[Mar 23, 2023] Step by Step Guide to Prepare for NSE4_FGT-7.0 Exam BrainDumps [Q75-Q97]

Mar 23, 2023 Step by Step Guide to Prepare for NSE4_FGT-7.0 Exam BrainDumps

Fortinet NSE 4 NSE4_FGT-7.0 Real Exam Questions and Answers FREE Updated on 2023

NEW QUESTION 75
Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

A. Policy rule
B. Security policy
C. Firewall policy
D. SSL inspection and authentication policy

Answer: B,D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode

NEW QUESTION 76
Which two statements about antivirus scanning mode are true? (Choose two.)

A. In flow-based inspection mode, files bigger than the buffer size are scanned.
B. In proxy-based inspection mode, files bigger than the buffer size are scanned.
C. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

Answer: C,D

Explanation:
An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM-something that no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses pass through.

NEW QUESTION 77
Refer to the exhibit.

According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?

A. A bridge CA
B. A root CA
C. A user
D. A subordinate

Answer: C

NEW QUESTION 78
Which two statements are true about the FGCP protocol? (Choose two.)

A. Is used to discover FortiGate devices in different HA groups
B. Elects the primary FortiGate device
C. Not used when FortiGate is in Transparent mode
D. Runs only over the heartbeat links

Answer: B,D

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/564712/fgcp-fortigate-clustering-protocol

NEW QUESTION 79
Which two statements are true about collector agent advanced mode? (Choose two.)

A. Advanced mode supports nested or inherited groups
B. Advanced mode uses Windows convention-NetBios: Domain\Username.
C. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate
D. Security profiles can be applied only to user groups, not individual users.

Answer: A,C

NEW QUESTION 80
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?

A. The administrator must use the user self-registration server.
B. The administrator can register the same FortiToken on more than one FortiGate.
C. The administrator must use a FortiAuthenticator device.
D. The administrator can use a third-party radius OTP server.

Answer: C

NEW QUESTION 81
Which three statements are true regarding session-based authentication? (Choose three.)

A. It requires more resources.
B. It is not recommended if multiple users are behind the source NAT
C. IP sessions from the same source IP address are treated as a single user.
D. It can differentiate among multiple clients behind the same source IP address.
E. HTTP sessions are treated as a single user.

Answer: A,D,E

NEW QUESTION 82
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

A. FortiGate does not support full SSL inspection when web filtering is enabled.
B. The browser requires a software update.
C. There are network connectivity issues.
D. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

Answer: D

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41394

NEW QUESTION 83
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

A. diagnose wad session list | grep "hook=pre"&"hook=out"
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list

Answer: D

NEW QUESTION 84
Which two statements are true about the RPF check? (Choose two.)

A. The RPF check is run on the first sent packet of any new session.
B. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.
C. The RPF check is run on the first sent and reply packet of any new session.
D. The RPF check is run on the first reply packet of any new session.

Answer: A,B

Explanation:
Reference: https://www.programmersought.com/article/16383871634/

NEW QUESTION 85
Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

A. Destination NAT is disabled in the firewall policy.
B. One-to-one NAT IP pool is used in the firewall policy.
C. Port block allocation IP pool is used in the firewall policy.
D. Overload NAT IP pool is used in the firewall policy.

Answer: B

Explanation:
Explanation
FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.

NEW QUESTION 86
Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

A. The action on the firewall policy must be set to deny.
B. The firewall policy does not apply deep content inspection.
C. Web filter should be enabled on the firewall policy to complement the antivirus profile.
D. The firewall policy must be configured in proxy-based inspection mode.

Answer: B

NEW QUESTION 87
Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A. There will be eight routes active in the routing table.
B. The port1 and port2 default routes are active in the routing table.
C. The port3 default route has the highest distance.
D. The port3 default route has the lowest metric.

Answer: B,C

NEW QUESTION 88
An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

A. The number of logs generated by denied traffic is reduced.
B. A session for denied traffic is created.
C. Device detection on all interfaces is enforced for 30 minutes.
D. Denied users are blocked for 30 minutes.

Answer: A,B

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328

NEW QUESTION 89
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

A. The two VLAN sub interfaces must have different VLAN IDs.
B. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
C. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
D. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

Answer: A

Explanation:
Explanation
FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf -
"Multiple VLANs can coexist in the same physical interface, provide they have different VLAN ID"

NEW QUESTION 90
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

A. It matched the default implicit firewall policy.
B. It failed the RPF check.
C. It matched an explicitly configured firewall policy with the action DENY.
D. The next-hop IP address is unreachable.

Answer: A

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900

NEW QUESTION 91
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

A. SSH
B. FTM
C. HTTPS
D. FortiTelemetry

Answer: A,C

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/buildingsecurity-into-fortios

NEW QUESTION 92
When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?

A. Sequence ID
B. Universally Unique Identifier
C. Policy ID
D. Log ID

Answer: B

NEW QUESTION 93
Which statement about video filtering on FortiGate is true?

A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
B. It is available only on a proxy-based firewall policy.
C. Full SSL Inspection is not required.
D. It inspects video files hosted on file sharing services.

Answer: B

NEW QUESTION 94
Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

A. Security Posture
B. Optimization
C. Automated Response
D. Fabric Coverage

Answer: A

NEW QUESTION 95
Refer to the exhibit.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)