NSE4_FGT-7.2 Practice Test Questions

168 Questions


Which two statements are true about the RPF check? (Choose two.)


A. The RPF check is run on the first sent packet of any new session. 


B. The RPF check is run on the first reply packet of any new session.


C. The RPF check is run on the first sent and reply packet of any new session. 


D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks. 





A.
  The RPF check is run on the first sent packet of any new session. 

D.
  RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks. 

Reference: https://www.programmersought.com/article/16383871634/

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)


A. FortiGuard web filter cache


B. FortiGate hostname


C. NTP


D. DNS





C.
  NTP

D.
  DNS

In the FortiGate Infrastructure 7.2 Study Guide (page 306), the list of configuration settings that are NOT synchronized between cluster members includes both 'FortiGate host name' and 'Cache', which rules out options A and B.

An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure? 


A. idle-timeout


B. login-timeout


C. udp-idle-timer


D. session-ttl





B.
  login-timeout

FortiGate Infrastructure 7.2 Study Guide (p.222): 
"When connected to SSL VPN over high latency connections, FortiGate can time out the client before the client can finish the negotiation process, such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl settings have been added to address this. The first command allows you to set up the login timeout, replacing the previous hard timeout value. The second command allows you to set up the maximum DTLS hello timeout for SSL VPN connections." 
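The two commands the study guide refers to are login-timeout and dtls-hello-timeout under config vpn ssl settings. The following FortiOS 7.2 CLI fragment is an added example, not text from the study guide or the exam; the numeric values are illustrative and should be tuned to the measured latency of the affected users.

```fortios
# Added example (not from the study guide). FortiOS 7.2 CLI, illustrative values.
config vpn ssl settings
    # Seconds a client has to finish the login exchange (DNS lookup, token entry).
    # Default 30, range 10-180. This is the setting the question is about.
    set login-timeout 120
    # Maximum DTLS hello timeout in seconds. Default 10, range 10-60.
    # Raise it when DTLS tunnels fail to establish over high-latency links.
    set dtls-hello-timeout 60
    # For contrast: idle-timeout tears down an already-established session
    # that carries no traffic. It does not affect negotiation.
    set idle-timeout 300
end

# Confirm the running values before asking the user to retry:
show full-configuration vpn ssl settings | grep -i timeout
```

Raising login-timeout extends the window in which an unauthenticated client can hold a connection slot open, so increase it only as far as the latency and token-entry time require rather than to the maximum.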

Which two types of traffic are managed only by the management VDOM? (Choose two.)


A. FortiGuard web filter queries


B. PKI


C. Traffic shaping


D. DNS





A.
  FortiGuard web filter queries

D.
  DNS

FortiGate Infrastructure 7.2 Study Guide (p.73): "What about traffic originating from FortiGate? Some system daemons, such as NTP and FortiGuard updates, generate traffic coming from FortiGate. Traffic coming from FortiGate to those global services originates from the management VDOM. One, and only one, of the VDOMs on a FortiGate device is assigned the role of the management VDOM. It is important to note that the management VDOM designation is solely for traffic originated by FortiGate, such as FortiGuard updates, and has no effect on traffic passing through FortiGate."

Which of the following are valid actions for a FortiGuard category-based filter in a web filter profile in proxy-based inspection mode? (Choose two.)


A. Warning


B. Exempt


C. Allow


D. Learn 





A.
  Warning

C.
  Allow

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?


A. The strict RPF check is run on the first sent and reply packet of any new session. 


B. Strict RPF checks the best route back to the source using the incoming interface.


C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface. 


D. Strict RPF allows packets back to sources with all active routes.





B.
  Strict RPF checks the best route back to the source using the incoming interface.

Strict Reverse Path Forwarding (RPF) is an anti-spoofing check. For the first packet of a new session, FortiGate looks up the packet's source address in the routing table and compares the result with the interface the packet arrived on. In strict mode, the best route back to the source must point out the incoming interface; if it does not, the packet is dropped. Loose mode (the FortiOS default) only requires that at least one active route back to the source exists through the incoming interface, which is what option C describes. Because strict mode rejects legitimate traffic in asymmetric-routing topologies, it should be enabled only where return paths are known to be symmetric.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955
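The RPF behaviour described in this question and in the earlier RPF question maps to one per-VDOM setting, strict-src-check. The following FortiOS 7.2 CLI fragment is an added example, not part of the cited KB article or the exam; the source address used in the debug filter is a placeholder from the documentation range.

```fortios
# Added example (not from the KB article). FortiOS 7.2, per-VDOM settings.

# Loose RPF (default): the packet passes if ANY active route back to its
# source exists through the incoming interface.
config system settings
    set strict-src-check disable
end

# Strict RPF: the BEST route back to the source must point out the incoming
# interface, otherwise the first packet of the session is dropped.
config system settings
    set strict-src-check enable
end

# Caveat: asymroute disables the RPF check entirely and prevents stateful
# inspection of sessions whose two directions take different paths.
# Keep it disabled unless the topology genuinely requires it.
config system settings
    set asymroute disable
end

# Checking a suspected drop. RPF runs only on the first packet of a new
# session, so an established session is never re-checked; test with a
# fresh connection. 203.0.113.7 is a placeholder source address.
diagnose debug flow filter saddr 203.0.113.7
diagnose debug flow trace start 10
diagnose debug enable
# An RPF failure appears in the trace as: msg="reverse path check fail, drop"
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

Apply strict-src-check on internet-facing VDOMs first, where the expected source ranges are well defined, and watch the debug flow output for drops on internal interfaces before enabling it where multiple return paths exist.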

Which two statements are correct about NGFW Policy-based mode? (Choose two.)


A. NGFW policy-based mode does not require the use of central source NAT policy 


B. NGFW policy-based mode can only be applied globally and not on individual VDOMs


C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy


D. NGFW policy-based mode policies support only flow inspection





C.
  NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

D.
  NGFW policy-based mode policies support only flow inspection

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel? 


A. FortiGate automatically negotiates different local and remote addresses with the remote peer. 


B. FortiGate automatically negotiates a new security association after the existing security association expires. 


C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.


D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.





D.
  FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

FortiGate Infrastructure 7.2 Study Guide (p.264): "...then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Autonegotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away." "Another benefit of enabling Autonegotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled."
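The difference the study guide draws between Autokey Keep Alive and Auto-negotiate is set in phase 2 of the tunnel. The following FortiOS 7.2 CLI fragment is an added example, not from the study guide or the exam; the tunnel name, phase 1 name and subnets are placeholders.

```fortios
# Added example (not from the study guide). Route-based IPsec, phase 2.
# "branch" / "branch_p2" and the subnets are placeholders.

# Keepalive only: the tunnel does not come up until interesting traffic
# arrives, but once up it stays up because FortiGate sends keepalives.
config vpn ipsec phase2-interface
    edit "branch_p2"
        set phase1name "branch"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
        set keepalive enable
        set auto-negotiate disable
    next
end

# Auto-negotiate: FortiGate initiates the SA itself, re-keys before the
# current SA expires and switches to the new SA immediately, so the tunnel
# comes up and stays up regardless of traffic. Autokey Keep Alive is
# implicitly enabled, so the keepalive line above becomes redundant.
config vpn ipsec phase2-interface
    edit "branch_p2"
        set auto-negotiate enable
    next
end

# Verify the tunnel is up without sending traffic through it:
diagnose vpn ike gateway list name branch
diagnose vpn tunnel list name branch
```

Auto-negotiate is the right choice for site-to-site tunnels that carry monitoring or replication traffic, where a gap between SA expiry and re-establishment would drop packets; for many on-demand dial-up peers, leaving it disabled avoids keeping idle SAs alive on the hub.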

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?


A. Subject Key Identifier value


B. S/MIME Capabilities value


C. Subject value


D. Subject Alternative Name value





A.
  Subject Key Identifier value

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?


A. To remove the NAT operation.


B. To generate logs


C. To finish any inspection operations.


D. To allow for out-of-order packets that could arrive after the FIN/ACK packets.





D.
  To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Which statement about the policy ID number of a firewall policy is true?


A. It is required to modify a firewall policy using the CLI. 


B. It represents the number of objects used in the firewall policy. 


C. It changes when firewall policies are reordered. 


D. It defines the order in which rules are processed.





A.
  It is required to modify a firewall policy using the CLI. 
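In the CLI a firewall policy is addressed by its ID, and reordering does not change that ID, which is why option A is correct and option C is not. The following FortiOS 7.2 CLI fragment is an added example, not from the exam; the policy IDs, names and interface names are placeholders.

```fortios
# Added example (not from the exam material). IDs, names, interfaces are placeholders.

config firewall policy
    # 'edit 0' creates a new policy and lets FortiGate assign the next free ID.
    # 'edit <id>' opens an existing policy; there is no way to address it by name here.
    edit 10
        set name "LAN_to_WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Reordering changes where the policy sits in the lookup sequence,
    # but the policy keeps ID 10.
    move 10 before 5
end

# The policy is still retrieved and modified by the same ID afterwards:
show firewall policy 10
```

The sequence the GUI displays is the evaluation order, not the ID; when tracing why a packet matched an unexpected rule, take the policy ID from the log or from diagnose debug flow output and open exactly that ID in the CLI.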

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?


A. The administrator can register the same FortiToken on more than one FortiGate.


B. The administrator must use a FortiAuthenticator device


C. The administrator can use a third-party radius OTP server.


D. The administrator must use the user self-registration server.





B.
  The administrator must use a FortiAuthenticator device

