

B.
  Destination defined as Internet Services in the firewall policy.

D.
  Services defined in the firewall policy.

When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using the following objects:
• Incoming Interface
• Outgoing Interface
• Source: IP address, user, internet services
• Destination: IP address or internet services
• Service: IP protocol and port number
• Schedule: Applies during configured times
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47435

Which two types of traffic are managed only by the management VDOM? (Choose two.)


A. FortiGuard web filter queries


B. PKI


C. Traffic shaping


D. DNS 





A.
  FortiGuard web filter queries

D.
  DNS 

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?


A. The matching firewall policy is set to proxy inspection mode. 


B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.


C. The full SSL inspection feature does not have a valid license.


D. The browser does not trust the certificate used by FortiGate for SSL inspection.





D.
  The browser does not trust the certificate used by FortiGate for SSL inspection.


FortiGate Security 7.2 Study Guide (p.235): "If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser." 

Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)


A. Browsers can be configured to retrieve this PAC file from the FortiGate.


B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.


C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.


D. Any web request to fortinet.com is allowed to bypass the proxy.





A.
  Browsers can be configured to retrieve this PAC file from the FortiGate.

D.
  Any web request to fortinet.com is allowed to bypass the proxy.

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?


A. Full Content inspection


B. Proxy-based inspection 


C. Certificate inspection


D. Flow-based inspection





D.
  Flow-based inspection

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?


A. IP address 


B. No other object can be added 


C. FQDN address


D. User or User Group





B.
  No other object can be added 

FortiGate Security 7.2 Study Guide (p.59): "When configuring your firewall policy, you can use Internet Service as the destination in a firewall policy, which contains all the IP addresses, ports, and protocols used by that service. For the same reason, you cannot mix regular address objects with ISDB objects, and you cannot select services on a firewall policy. The ISDB objects already have services information, which is hardcoded." 

This is true because Internet Service is a special type of destination object that can only be used alone in a firewall policy. Internet Service allows FortiGate to identify and filter traffic based on the internet service or application it belongs to, such as Facebook, YouTube, or Skype. It uses a database of IP addresses and ports associated with each internet service or application, which is updated regularly from FortiGuard. When Internet Service is selected as the destination in a firewall policy, FortiGate matches the traffic to the corresponding internet service or application and applies the appropriate action and security profiles. However, Internet Service cannot be combined with any other destination object, such as an IP address, FQDN address, user, or user group, as this would create a conflict or ambiguity in the firewall policy. Therefore, no other object can be added if Internet Service is already selected as the destination in a firewall policy.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?


A. Log ID


B. Universally Unique Identifier


C. Policy ID


D. Sequence ID





B.
  Universally Unique Identifier

FortiGate Security 7.2 Study Guide (p.67): "When creating firewall objects or policies, a universally unique identifier (UUID) attribute is added so that logs can record these UUIDs and improve functionality when integrating with FortiManager or FortiAnalyzer." 

Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewallpolicies

An administrator is running the following sniffer command:

Which three pieces of information will be included in the sniffer output? (Choose three.)


A. Interface name


B. Packet payload


C. Ethernet header


D. IP header


E. Application header





A.
  Interface name

B.
  Packet payload

D.
  IP header

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)


A. To detect intermediary NAT devices in the tunnel path.


B. To dynamically change phase 1 negotiation mode to aggressive mode.


C. To encapsulate ESP packets in UDP packets using port 4500.


D. To force a new DH exchange with each phase 2 rekey. 





A.
  To detect intermediary NAT devices in the tunnel path.

C.
  To encapsulate ESP packets in UDP packets using port 4500.

