Fortinet Exam Practice

100% Valid and Newest Version NSE4_FGT-7.
0 Questions & Answers shared by Certleader

https://www.certleader.com/NSE4_FGT-7.0-dumps.html (172 Q&As)
NSE4_FGT-7.0 Dumps
Fortinet NSE 4 - FortiOS 7.0
https://www.certleader.com/NSE4_FGT-7.0-dumps.html
The Leader of IT Certification visit - https://www.certleader.com

100% Valid and Newest Version NSE4_FGT-7.0 Questions & Answers shared by Certleader
NEW QUESTION 1
- (Exam Topic 1)
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
A. System time
B. FortiGuaid update servers
C. Operating mode
D. NGFW mode
Answer: CD
Explanation:
C: "Operating mode is per-VDOM setting. You can combine transparent mode VDOM's with NAT mode VDOMs on the same physical Fortigate.
D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-
base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide
NEW QUESTION 2
- (Exam Topic 1)
Refer to the exhibit.
Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor
profile?
A. The signature setting uses a custom rating threshold.

B. The signature setting includes a group of other signatures.
C. Traffic matching the signature will be allowed and logged.
D. Traffic matching the signature will be silently dropped and logged.
Answer: D
Explanation:
Action is drop, signature default action is listed only in the signature, it would only match if action was set to default.
NEW QUESTION 3
- (Exam Topic 1)
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)
A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B. Enable Dead Peer Detection.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Answer: BC
Explanation:
B - because the customer requires the tunnels to notify when a tunnel goes down. DPD is designed for that purpose. To send a packet over a firewall to determine
a failover for the next tunnel after a specific amount of time of not receiving a response from its peer.
C - remember when it comes to choosing a route with regards to Administrative Distance. The route with the lowest distance for that particular route will be chosen.
So, by configuring a lower routing distance on the primary tunnel, means that the primary tunnel will be chosen to route packets towards their destination.

NEW QUESTION 4
- (Exam Topic 1)
Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)
A. Proxy-based inspection
B. Certificate inspection
C. Flow-based inspection
D. Full Content inspection
Answer: AC
NEW QUESTION 5
- (Exam Topic 1)
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1
servers? (Choose two.)
A. The Detection Mode setting is not set to Passive.

B. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
C. The configured participants are not SD-WAN members.
D. The Enable probe packets setting is not enabled.
Answer: BD
NEW QUESTION 6
- (Exam Topic 1)
Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)
A. The port3 default route has the highest distance.

B. The port3 default route has the lowest metric.
C. There will be eight routes active in the routing table.
D. The port1 and port2 default routes are active in the routing table.
Answer: AD
NEW QUESTION 7
- (Exam Topic 1)
Refer to the exhibit showing a debug flow output.
Which two statements about the debug flow output are correct? (Choose two.)
A. The debug flow is of ICMP traffic.

B. A firewall policy allowed the connection.
C. A new traffic session is created.

D. The default route is required to receive a reply.
Answer: AC
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
NEW QUESTION 8
- (Exam Topic 1)
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?
A. Policy lookup will be disabled.

B. By Sequence view will be disabled.
C. Search option will be disabled
D. Interface Pair view will be disabled.
Answer: D
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47821
NEW QUESTION 9
- (Exam Topic 1)
Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?
A. get system status

B. get system performance status
C. diagnose sys top
D. get system arp
Answer: D
Explanation:
"If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table."
NEW QUESTION 10
- (Exam Topic 1)
Refer to the exhibits.
The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?
A. Change the SSL VPN port on the client.

B. Change the Server IP address.
C. Change the idle-timeout.
D. Change the SSL VPN portal to the tunnel.
Answer: A
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/150494
NEW QUESTION 10
- (Exam Topic 1)
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with
internet access and is directly connected to ISP modem.
With this configuration, which statement is true?
A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
B. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.
C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
Answer: A
Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46542

NEW QUESTION 15
- (Exam Topic 1)
Which contains a session list output. Based on the information shown in the exhibit, which statement is true?
A. Destination NAT is disabled in the firewall policy.

B. One-to-one NAT IP pool is used in the firewall policy.
C. Overload NAT IP pool is used in the firewall policy.
D. Port block allocation IP pool is used in the firewall policy.
Answer: B
Explanation:
FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.
NEW QUESTION 17
- (Exam Topic 1)
Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)
A. There are five devices that are part of the security fabric.
B. Device detection is disabled on all FortiGate devices.
C. This security fabric topology is a logical topology view.
D. There are 19 security recommendations for the security fabric.
Answer: CD
Explanation:
References: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/761085/results
https://docs.fortinet.com/document/fortimanager/6.2.0/new-features/736125/security-fabric-topology
NEW QUESTION 21
- (Exam Topic 1)
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For

site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?
A. 192.168.1.0/24
B. 192.168.0.0/24
C. 192.168.2.0/24
D. 192.168.3.0/24
Answer: C
NEW QUESTION 22
- (Exam Topic 1)
Which two statements are correct about SLA targets? (Choose two.)
A. You can configure only two SLA targets per one Performance SLA.
B. SLA targets are optional.
C. SLA targets are required for SD-WAN rules with a Best Quality strategy.
D. SLA targets are used only when referenced by an SD-WAN rule.
Answer: BD
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/382233/performance-sla-sla-targets
NEW QUESTION 25
- (Exam Topic 1)
An administrator has configured the following settings:
What are the two results of this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 minutes.

B. Denied users are blocked for 30 minutes.
C. A session for denied traffic is created.
D. The number of logs generated by denied traffic is reduced.
Answer: CD
Explanation:
NEW QUESTION 27
- (Exam Topic 1)
Exhibit A.
Exhibit B.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the
downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
A. Change the csf setting on Local-FortiGate (root) to sec configuration-sync local.

B. Change the csf setting on ISFW (downstream) to sec configuracion-sync local.
C. Change the csf setting on Local-FortiGate (root) to sec fabric-objecc-unificacion defaulc.
D. Change the csf setting on ISFW (downstream) to sec fabric-objecc-unificacion defaulc.
Answer: A
Explanation:

NEW QUESTION 29
- (Exam Topic 1)
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or
other types of posts.
Which part of the policy configuration must you change to resolve the issue?
A. The SSL inspection needs to be a deep content inspection.

B. Force access to Facebook using the HTTP service.
C. Additional application signatures are required to add to the security policy.
D. Add Facebook in the URL category in the security policy.
Answer: A
Explanation:
The lock logo behind Facebook_like.Button indicates that SSL Deep Inspection is Required.
NEW QUESTION 33
- (Exam Topic 1)
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
A. NGFW policy-based mode does not require the use of central source NAT policy
B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
D. NGFW policy-based mode policies support only flow inspection
Answer: CD
NEW QUESTION 37
- (Exam Topic 1)
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which CLI command will cause FortiGate to use an
unreliable protocol to communicate with FortiGuard
servers for live web filtering?

A. set fortiguard-anycast disable

B. set webfilter-force-off disable
C. set webfilter-cache disable
D. set protocol tcp
Answer: A
Explanation:
NEW QUESTION 38
- (Exam Topic 1)
The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)
A. FortiGate SN FGVM010000065036 HA uptime has been reset.

B. FortiGate devices are not in sync because one device is down.
C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
D. FortiGate SN FGVM010000064692 has the higher HA priority.
Answer: AD
Explanation:
* 1. Override is disable by default - OK
* 2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary"
The question here is : HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes) Page 314 Infra Study Guide.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab
NEW QUESTION 39
- (Exam Topic 1)
Examine the intrusion prevention system (IPS) diagnostic command.

Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. The IPS engine was inspecting high volume of traffic.

B. The IPS engine was unable to prevent an intrusion attack.
C. The IPS engine was blocking all traffic.
D. The IPS engine will continue to run in a normal state.
Answer: A
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/232929/troubleshooting-high-cpu-usage

NEW QUESTION 41
- (Exam Topic 1)
An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)
A. Interface name
B. Ethernet header
C. IP header
D. Application header
E. Packet payload
Answer: ACE
Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186
NEW QUESTION 42
- (Exam Topic 2)
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)
A. FortiGate points the collector agent to use a remote LDAP server.

B. FortiGate uses the AD server as the collector agent.
C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
D. FortiGate queries AD by using the LDAP to retrieve user group information.
Answer: CD
Explanation:
Fortigate Infrastructure 7.0 Study Guide P.272-273 https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732
NEW QUESTION 45
- (Exam Topic 2)
What devices form the core of the security fabric?

A. Two FortiGate devices and one FortiManager device

B. One FortiGate device and one FortiManager device
C. Two FortiGate devices and one FortiAnalyzer device
D. One FortiGate device and one FortiAnalyzer device
Answer: C
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/425100/components
NEW QUESTION 48
- (Exam Topic 2)
In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true
about consolidated IPv4 and IPv6 policy configuration? (Choose three.)
A. The IP version of the sources and destinations in a firewall policy must be different.
B. The Incoming Interfac
C. Outgoing Interfac
D. Schedule, and Service fields can be shared with both IPv4 and IPv6.
E. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
F. The IP version of the sources and destinations in a policy must match.
G. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.
Answer: BDE
NEW QUESTION 53
- (Exam Topic 2)
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
A. A CRL
B. A person
C. A subordinate CA
D. A root CA
Answer: D
NEW QUESTION 58
- (Exam Topic 2)
Which two statements are true about the RPF check? (Choose two.)
A. The RPF check is run on the first sent packet of any new session.
B. The RPF check is run on the first reply packet of any new session.
C. The RPF check is run on the first sent and reply packet of any new session.
D. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.
Answer: AD
Explanation:
Reference: https://www.programmersought.com/article/16383871634/
NEW QUESTION 59
- (Exam Topic 2)
The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)
A. Disable match-vip in the Deny policy.

B. Set the Destination address as Deny_IP in the Allow-access policy.
C. Enable match vip in the Deny policy.
D. Set the Destination address as Web_server in the Deny policy.
Answer: CD
NEW QUESTION 61
- (Exam Topic 2)
An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?
A. Configure Source IP Pools.

B. Configure split tunneling in tunnel mode.
C. Configure different SSL VPN realms.
D. Configure host check.
Answer: D

NEW QUESTION 64
- (Exam Topic 2)
Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?
A. The session is a UDP unidirectional state.

B. The session is in TCP ESTABLISHED state.
C. The session is a bidirectional UDP connection.
D. The session is a bidirectional TCP connection.
Answer: C
NEW QUESTION 68
- (Exam Topic 2)
A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration
option is the most effective way to support this request?
A. Implement a web filter category override for the specified website

B. Implement a DNS filter for the specified website.
C. Implement web filter quotas for the specified website
D. Implement web filter authentication for the specified website.
Answer: D
NEW QUESTION 72
- (Exam Topic 2)
Refer to the exhibit to view the application control profile.
Based on the configuration, what will happen to Apple FaceTime?
A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

B. Apple FaceTime will be allowed, based on the Apple filter configuration.
C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
D. Apple FaceTime will be allowed, based on the Categories configuration.

Answer: A
NEW QUESTION 74
- (Exam Topic 2)
The exhibit contains a network diagram, central SNAT policy, and IP pool configuration. The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1). Central NAT is enabled, so NAT settings from matching Central SNAT
policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
A. 10.200.1.149
B. 10.200.1.1
C. 10.200.1.49
D. 10.200.1.99
Answer: D
NEW QUESTION 77
- (Exam Topic 2)
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
A. diagnose sys top

B. execute ping
C. execute traceroute
D. diagnose sniffer packet any
E. get system arp
Answer: BCD
NEW QUESTION 78
- (Exam Topic 2)
Which of the following statements about central NAT are true? (Choose two.)

A. IP tool references must be removed from existing firewall policies before enabling central NAT.
B. Central NAT can be enabled or disabled from the CLI only.
C. Source NAT, using central NAT, requires at least one central SNAT policy.
D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
Answer: AB
NEW QUESTION 83
- (Exam Topic 2)
In which two ways can RPF checking be disabled? (Choose two )
A. Enable anti-replay in firewall policy.

B. Disable the RPF check at the FortiGate interface level for the source check
C. Enable asymmetric routing.
D. Disable strict-arc-check under system settings.
Answer: CD
Explanation:
NEW QUESTION 87
- (Exam Topic 2)
Based on the raw log, which two statements are correct? (Choose two.)
A. Traffic is blocked because Action is set to DENY in the firewall policy.

B. Traffic belongs to the root VDOM.
C. This is a security log.
D. Log severity is set to error on FortiGate.
Answer: AC
NEW QUESTION 92
- (Exam Topic 2)
Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)
A. Web filter in flow-based inspection

B. Antivirus in flow-based inspection
C. DNS filter
D. Web application firewall
E. Application control
Answer: ABE
NEW QUESTION 93
- (Exam Topic 2)
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
A. Traffic to botnetservers
B. Traffic to inappropriate web sites
C. Server information disclosure attacks
D. Credit card data leaks
E. SQL injection attacks
Answer: CDE

NEW QUESTION 95
- (Exam Topic 2)
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning
errors. When visiting HTTP websites, the browser
does not report errors.
What is the reason for the certificate warning errors?
A. The browser requires a software update.

B. FortiGate does not support full SSL inspection when web filtering is enabled.
C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
D. There are network connectivity issues.
Answer: C
Explanation:
NEW QUESTION 100

- (Exam Topic 2)
Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)
A. This is known as many-to-one NAT.

B. Source IP is translated to the outgoing interface IP.
C. Connections are tracked using source port and source MAC address.
D. Port address translation is not used.
Answer: BD
NEW QUESTION 104

- (Exam Topic 2)
The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?
A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
C. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
Answer: D
NEW QUESTION 108

- (Exam Topic 2)
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
A. Log downloads from the GUI are limited to the current filter view
B. Log backups from the CLI cannot be restored to another FortiGate.
C. Log backups from the CLI can be configured to upload to FTP as a scheduled time
D. Log downloads from the GUI are stored as LZ4 compressed files.
Answer: AB
NEW QUESTION 112

- (Exam Topic 2)
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
A. Subject Key Identifier value

B. SMMIE Capabilities value
C. Subject value
D. Subject Alternative Name value
Answer: A

NEW QUESTION 117

- (Exam Topic 2)
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine

whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?
A. The IPS filter is missing the Protocol: HTTPS option.

B. The HTTPS signatures have not been added to the sensor.
C. A DoS policy should be used, instead of an IPS sensor.
D. A DoS policy should be used, instead of an IPS sensor.
E. The firewall policy is not using a full SSL inspection profile.
Answer: E
NEW QUESTION 118

- (Exam Topic 2)
Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)
A. Warning
B. Exempt
C. Allow
D. Learn
Answer: AC
NEW QUESTION 119

- (Exam Topic 2)
Which two statements ate true about the Security Fabric rating? (Choose two.)
A. It provides executive summaries of the four largest areas of security focus.

B. Many of the security issues can be fixed immediately by clicking Apply where available.
C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
D. The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

Answer: BC
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/292634/security-rating
NEW QUESTION 120

- (Exam Topic 2)
The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?
A. ‘host 192.168.0.2 and port 8080’

B. ‘host 10.0.0.50 and port 80’
C. ‘host 192.168.0.1 and port 80’
D. ‘host 10.0.0.50 and port 8080’
Answer: A
NEW QUESTION 122

- (Exam Topic 2)
According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?
A. A user
B. A root CA
C. A bridge CA
D. A subordinate
Answer: A
NEW QUESTION 125

- (Exam Topic 2)
Which three statements are true regarding session-based authentication? (Choose three.)
A. HTTP sessions are treated as a single user.

B. IP sessions from the same source IP address are treated as a single user.
C. It can differentiate among multiple clients behind the same source IP address.
D. It requires more resources.

E. It is not recommended if multiple users are behind the source NAT
Answer: ACD
NEW QUESTION 129

- (Exam Topic 2)
Examine the following web filtering log.
Which statement about the log message is true?
A. The action for the category Games is set to block.

B. The usage quota for the IP address 10.0.1.10 has expired
C. The name of the applied web filter profile is default.
D. The web site miniclip.com matches a static URL filter whose action is set to Warning.
Answer: C
NEW QUESTION 134

- (Exam Topic 2)
Examine the two static routes shown in the exhibit, then answer the following question.
Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?
A. FortiGate will load balance all traffic across both routes.

B. FortiGate will use the port1 route as the primary candidate.
C. FortiGate will route twice as much traffic to the port2 route
D. FortiGate will only actuate the port1 route in the routing table
Answer: B
Explanation:
“If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.”
NEW QUESTION 136

......

Thank You for Trying Our Product
* 100% Pass or Money Back

All our products come with a 90-day Money Back Guarantee.
* One year free update
You can enjoy free update one year. 24x7 online support.
* Trusted by Millions
We currently serve more than 30,000,000 customers.
* Shop Securely
All transactions are protected by VeriSign!
100% Pass Your NSE4_FGT-7.0 Exam with Our Prep Materials Via below:
https://www.certleader.com/NSE4_FGT-7.0-dumps.html

Powered by TCPDF (www.tcpdf.org)

Fortinet Exam Practice

Uploaded by

Copyright:

Available Formats

Fortinet Exam Practice

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fortinet Exam Practice

Uploaded by

Copyright:

Available Formats

100% Valid and Newest Version NSE4_FGT-7.

0 Questions & Answers shared by Certleader

Fortinet NSE 4 - FortiOS 7.0

The Leader of IT Certification visit - https://www.certleader.com

A. The signature setting uses a custom rating threshold.

The Leader of IT Certification visit - https://www.certleader.com

A. The Detection Mode setting is not set to Passive.

A. The port3 default route has the highest distance.

A. The debug flow is of ICMP traffic.

The Leader of IT Certification visit - https://www.certleader.com

D. The default route is required to receive a reply.

A. Policy lookup will be disabled.

A. get system status

A. Change the SSL VPN port on the client.

The Leader of IT Certification visit - https://www.certleader.com

A. Destination NAT is disabled in the firewall policy.

The Leader of IT Certification visit - https://www.certleader.com

What are the two results of this configuration? (Choose two.)

A. Device detection on all interfaces is enforced for 30 minutes.

A. Change the csf setting on Local-FortiGate (root) to sec configuration-sync local.

The Leader of IT Certification visit - https://www.certleader.com

A. The SSL inspection needs to be a deep content inspection.

The Leader of IT Certification visit - https://www.certleader.com

A. set fortiguard-anycast disable

A. FortiGate SN FGVM010000065036 HA uptime has been reset.

Examine the intrusion prevention system (IPS) diagnostic command.

A. The IPS engine was inspecting high volume of traffic.

The Leader of IT Certification visit - https://www.certleader.com

An administrator is running a sniffer command as shown in the exhibit.

A. FortiGate points the collector agent to use a remote LDAP server.

The Leader of IT Certification visit - https://www.certleader.com

A. Two FortiGate devices and one FortiManager device

A. Disable match-vip in the Deny policy.

A. Configure Source IP Pools.

The Leader of IT Certification visit - https://www.certleader.com

Which statement is true about the session diagnostic output?

A. The session is a UDP unidirectional state.

A. Implement a web filter category override for the specified website

Based on the configuration, what will happen to Apple FaceTime?

A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration

The Leader of IT Certification visit - https://www.certleader.com

A. diagnose sys top

The Leader of IT Certification visit - https://www.certleader.com

A. Enable anti-replay in firewall policy.

A. Traffic is blocked because Action is set to DENY in the firewall policy.

A. Web filter in flow-based inspection

The Leader of IT Certification visit - https://www.certleader.com

A. The browser requires a software update.

NEW QUESTION 100

A. This is known as many-to-one NAT.

NEW QUESTION 104

NEW QUESTION 108

NEW QUESTION 112

A. Subject Key Identifier value

The Leader of IT Certification visit - https://www.certleader.com

NEW QUESTION 117

An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine

A. The IPS filter is missing the Protocol: HTTPS option.

NEW QUESTION 118