Nse4 FGT-7.2

Free Exam/Cram Practice Materials - Best Exam Practice Materials

IT Certification Guaranteed, The Easy Way!

NO.1 A network administrator has enabled full SSL inspection and web filtering on FortiGate. When
visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP
websites, the browser does not report errors.
What is the reason for the certificate warning errors?
A. There are network connectivity issues.
B. The browser requires a software update.
C. FortiGate does not support full SSL inspection when web filtering is enabled.
D. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
Answer: D

NO.2 Which two inspection modes can you use to configure a firewall policy on a profile-based next-
generation firewall (NGFW)? (Choose two.)
A. Full Content inspection
B. Flow-based inspection
C. Proxy-based inspection
D. Certificate inspection
Answer: B,C

NO.3 Which engine handles application control traffic on the next-generation firewall (NGFW)
FortiGate?
A. Antivirus engine
B. Detection engine
C. Intrusion prevention system engine
D. Flow engine
Answer: C
Explanation:
http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control

NO.4 An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion
prevention system?
A. Disable the RPF check at the FortiGate interface level for the reply check.
B. Enable asymmetric routing, so the RPF check will be bypassed.
C. Disable the RPF check at the FortiGate interface level for the source check.
D. Enable asymmetric routing at the interface level.
Answer: C

NO.5 A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using
two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up.
* The secondary tunnel must be used only if the primary tunnel goes down.
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
A. Enable Dead Peer Detection.
B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
C. Configure a high distance on the static route for the primary tunnel, and a lower distance on the
static route for the secondary tunnel.
D. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the
static route for the secondary tunnel.
Answer: A,D
Explanation:
Study Guide - IPsec VPN - IPsec configuration - Phase 1 Network.
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring
it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have
redundant paths to the same destination and you want to fail over to a backup connection when the
primary connection fails, keeping connectivity between the sites up.
There are three DPD modes. On demand is the default mode.
Study Guide - IPsec VPN - Redundant VPNs.
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup
routes (routes for the primary VPN must have a lower distance or lower priority than the backup).
Alternatively, use dynamic routing.
Configure FW policies for each IPsec interface.

NO.6 Which statement about the IP authentication header (AH) used by IPsec is true?
A. AH provides strong data integrity but weak encryption.
B. AH does not support perfect forward secrecy.
C. AH provides data integrity but no encryption.
D. AH does not provide any data integrity or encryption.
Answer: C

NO.7 Which two policies must be configured to allow traffic on a policy-based next-generation
firewall (NGFW) FortiGate? (Choose two.)
A. SSL inspection and authentication policy
B. Security policy
Answer: A,B

NO.8 Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?
A. The session is in SYN_SENT state.
B. The session is in ESTABLISHED state.
C. The session is in FIN_WAIT state.
D. The session is in FIN_ACK state.
Answer: A
Explanation:
Indicates a TCP (proto=6) session in SYN_SENT state (proto_state=2).
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NO.9 Which two protocols are used to enable administrator access of a FortiGate device? (Choose
two.)
A. SSH
B. HTTPS
C. FTM
D. FortiTelemetry
Answer: A,B
Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

NO.10 FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN)
subinterfaces added to the same physical interface.
In this scenario, which statement about VLAN IDs is true?
A. The two VLAN subinterfaces must have different VLAN IDs.
B. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same
subnet.
C. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.
D. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different
subnets.
Answer: B,D

NO.11 Refer to the exhibits.


Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.
Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true?
(Choose two.)
A. The traffic sourced from the client and destined to the server is sent to FGT-1.
B. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them
to the secondary.
C. The cluster can load balance ICMP connections to the secondary.
D. For non-load balanced connections, packets forwarded by the cluster to the server contain the
virtual MAC address of port2 as source.
Answer: A,D

NO.12 An administrator needs to configure VPN user access for multiple sites using the same soft
FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this
objective?
A. The administrator can register the same FortiToken on more than one FortiGate.
B. The administrator must use the user self-registration server.
C. The administrator must use a FortiAuthenticator device.
D. The administrator can use a third-party RADIUS OTP server.
Answer: C

NO.13 Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default
configuration of high memory usage thresholds. Based on the system performance output, which two
statements are correct? (Choose two.)
A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode.
C. Administrators can access FortiGate only through the console port.
D. Administrators cannot change the configuration.
Answer: B,D

Reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Conserve-mode-changes/ta-p/198502
Configurable thresholds: Though it is recommended to keep the default memory threshold, a new CLI
command has been added to allow administrators to adjust the thresholds.
Default values are:
- red: 88% of total memory is considered "used memory"
- extreme: 95% of total memory is considered "used memory"
- green: 82% of total memory is considered "used memory"

NO.14 FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web
filtering and application control directly on the security policy. Which two other security profiles can
you apply to the security policy? (Choose two.)
A. Antivirus scanning
B. Intrusion prevention
C. File filter
D. DNS filter
Answer: A,B

NO.15 Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose
two.)
A. FortiGate points the collector agent to use a remote LDAP server.
B. FortiGate uses the AD server as the collector agent.
C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
D. FortiGate queries AD by using the LDAP to retrieve user group information.
Answer: C,D
Explanation:
FortiGate Infrastructure 7.0 Study Guide P.272-273
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

Get Latest & Valid NSE4_FGT-7.2 Exam's Questions and Answers from Freecram.net.
https://www.freecram.net/exam/NSE4_FGT-7.2-fortinet-nse-4-fortios-7.2-e14589.html