NSE4_7.2v2
Test title: NSE4_7.2v2
Description: Network Security




Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?
- diagnose wad session list
- diagnose wad session list | grep hook-pre&&hook-out
- diagnose wad session list | grep hook=pre&&hook=out
- diagnose wad session list | grep "hook=pre"&"hook=out"

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?
- Fabric Coverage.
- Automated Response.
- Security Posture.
- Optimization.

In which two ways can RPF checking be disabled? (Choose two.)
- Enable anti-replay in firewall policy.
- Disable the RPF check at the FortiGate interface level for the source check.
- Enable asymmetric routing.
- Disable strict-src-check under system settings.

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)
- FortiGate points the collector agent to use a remote LDAP server.
- FortiGate uses the AD server as the collector agent.
- FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
- FortiGate queries AD by using the LDAP to retrieve user group information.

What are two features of collector agent advanced mode? (Choose two.)
- In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
- In advanced mode, security profiles can be applied only to user groups, not individual users.
- Advanced mode uses the Windows convention—NetBios: Domain\Username.
- Advanced mode supports nested or inherited groups.

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?
- Full Content inspection.
- Proxy-based inspection.
- Certificate inspection.
- Flow-based inspection.

Which statement regarding the firewall policy authentication timeout is true?
- It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
- It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
- It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
- It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?
- The Services field prevents SNAT and DNAT from being combined in the same policy.
- The Services field is used when you need to bundle several VIPs into VIP groups.
- The Services field removes the requirement to create multiple VIPs for different services.
- The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
- FortiGate automatically negotiates different local and remote addresses with the remote peer.
- FortiGate automatically negotiates a new security association after the existing security association expires.
- FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
- FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile. An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement? (Choose two.)
- Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
- Configure a web override rating for download.com and select Malicious Websites as the subcategory.
- Set the Freeware and Software Downloads category Action to Warning.
- Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option. What is the impact of using the Include in every user group option in a RADIUS configuration?
- This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
- This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
- This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
- This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?
- It always authorizes the traffic without requiring authentication.
- It drops the traffic.
- It authenticates the traffic using the authentication scheme SCHEME2.
- It authenticates the traffic using the authentication scheme SCHEME1.

Which contains a session list output. Based on the information shown in the exhibit, which statement is true?
- Destination NAT is disabled in the firewall policy.
- One-to-one NAT IP pool is used in the firewall policy.
- Overload NAT IP pool is used in the firewall policy.
- Port block allocation IP pool is used in the firewall policy.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?
- DNS-based web filter and proxy-based web filter.
- Static URL filter, FortiGuard category filter, and advanced filters.
- Static domain filter, SSL inspection filter, and external connectors filters.
- FortiGuard category filter and rating filter.

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?
- It uses UDP 8888.
- It uses UDP 53.
- It uses DNS over HTTPS.
- It uses DNS over TLS.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)
- To detect intermediary NAT devices in the tunnel path.
- To dynamically change phase 1 negotiation mode to aggressive mode.
- To encapsulate ESP packets in UDP packets using port 4500.
- To force a new DH exchange with each phase 2 rekey.

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
- The public key of the web server certificate must be installed on the browser.
- The web-server certificate must be installed on the browser.
- The CA certificate that signed the web-server certificate must be installed on the browser.
- The private key of the CA certificate that signed the browser certificate must be installed on the browser.

The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of diagnose sys virtual-wan-link health-check. Which interface will be selected as an outgoing interface?
- port2.
- port4.
- port3.
- port1.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)
- Heartbeat interfaces have virtual IP addresses that are manually assigned.
- A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
- Virtual IP addresses are used to distinguish between cluster members.
- The primary device in the cluster is always assigned IP address 169.254.0.1.

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
- Subject Key Identifier value.
- SMIME Capabilities value.
- Subject value.
- Subject Alternative Name value.

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server. An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout. The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN. What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)
- Set the maximum session TTL value for the TELNET service object.
- Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
- Create a new service object for TELNET and set the maximum session TTL.
- Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Which three protocols can a client use to authenticate against a FortiGate configured as transparent web proxy? (Choose three.)
- SMTP.
- SSH.
- HTTP.
- SOCKS5.
- FTP.

Which two statements regarding the SD-WAN feature on FortiGate are true? (Choose two.)
- FortiGate supports only one SD-WAN interface per VDOM.
- Each member interface requires its own firewall policy to allow traffic.
- SD-WAN provides route failover protection, but cannot load-balance traffic.
- An SD-WAN static route does not require a next-hop gateway IP address.

Which firewall authentication methods does FortiGate support?
- Local password authentication.
- Out-of-band authentication.
- Server-based password authentication.
- Two-factor authentication.
- Biometric authentication.

An administrator configured antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only. What is causing this issue?
- The test file is larger than the oversize limit.
- HTTPS protocol is not enabled under Inspected Protocols.
- Hardware acceleration is in use.
- Full-content inspection for HTTPS is disabled.

Examine the following log message attributes: hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled" Which two statements about the log are correct? (Choose two.)
- The user was prompted to decide whether to proceed or go back.
- The user failed authentication.
- The website was allowed on the first attempt.
- The category action was set to warning.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. The override setting is enable for the FortiGate with SN FGVM010000064692. Which two statements are true? (Choose two.)
- FortiGate SN FGVM010000065036 HA uptime has been reset.
- FortiGate devices are not in sync because one device is down.
- FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
- FortiGate SN FGVM010000064692 has the higher HA priority.

An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?
- Interface Pair view will be disabled.
- Search option will be disabled.
- Policy lookup will be disabled.
- By Sequence view will be disabled.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem. With this configuration, which statement is true?
- Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
- A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.
- Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
- Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Which two statements are true about the RPF check? (Choose two.)
- The RPF check is run on the first reply packet of any new session.
- The RPF check is run on the first sent packet of any new session.
- The RPF check is run on the first sent and reply packet of any new session.
- RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
- Log downloads from the GUI are limited to the current filter view.
- Log backups from the CLI can be configured to upload to FTP at a scheduled time.
- Log downloads from the GUI are stored as LZ4 compressed files.
- Log backups from the CLI cannot be restored to another FortiGate.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?
- Enable asymmetric routing, so the RPF check will be bypassed.
- Disable the RPF check at the FortiGate interface level for the reply check.
- Disable the RPF check at the FortiGate interface level for the source check.
- Enable asymmetric routing at the interface level.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?
- Custom permission for Network.
- Read/Write permission for Log & Report.
- CLI diagnostics commands permission.
- Read/Write permission for Firewall.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
- Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
- Apple FaceTime will be allowed, based on the Apple filter configuration.
- Apple FaceTime will be allowed, based on the Categories configuration.
- Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

Which two types of traffic are managed only by the management VDOM? (Choose two.)
- PKI.
- Traffic shaping.
- FortiGuard web filter queries.
- DNS.

Which of the following statements are correct? (Choose two.)
- This setup requires at least two firewall policies with the action set to IPsec.
- Dead peer detection must be disabled to support this type of IPsec setup.
- The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
- This is a redundant IPsec setup.

What is the primary FortiGate election process when the HA override setting is disabled?
- Connected monitored ports > System uptime > Priority > FortiGate Serial number.
- Connected monitored ports > HA uptime > Priority > FortiGate Serial number.
- Connected monitored ports > Priority > HA uptime > FortiGate Serial number.
- Connected monitored ports > Priority > System uptime > FortiGate Serial number.

Based on the raw log, which two statements are correct? (Choose two.)
- Traffic is blocked because Action is set to DENY in the firewall policy.
- Traffic belongs to the root VDOM.
- This is a security log.
- Log severity is set to error on FortiGate.

Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
- It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
- ADVPN is only supported with IKEv2.
- Tunnels are negotiated dynamically between spokes.
- Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

In which two ways can RPF checking be disabled? (Choose two.)
- Enable anti-replay in firewall policy.
- Disable the RPF check at the FortiGate interface level for the source.
- Enable asymmetric routing.
- Disable strict-src-check under system settings.

An administrator wants to block https://www.example.com/videos and allow all other URLs on the website. What are two configuration changes that the administrator can make to satisfy the requirement? (Choose two.)
- Configure web override for the URL and select a blocked FortiGuard subcategory.
- Enable full SSL inspection.
- Configure a static URL filter entry for the URL and select Block as the action.
- Configure a video filter profile to block the URL.

Which statement about traffic flow in an active-active HA cluster is true?
- The SYN packet from the client always arrives at the primary device first.
- The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client.
- The ACK from the client is received on the physical MAC address of the primary device.
- All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.

Based on the diagnostic outputs above, how is FortiGate handling new packets that require IPS inspection?
- They are allowed and inspected.
- They are dropped.
- They are allowed and inspected, as long as no additional proxy-based inspection is required.
- They are allowed, but with no inspection.

Which two IP pool types enable you to identify user connections without having to log user traffic? (Choose two.)
- Overload.
- Port block allocation.
- Fixed port range.
- One-to-one.

Which three actions are valid for static URL filtering? (Choose three.)
- Block.
- Exempt.
- Shape.
- Allow.
- Warning.

An administrator configured the antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only. What is causing this issue?
- Hardware acceleration is in use.
- Full SSL inspection is disabled.
- The test file is larger than the oversize limit.
- HTTPS protocol is not enabled under Inspected Protocols.

What two things does this raw log indicate? (Choose two.)
- The traffic originated from 66.171.121.44.
- The traffic matches the webfilter profile on firewall policy ID 2.
- 192.168.1.24 is the IP address for www.fortinet.com.
- FortiGate allowed the traffic to pass.

Which are two benefits of using SD-WAN? (Choose two.)
- WAN is used effectively.
- Firewall policies are not required.
- Application steering is available.
- FortiGate performs per-packet distribution across multiple SD-WAN members.

FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt. What is the most likely reason for this situation?
- No matching user account exists for this user.
- The user is using a super admin account.
- The user was authenticated using passive authentication.
- The user is using a guest account profile.

View the exhibit. A user at 192.168.32.15 is trying to access the web server at 172.16.32.254. Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.)
- Loose RPF check will deny the traffic.
- Strict RPF check will allow the traffic.
- Loose RPF check will allow the traffic.
- Strict RPF check will deny the traffic.

What does the command diagnose debug fsso-polling refresh-user do?
- It refreshes user group information from any servers connected to FortiGate using a collector agent.
- It refreshes all users learned through agentless polling.
- It displays status information and some statistics related to the polls done by FortiGate on each DC.
- It enables agentless polling mode real-time debug.

Which statement about the HA override setting in FortiGate HA clusters is true?
- It enables monitored ports.
- It reboots FortiGate.
- It synchronizes device priority on all cluster members.
- You must configure override settings manually and separately for each cluster member.

Which statement about the configuration settings is true?
- When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
- When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
- When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
- The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile in proxy-based inspection mode? (Choose two.)
- Warning.
- Exempt.
- Allow.
- Learn.