NSE4 test

Description:
A practice test for taking the NSE4 exam

Creation date: 2026/06/12

Category: Other

Number of questions: 22

Questions:

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles. Which action must the administrator perform to consolidate the two policies into one?
- Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
- Create an Interface Group that includes port1 and port2 to create a single firewall policy.
- Select port1 and port2 subnets in a single firewall policy.
- Replace port1 and port2 with the any interface in a single firewall policy.

A partial cloud topology is shown. You deployed a FortiGate Cloud-Native Firewall (CNF) in AWS for FortiGate CNF policy enforcement for EC2 instance traffic. Which path does the EC2 traffic take from the EC2 instance to the internet?
- EC2 instance → Internet gateway (IGW) → gateway load balancer (GWLB) → FortiGate CNF → Internet
- EC2 instance → GWLB endpoint (GWLBe) → FortiGate CNF → IGW → Internet
- EC2 instance → GWLBe → FortiGate CNF → GWLBe → IGW → Internet
- EC2 instance → FortiGate CNF → GWLB → GWLBe → IGW → Internet

Refer to the exhibit, which shows a partial configuration from the remote authentication server.
- To authenticate only the Training user group.
- To set up a RADIUS server Secret.
- To authenticate and match the Training OU on the RADIUS server.
- To authenticate Any FortiGate user groups.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile. An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement? (Choose two.)
- Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
- Set the Freeware and Software Downloads category Action to Warning.
- Configure a web override rating for download.com and select Malicious Websites as the subcategory.
- Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details. Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
- Apple FaceTime will be allowed, based on the Video/Audio category configuration.
- Apple FaceTime will be allowed, based on the Apple filter configuration.
- Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
- Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

What is the primary FortiGate election process when the HA override setting is enabled?
- Connected monitored ports > Priority > HA uptime > FortiGate serial number
- Connected monitored ports > Priority > System uptime > FortiGate serial number
- Connected monitored ports > HA uptime > Priority > FortiGate serial number
- Connected monitored ports > System uptime > Priority > FortiGate serial number

An administrator suspects that the Collector Agent is not forwarding login events to FortiGate. What is the most effective troubleshooting step?
- Verify if DC agent is enabled on the FortiGate.
- Restart the domain controller to refresh authentication services.
- Verify if FortiGate is set to use LDAP authentication instead of FSSO.
- Check if TCP port 8000 is open between the collector agent and FortiGate.

What are three key routing principles in SD-WAN? (Choose three.)
- By default, SD-WAN rules are skipped if the included SD-WAN members do not have a valid route to the destination.
- SD-WAN rules have precedence over any other type of routes.
- Regular policy routes have precedence over SD-WAN rules.
- By default, SD-WAN rules are skipped if only one route to the destination is available.
- By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
- If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
- If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.
- If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
- If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.

The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit. For which two reasons are these web categories exempted? (Choose two.)
- The FortiGate temporary certificate denies the browser's access to websites that use HTTP Strict Transport Security (HSTS).
- These websites are in an allowlist of reputable domain names maintained by FortiGuard.
- The resource utilization is optimized because these websites are in the trusted domain list on FortiGate.
- The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.

You are configuring FortiAnalyzer on FortiGate. Which step must you take to connect FortiAnalyzer to FortiGate?
- Authorize FortiGate on FortiAnalyzer.
- Enable disk logging on FortiGate.
- Verify the FortiAnalyzer serial number.
- Configure UDP port 514 on FortiGate.

How can the administrator view the log messages shown in the exhibit? (Choose two.)
- Filtering by Policy UUID and Application Name in the log entry.
- Through the Security event log page.
- Through FortiGate CLI command diagnose log test.
- By right clicking the Implicit deny policy.

An administrator has created a new firewall address to use as the destination for a static route. Why is the administrator not able to select the new address in the Destination field of the new static route?
- In the new static route, the administrator must select Named Address.
- In the new firewall address, the FQDN address must first be resolved.

An administrator has created a new firewall address to use as the destination for a static route. Why is the administrator not able to select the new address in the Destination field of the new static route?
- In the new static route, the administrator must select Named Address.
- In the new firewall address, the FQDN address must first be resolved.
- In the new static route, the administrator must first set the interface to port2.
- In the new firewall address, Routing configuration must be enabled.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver. Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to block Remote-User2 from accessing the Webserver?
- Disable match-vip in the Allow_access policy.
- Configure a One-to-One IP Pool object in a new policy.
- Set the Destination address as Webserver in the Deny policy.
- Set the Destination address as Deny_IP in the Allow_access policy.

Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)
- Administrators cannot change the configuration.
- FortiGate skips quarantine actions.
- Administrators must restart FortiGate to allow new sessions.
- FortiGate drops new sessions requiring inspection.

You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits. You cannot access any of the Google applications, but you are able to access www.fortinet.com. What would you do to resolve this issue?
- Change the inspection mode to Proxy-based.
- Move up Google in the Application and Filter Overrides section to set its priority to 1.
- Set SSL inspection to deep-content-inspection.
- Add "Google".com to the URL category in the security profile.

You are onboarding an agentless, secure web gateway (SWG) endpoint for Secure Internet Access (SIA). What will happen to the user's nonweb traffic?
- The endpoint will use split tunneling to redirect nonweb traffic to FortiSASE.
- FortiSASE will use SWG to redirect nonweb traffic to FortiExtender.
- All the nonweb traffic will bypass FortiSASE.
- FortiSASE will use Firewall-as-a-Service (FWaaS) to redirect nonweb traffic.

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
- Extended authentication (XAuth) for faster authentication because fewer packets are exchanged.
- Extended authentication (XAuth) to request the remote peer to provide a username and password.
- No certificate is required on the remote peer when you set the certificate signature as the authentication method.
- Pre-shared key and certificate signature as authentication methods.

You have configured the FortiGate device for FSSO. A user logs in to Windows successfully, but their access to the internet is denied. What should the administrator check first?
- Whether the user is assigned to the correct AD group.
- The FortiGate firewall policy settings for SSL decryption.
- The FortiGate FSSO active users list for the user's IP address.
- The Windows Event Viewer for failed login attempts.

Which three statements explain a flow-based antivirus profile? (Choose three.)
- FortiGate buffers the whole file but transmits to the client at the same time.
- Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
- If a virus is detected, the last packet is delivered to the client.
- Flow-based inspection optimizes performance compared to proxy-based inspection.
- The IPS engine handles the process as a standalone.

A FortiGate firewall policy is configured with active authentication; however, the user cannot authenticate when accessing a website. Which protocol must FortiGate allow even though the user cannot authenticate?
- ICMP
- DNS
- DHCP
- LDAP
