Released Fortinet NSE4_FGT-7.0 Updated Questions PDF [Q89-Q114]


NSE4_FGT-7.0 Dumps and Practice Test (175 Exam Questions)


Passing the Fortinet NSE4_FGT-7.0 exam is a significant achievement for network professionals who work with Fortinet security solutions. Fortinet NSE 4 - FortiOS 7.0 certification demonstrates that the candidate has the knowledge and skills required to configure, manage, and troubleshoot Fortinet security products effectively. Fortinet NSE 4 - FortiOS 7.0 certification is also an excellent way to advance your career and open up new opportunities in the field of network security.

 

NEW QUESTION # 89
Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

  • A. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
  • B. Apple FaceTime will be allowed, based on the Categories configuration.
  • C. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration
  • D. Apple FaceTime will be allowed, based on the Apple filter configuration.

Answer: C


NEW QUESTION # 90
View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

  • A. Addicting.Games can be allowed only if the Filter Overrides action is set to Exempt.
  • B. Addicting.Games is allowed based on the Application Overrides configuration.
  • C. Addicting.Games is allowed based on the Categories configuration.
  • D. Addicting.Games is blocked on the Filter Overrides configuration.

Answer: B


NEW QUESTION # 91
Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

  • A. Global VDOM
  • B. Customer VDOM
  • C. Root VDOM
  • D. FG-traffic VDOM

Answer: C


NEW QUESTION # 92
Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

  • A. Capture the traffic using an external sniffer connected to port1.
  • B. Run a sniffer on the web server.
  • C. Execute a debug flow.
  • D. Execute another sniffer in the FortiGate, this time with the filter "host 10.0.1.10"

Answer: C


NEW QUESTION # 93
Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

  • A. To finish any inspection operations
  • B. To remove the NAT operation
  • C. To allow for out-of-order packets that could arrive after the FIN/ACK packets
  • D. To generate logs

Answer: C

Explanation:
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. The FortiGate unit implements a specific timer before removing an entry in the firewall session table.


NEW QUESTION # 94
Refer to the exhibit.

Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

  • A. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
  • B. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
  • C. port1 is a native VLAN.
  • D. Traffic between port2 and port2-vlan1 is allowed by default.

Answer: B,C

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640?externalID=FD31639
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883


NEW QUESTION # 95
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

  • A. It matched an explicitly configured firewall policy with the action DENY.
  • B. It failed the RPF check.
  • C. It matched the default implicit firewall policy.
  • D. The next-hop IP address is unreachable.

Answer: C

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900


NEW QUESTION # 96
How do you format the FortiGate flash disk?

  • A. Load the hardware test (HQIP) image.
  • B. Execute the CLI command execute formatlogdisk.
  • C. Select the format boot device option from the BIOS menu.
  • D. Load a debug FortiOS image.

Answer: C

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=10338


NEW QUESTION # 97
Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

  • A. The firewall policy does not apply deep content inspection.
  • B. Web filter should be enabled on the firewall policy to complement the antivirus profile.
  • C. The action on the firewall policy must be set to deny.
  • D. The firewall policy must be configured in proxy-based inspection mode.

Answer: A

Explanation:
Without deep inspection, you would never find a virus in HTTPS traffic. You will only catch a virus when it is sent to you via HTTP or FTP with these settings.


NEW QUESTION # 98
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

  • A. FortiGate points the collector agent to use a remote LDAP server.
  • B. FortiGate uses the AD server as the collector agent.
  • C. FortiGate queries AD by using the LDAP to retrieve user group information.
  • D. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

Answer: C,D

Explanation:
FortiGate Infrastructure 7.0 Study Guide P.272-273
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732


NEW QUESTION # 99
Which two statements are true about the FGCP protocol? (Choose two.)

  • A. Runs only over the heartbeat links
  • B. Elects the primary FortiGate device
  • C. Not used when FortiGate is in Transparent mode
  • D. Is used to discover FortiGate devices in different HA groups

Answer: A,B


NEW QUESTION # 100
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  • A. HTTPS
  • B. FortiTelemetry
  • C. FTM
  • D. SSH

Answer: A,D

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios


NEW QUESTION # 101
Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

  • A. IP header
  • B. Interface name
  • C. Ethernet header
  • D. Application header
  • E. Packet payload

Answer: A,B,E


NEW QUESTION # 102
Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

  • A. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
  • B. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1.
  • C. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
  • D. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.

Answer: A


NEW QUESTION # 103
An organization's employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

  • A. Change the login timeout.
  • B. Change the session-ttl.
  • C. Change the idle-timeout.
  • D. Change the udp idle timer.

Answer: A

Explanation:
FortiGate_Security_7.0 page 607


NEW QUESTION # 104
Which two statements are true about the RPF check? (Choose two.)

  • A. The RPF check is run on the first sent and reply packet of any new session.
  • B. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.
  • C. The RPF check is run on the first reply packet of any new session.
  • D. The RPF check is run on the first sent packet of any new session.

Answer: B,D


NEW QUESTION # 105
Refer to the exhibit to view the application control profile.

Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?

  • A. Apple FaceTime belongs to the custom monitored filter.
  • B. Apple FaceTime belongs to the custom blocked filter.
  • C. The category of Apple FaceTime is being monitored.
  • D. The category of Apple FaceTime is being blocked.

Answer: B


NEW QUESTION # 106
What is the primary FortiGate election process when the HA override setting is disabled?

  • A. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
  • B. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
  • C. Connected monitored ports > Priority > System uptime > FortiGate Serial number
  • D. Connected monitored ports > System uptime > Priority > FortiGate Serial number

Answer: A


NEW QUESTION # 107
An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

  • A. Create a new service object for HTTP service and set the session TTL to never
  • B. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
  • C. Set the session TTL on the HTTP policy to maximum
  • D. Set the TTL value to never under config system-ttl

Answer: A,D


NEW QUESTION # 108
Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

  • A. 10.200.1.10
  • B. 10.200.3.1
  • C. 10.200.1.1
  • D. 10.200.1.100

Answer: D


NEW QUESTION # 109
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

  • A. Add user accounts to Active Directory (AD).
  • B. Add user accounts to the Ignore User List.
  • C. Add user accounts to the FortiGate group filter.
  • D. Add the support of NTLM authentication.

Answer: B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828


NEW QUESTION # 110
If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

  • A. FQDN address
  • B. User or User Group
  • C. IP address
  • D. No other object can be added

Answer: C


NEW QUESTION # 111
Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

  • A. The application signature database inspects traffic only from the original web application server.
  • B. The security actions applied on the web applications will also be explicitly applied on the third-party websites.
  • C. FortiGuard maintains only one signature of each web application that is unique.
  • D. FortiGate can inspect sub-application traffic regardless of where it originated.

Answer: D


NEW QUESTION # 112
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Pre-shared Key
  • B. Dynamic DNS
  • C. Dialup User
  • D. Static IP Address

Answer: C

Explanation:
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client, and this is often the case for branch offices and mobile VPN clients that use dynamic IP addresses and no dynamic DNS.


NEW QUESTION # 113
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statement about the VLAN sub interfaces is true?

  • A. The two VLAN sub interfaces must have different VLAN IDs.
  • B. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
  • C. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
  • D. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

Answer: A

Explanation:
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf -> page 147
"Multiple VLANs can coexist in the same physical interface, provided they have different VLAN ID"

