(2024) NSE4_FGT-7.2 Dumps and Practice Test (183 Questions)
Guide (New 2024) Actual Fortinet NSE4_FGT-7.2 Exam Questions
NEW QUESTION # 38
Refer to the exhibit.
Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)
- A. port1 is a native VLAN.
- B. Traffic between port2 and port2-vlan1 is allowed by default.
- C. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
- D. port1-vlan1 and port2-vlan1 can be assigned to the same VDOM or to different VDOMs.
Answer: A,D
Explanation:
The physical interface carries the untagged frames, so port1 is the native VLAN for its VLAN subinterfaces. Every VLAN subinterface is a separate Layer 3 interface: in NAT mode port1-vlan10 and port2-vlan10 are different broadcast domains, traffic between port2 and port2-vlan1 needs a firewall policy like any other inter-interface traffic, and a VLAN subinterface can live in a VDOM other than the one its parent interface belongs to, so port1-vlan1 and port2-vlan1 may share a VDOM or sit in different ones.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883
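As an added example (not from this page or from Fortinet's documentation), the FortiOS CLI below builds the situation statement D describes: two VLAN 10 subinterfaces on different physical ports, each assigned to its own VDOM. It assumes multi-VDOM mode is already enabled; the VDOM names, VLAN IDs and addresses are made up.

```fortios
# Added example: VLAN subinterfaces placed in different VDOMs.
# VDOM names, VLAN IDs and IP addresses are assumed values.
config vdom
    edit "VDOM-A"
    next
    edit "VDOM-B"
    next
end
config global
    config system interface
        # port1 itself belongs to VDOM-A and carries untagged (native) frames
        edit "port1"
            set vdom "VDOM-A"
            set ip 192.0.2.1 255.255.255.0
        next
        # tagged VLAN 10 on port1, kept in the same VDOM as its parent port
        edit "port1-vlan10"
            set vdom "VDOM-A"
            set interface "port1"
            set vlanid 10
            set ip 10.1.10.1 255.255.255.0
            set allowaccess ping
        next
        # tagged VLAN 10 on port2, placed in a different VDOM than port1-vlan10:
        # same VLAN ID, but a separate interface and, in NAT mode, a separate broadcast domain
        edit "port2-vlan10"
            set vdom "VDOM-B"
            set interface "port2"
            set vlanid 10
            set ip 10.2.10.1 255.255.255.0
            set allowaccess ping
        next
    end
end
```

A VLAN ID only has to be unique per physical port, not per VDOM, and a physical port can belong to a single VDOM while each of its subinterfaces picks its own. Traffic between a port and one of its own VLAN subinterfaces in the same VDOM still needs a firewall policy.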
NEW QUESTION # 39
Refer to the exhibit.
Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct about adding the FTP.Login.Failed signature to the IPS sensor profile?
- A. The signature setting includes a group of other signatures.
- B. Traffic matching the signature will be silently dropped and logged.
- C. Traffic matching the signature will be allowed and logged.
- D. The signature setting uses a custom rating threshold.
Answer: B
Explanation:
Block silently drops traffic that matches any signature in the entry. The default action of FTP.Login.Failed is Pass, so the administrator is deliberately overriding it; the signature's own default would apply only if the entry's action were set to Default. With Packet logging enabled, FortiGate also keeps a copy of the matching packet.
FortiGate Security 7.2 Study Guide (p. 394): "Select Allow to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in the entry. Select Reset to generate a TCP RST packet whenever the signature is triggered. Select Default to use the default action of the signatures." "If you enable Packet logging, FortiGate saves a copy of the packet that matches the signature."
NEW QUESTION # 40
Refer to the exhibit.
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.
Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)
- A. The Detection Mode setting is not set to Passive.
- B. The Enable probe packets setting is not enabled.
- C. The configured participants are not SD-WAN members.
- D. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
Answer: B,D
Explanation:
With Detection Mode set to Active, FortiGate only sends probes when Enable probe packets is turned on, and each participating SD-WAN member needs a valid gateway so the probe has a next hop out of that member. Passive mode would measure live traffic instead of sending probes, and the participants already have to be SD-WAN members to be selected at all.
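As an added example (not from this page or from Fortinet's documentation), the FortiOS 7.x CLI below shows a performance SLA that does emit probes: both conditions from the answer, the probe-packets toggle and a member gateway, are present. Interface names, gateways and member IDs are assumed.

```fortios
# Added example: performance SLA that actually sends probes.
# Interface names, gateway addresses and member IDs are assumed values.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
            # without a valid gateway, probes for this member are never sent
            set gateway 192.0.2.254
        next
        edit 2
            set interface "port2"
            set gateway 198.51.100.254
        next
    end
    config health-check
        edit "Level3_DNS"
            set server "4.2.2.2" "4.2.2.1"
            set protocol ping
            # active mode relies on probe packets; passive mode would measure user traffic instead
            set detect-mode active
            # this is the "Enable probe packets" toggle from the GUI; disabled means no probes at all
            set probe-packets enable
            set interval 500
            set failtime 5
            set recoverytime 5
            # participants must be SD-WAN members, referenced by member ID
            set members 1 2
        next
    end
end
```

After applying it, `diagnose sys sdwan health-check` shows per-member latency, jitter and packet loss for the two servers; if a member still shows no results, the first thing to verify is that its gateway is reachable on the member's subnet.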
NEW QUESTION # 41
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
- A. NGFW mode
- B. Operating mode
- C. System time
- D. FortiGuard update servers
Answer: A,B
Explanation:
B: "Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate."
A: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-based (default) to Policy-based directly in System > Settings from the VDOM." (FortiGate Infrastructure 6.4 Study Guide, p. 125)
System time and the FortiGuard update servers are global settings shared by every VDOM.
NEW QUESTION # 42
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)
- A. FortiGate queries AD by using LDAP to retrieve user group information.
- B. FortiGate uses the AD server as the collector agent.
- C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
- D. FortiGate points the collector agent to use a remote LDAP server.
Answer: A,C
Explanation:
FortiGate Infrastructure 7.0 Study Guide (pp. 272-273)
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732
NEW QUESTION # 43
Which three statements are true regarding session-based authentication? (Choose three.)
- A. HTTP sessions are treated as a single user.
- B. It requires more resources.
- C. It is not recommended if multiple users are behind the source NAT.
- D. IP sessions from the same source IP address are treated as a single user.
- E. It can differentiate among multiple clients behind the same source IP address.
Answer: A,B,E
NEW QUESTION # 44
Refer to the exhibit.
The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
Which two statements are true? (Choose two.)
- A. FortiGate devices are not in sync because one device is down.
- B. FortiGate SN FGVM010000065036 HA uptime has been reset.
- C. FortiGate SN FGVM010000064692 has the higher HA priority.
- D. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
Answer: B,C
Explanation:
Override is disabled by default, so the election considers monitored ports first, then HA uptime, then priority, then serial number. "If the HA uptime of a device is at least five minutes (300 seconds) more than the HA uptime of the other FortiGate devices, it becomes the primary" (FortiGate Infrastructure Study Guide, p. 314). The question is therefore whether FGVM010000064692 leads on HA uptime by more than 5 minutes. It does not: 198 seconds is less than 300 seconds, so uptime does not decide the election. FGVM010000064692 is primary because of its higher priority, and the HA uptime shown for FGVM010000065036 has been reset.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab
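As an added example (not from this page or from Fortinet's documentation), the FortiOS CLI below configures a cluster with the default override disable, keeps the 300-second uptime margin explicit, and shows the diagnostic that produces the exhibit's output and the command that resets HA uptime. Group name, password, interface names and priorities are assumed.

```fortios
# Added example: active-passive cluster with override disabled.
# Group name, password, interfaces and priorities are assumed values.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "ExamplePassw0rd"
    set hbdev "port10" 50 "port9" 100
    set session-pickup enable
    # default: the primary is NOT re-elected on priority alone once a cluster has formed
    set override disable
    # a unit only wins on uptime if it leads the other by at least this many seconds
    set ha-uptime-diff-margin 300
    # on the intended primary; the peer would carry a lower value such as 100
    set priority 200
    set monitor "port1" "port2"
end
# Election order with override disabled: connected monitored ports,
# HA uptime (only when one unit leads by the margin above), priority, serial number.
get system ha status
diagnose sys ha dump-by vcluster
# To let the higher-priority unit take over without turning on override, run this
# on the current primary: its HA uptime is reset, the age comparison no longer
# favours it, and priority then decides the election.
diagnose sys ha reset-uptime
```

The last command is the mechanism behind option B: a unit whose HA uptime was reset shows a small uptime in the dump even if it has been powered on for days, which is exactly what makes the election fall through to priority.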
NEW QUESTION # 45
An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?
- A. Redundant interface
- B. Software Switch interface
- C. Aggregate interface
- D. VLAN interface
Answer: C
Explanation:
An aggregate interface (802.3ad LACP) bundles several physical ports into one logical link, so the bandwidth of the members adds up and the link survives a member failure. A redundant interface also provides failover, but only one member carries traffic at a time, so it adds no bandwidth.
NEW QUESTION # 46
Refer to the exhibit.
The exhibit contains a network diagram and routing table output.
The Student is unable to access the Webserver.
What is the cause of the problem, and what is the solution?
- A. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
- B. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
- C. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
- D. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
Answer: C
Explanation:
FortiGate runs the reverse path forwarding check on the first packet of a new session, never on reply traffic: the packet's source address must be reachable through the interface it arrived on. The Student's first packet fails because the routing table has no route to its address via port3; a static route to 203.0.114.24/32 through port3 satisfies the check.
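As an added example (not from this page or from Fortinet's documentation), the FortiOS CLI below adds the static route from answer C, shows the setting that switches between loose and strict RPF, and runs the flow trace that reveals an RPF drop. The address and interface are taken from the answer option; the gateway is assumed.

```fortios
# Added example: make the Student's first packet pass the RPF check.
# 203.0.114.24/32 and port3 come from the answer; the gateway is an assumed value.
config router static
    edit 0
        set dst 203.0.114.24 255.255.255.255
        set device "port3"
        set gateway 10.0.3.254
    next
end
# RPF applies to the first packet of a session only. Loose mode (the default) accepts
# the packet if any route to its source exits the ingress interface; strict mode
# requires the best route to do so.
config system settings
    set strict-src-check disable
end
# Confirm with the flow debugger: a packet that still fails is logged with the
# message "reverse path check fail, drop"; after the route is added it is accepted.
diagnose debug flow filter addr 203.0.114.24
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from the Student, then stop the trace
diagnose debug disable
diagnose debug flow filter clear
```

Before adding a route like this, confirm the gateway really sits on port3's subnet; a static route whose next hop is unreachable is installed but does not make the source reachable, so the check keeps failing.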
NEW QUESTION # 47
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
- A. On Remote-FortiGate, set Seconds to 43200.
- B. On HQ-FortiGate, enable Auto-negotiate.
- C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
- D. On HQ-FortiGate, set Encryption to AES256.
Answer: D
Explanation:
Phase 2 only completes if the two peers share at least one encryption/authentication proposal (and, with PFS enabled, a Diffie-Hellman group). In the exhibit the encryption offered by HQ-FortiGate does not match the remote side, so setting it to AES256 on HQ-FortiGate aligns the proposals. Auto-negotiate changes when the SA is negotiated, not what is negotiated, and the key lifetime is not part of the proposal match.
NEW QUESTION # 49
Refer to the web filter raw logs.
Based on the raw logs shown in the exhibit, which statement is correct?
- A. The name of the firewall policy is all_users_web.
- B. Access to the social networking web filter category was explicitly blocked to all users.
- C. The action on firewall policy ID 1 is set to warning.
- D. Social networking web filter category is configured with the action set to authenticate.
Answer: D
NEW QUESTION # 50
Refer to the exhibit.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What is the impact of using the Include in every user group option in a RADIUS configuration?
- A. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
- B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
- C. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
- D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
Answer: B
NEW QUESTION # 51
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?
- A. FortiGuard category filter and rating filter
- B. Static domain filter, SSL inspection filter, and external connectors filters
- C. Static URL filter, FortiGuard category filter, and advanced filters
- D. DNS-based web filter and proxy-based web filter
Answer: C
NEW QUESTION # 52
An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?
- A. new-session
- B. auth-on-demand
- C. idle-timeout
- D. hard-timeout
- E. soft-timeout
Answer: D
Explanation:
hard-timeout starts the clock at authentication and logs the user out when it expires, regardless of activity. idle-timeout restarts the clock with every packet seen from the user, and new-session logs the user out only if no new session is created within the timeout, even while existing sessions still carry traffic.
Reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Firewall/ta-p/189423
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221#:~:text=Hard%20timeout%3A%20User%20
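As an added example (not from this page or from Fortinet's documentation), the FortiOS CLI below sets the timeout type the question asks for and names the two alternatives; the timeout value is assumed.

```fortios
# Added example: firewall authentication timeout behaviour (timeout value assumed).
config user setting
    # hard-timeout: the clock starts at authentication and the user is logged out
    # after auth-timeout minutes no matter how much traffic is flowing
    set auth-timeout-type hard-timeout
    set auth-timeout 60
end
# The other two values the same setting accepts:
#   idle-timeout  - the clock restarts with every packet from the user (the default)
#   new-session   - the user stays logged in only while new sessions keep being created
# Show authenticated users together with their remaining time:
diagnose firewall auth list
```

auth-timeout is expressed in minutes, and a single type applies to every firewall-authenticated user in the VDOM, so pick hard-timeout only where forcing periodic re-authentication is the intended policy.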
NEW QUESTION # 53
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)
- A. FortiGate generates a system event log for every port block allocation made per user.
- B. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
- C. FortiGate allocates 128 port blocks per user.
- D. FortiGate allocates port blocks on a first-come, first-served basis.
Answer: B,C
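As an added example (not from this page or from Fortinet's documentation), the FortiOS CLI below builds a port-block-allocation IP pool and the policy that uses it, which is the configuration behind the per-user block allocation the question describes. Pool addresses, block size, block count, timeout, interface names and the "subscribers" address object are assumed.

```fortios
# Added example: CGNAT port block allocation (all values assumed).
config firewall ippool
    edit "PBA-pool"
        set type port-block-allocation
        set startip 203.0.113.10
        set endip 203.0.113.20
        # each block is 128 consecutive ports; a subscriber may hold up to 8 blocks
        set block-size 128
        set num-blocks-per-user 8
        # blocks with no active sessions are released after 30 minutes
        set pba-timeout 30
    next
end
# Subscriber traffic is NATed through the pool; "subscribers" is an assumed address object
config firewall policy
    edit 1
        set name "subscribers-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "subscribers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "PBA-pool"
    next
end
```

Blocks are handed out to internal addresses as sessions appear, so the pool size, block size and blocks-per-user together cap how many subscribers can be served before allocation fails; size them from the expected subscriber count rather than from the address range alone.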
NEW QUESTION # 54
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
- A. FortiGate automatically negotiates a new security association after the existing security association expires.
- B. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
- C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
- D. FortiGate automatically negotiates different local and remote addresses with the remote peer.
Answer: B
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=12069
FortiGate Infrastructure 7.2 Study Guide (p. 264): "...then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away." "Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled."
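As an added example covering both question 47 (the phase 2 proposal mismatch) and question 54 (auto-negotiate), not from this page or from Fortinet's documentation, the FortiOS CLI below shows the two peers' phase 2 settings before and after the fix. Tunnel names, subnets, DH group and lifetime are assumed; the AES128/AES256 split mirrors the answer to question 47.

```fortios
# Added example: phase 2 proposals on both peers (names, subnets, DH group assumed).
# --- HQ-FortiGate before the fix: only AES128 offered ---
config vpn ipsec phase2-interface
    edit "HQ-to-Remote"
        set phase1name "HQ-to-Remote"
        set proposal aes128-sha256
        set dhgrp 14
        set keylifeseconds 43200
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end
# --- Remote-FortiGate: only AES256 offered, so no proposal overlaps with HQ ---
config vpn ipsec phase2-interface
    edit "Remote-to-HQ"
        set phase1name "Remote-to-HQ"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 43200
        set src-subnet 10.0.2.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.255.0
    next
end
# --- HQ-FortiGate after the fix: AES256 added so one proposal matches, and
# auto-negotiate enabled so the tunnel comes up and stays up without waiting
# for interesting traffic (Autokey Keep Alive is implied by it) ---
config vpn ipsec phase2-interface
    edit "HQ-to-Remote"
        set proposal aes256-sha256 aes128-sha256
        set auto-negotiate enable
    next
end
# Verify: the phase 2 SA should now be listed; if not, watch the IKE negotiation.
diagnose vpn tunnel list name HQ-to-Remote
diagnose debug application ike -1
diagnose debug enable
```

Listing the stronger proposal first on HQ-FortiGate is deliberate: the initiator's order expresses its preference, and keeping AES128 as a second option means the tunnel still forms if the remote side is later changed back.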
NEW QUESTION # 55
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)
- A. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
- B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
- C. The client FortiGate requires a manually added route to remote subnets.
- D. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
Answer: A,B
Explanation:
https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/508779/fortigate-as-ssl-vpn-client
NEW QUESTION # 57
Refer to the exhibits.
Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
- A. Apple FaceTime will be allowed, based on the Categories configuration.
- B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
- C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
- D. Apple FaceTime will be allowed, based on the Apple filter configuration.
Answer: B
Explanation:
FortiGate Security 7.2 Study Guide (p.310): "Then, FortiGate scans packets for matches, in this order, for the application control profile: 1. Application and filter overrides: If you have configured any application overrides or filter overrides, the application control profile considers those first. It looks for a matching override starting at the top of the list, like firewall policies. 2. Categories: Finally, the application control profile applies the action that you've configured for applications in your selected categories."
NEW QUESTION # 58
Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)
- A. FortiGate directs the collector agent to use a remote LDAP server.
- B. FortiGate uses the AD server as the collector agent.
- C. FortiGate does not support workstation check .
- D. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
Answer: C,D
Explanation:
FSSO can be deployed without installing an agent: FortiGate polls the domain controllers directly instead of receiving logon information from a collector agent.
Because FortiGate collects all of the data itself, agentless polling mode needs more system resources and does not scale as easily.
Agentless polling works like the collector agent's WinSecLog mode, but watches only two event IDs: 4768 and 4769. With no collector agent in the path, FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
FortiGate acts as the collector and handles polling on top of its normal FSSO tasks, but it lacks the extra features, such as workstation checks, that the external collector agent provides.
Reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349
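As an added example covering both question 42 and question 58, not from this page or from Fortinet's documentation, the FortiOS CLI below configures agentless polling against one domain controller together with the LDAP server object that supplies group membership. The DC address, domain, polling account, LDAP DN and object names are assumed.

```fortios
# Added example: agentless FSSO polling (DC address, account, domain and names assumed).
# The polling account must be allowed to read the Security event log on each DC;
# FortiGate reads events 4768 and 4769 over SMB itself, so there is no collector
# agent and therefore no workstation check.
config user fsso-polling
    edit 1
        set status enable
        set server 10.0.1.10
        set default-domain "EXAMPLE"
        set user "fsso-poller"
        set password "ExamplePassw0rd"
        # group membership is still resolved over LDAP, not from the event log
        set ldap-server "AD-LDAP"
        set logon-history 8
        set polling-frequency 10
    next
end
config user ldap
    edit "AD-LDAP"
        set server "10.0.1.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fsso-poller,cn=Users,dc=example,dc=com"
        set password "ExamplePassw0ldap"
    next
end
# Verify that polling succeeds and that logons are being learned:
diagnose debug fsso-polling summary
diagnose debug authd fsso list
```

One FortiGate polls every DC you list, so each additional DC entry adds SMB reads at the polling frequency; on a large domain that load, not the LDAP lookups, is what makes the collector agent the better fit.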
Fortinet is a leading provider of network security solutions that enable businesses and organizations to protect their critical information and networks from cyber threats. One of the key products in the Fortinet portfolio is FortiOS, a powerful operating system that provides advanced security features and capabilities. To ensure that IT professionals have the necessary skills and knowledge to effectively manage and secure networks using FortiOS, Fortinet offers a comprehensive certification program that includes the NSE4_FGT-7.2 exam.
NSE4_FGT-7.2 Exam Dumps Pass with Updated 2024 Certified Exam Questions: https://testking.vceprep.com/NSE4_FGT-7.2-latest-vce-prep.html