Fortinet NSE 4 - FortiOS 7.2 Exam Practice Questions
115 Questions

Created by
@FunnyPortland

Questions and Answers

What order must FortiGate use when the web filter profile has features enabled, such as safe search?

Static URL filter, FortiGuard category filter, and advanced filters

Based on the information shown in the exhibit, which statement is true?

One-to-one NAT IP pool is used in the firewall policy

Reliable logging on FortiGate is required to encrypt the transmission of logs.

False

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure due to a high-latency internet connection?

Change the login timeout

Which attribute is added to a firewall policy to support recording logs to FortiAnalyzer or FortiManager and improves functionality when integrated with these devices?

Universally Unique Identifier

FortiGate operates in NAT mode and when configured with two VLAN subinterfaces on the same physical interface, the VLAN subinterfaces must have ______________ VLAN IDs.

different

FortiGate can overwrite logs when the local disk is full and generates a warning when log disk usage reaches 95%.

True

What inspection mode does FortiGate use if configured as a policy-based next-generation firewall (NGFW)?

Proxy-based inspection

Which purposes are served by NAT traversal in IPsec?

To detect intermediary NAT devices in the tunnel path

Which statement is correct regarding the use of application control for inspecting web applications?

Application control can identify child and parent applications, and perform different actions on them.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, split tunneling is enabled.

Which inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)?

Proxy-based inspection

What change can the administrator make to allow Twitter while blocking all other social networking sites?

C

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA?

TWAMP

Which of the following conditions must be met for a web browser to trust a web server certificate signed by a third-party CA?

The CA certificate that signed the web-server certificate must be installed on the browser.

An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Disable the RPF check at the FortiGate interface level for the source check.

Which feature in the Security Fabric takes one or more actions based on event triggers?

Automation Stitches

What interface will be selected as an outgoing interface based on the given information?

port1

Which three security features require the intrusion prevention system (IPS) engine to function?

Web application firewall

Which two statements are true about the FGCP protocol?

FGCP elects the primary FortiGate device.

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

The collector agent uses a Windows API to query DCs for user logins.

Policy lookup will be disabled in a firewall policy if outgoing Interface any is configured.

False

Which two actions can you perform only from the root FortiGate in a Security Fabric?

Ban or unban compromised hosts.

What changes can the administrator make to resolve the issue without affecting services running through FortiGate?

Decrease the SSL VPN connection timeout

What is the correct statement about ADVPN?

It is only supported with IKEv2.

Which DPD mode on FortiGate meets the requirement of sending DPD probes only when no traffic is observed in the tunnel?

On Idle

What permission is required to run the diagnose firewall auth list CLI command on FortiGate?

CLI diagnostics commands permission

What is the correct statement about the Services field in a Virtual IP (VIP)?

It removes the requirement to create multiple VIPs for different services.

What two changes can the administrator make to deny Webserver access for Remote-User2?

Set the Destination address as Web_server in the Deny policy.

What two statements are true about the traffic passing through the FortiGate HA cluster?

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

What will happen to Apple FaceTime based on the application control profile?

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

Which two types of traffic are managed only by the management VDOM?

FortiGuard web filter queries

Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Which two SD-WAN load balancing methods use interface weight value to distribute traffic?

Volume

Which two statements are correct about a software switch on FortiGate?

Can act as a Layer 2 switch as well as a Layer 3 router.

Which two types of traffic are managed only by the management VDOM?

DNS

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

A root CA

Which two statements are correct about NGFW Policy-based mode?

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.

Which timeout option should be configured on FortiGate for users?

new-session

What two statements are correct about system performance and conserve mode?

FortiGate has entered conserve mode.

Which two statements are correct about SLA targets?

SLA targets are optional.

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Subject Key Identifier value

What are the reasons why the port1 interface cannot be configured with an IP address?

The operation mode is transparent.

What is the correct statement about video filtering on FortiGate?

It is available only on a proxy-based firewall policy.

Why did the FortiGate drop the packet?

It matched the default implicit firewall policy.

What configuration change will bring phase 2 up?

On HQ-FortiGate, set Encryption to AES256.

What subnet must the administrator configure for the local quick mode selector for site B?

192.168.2.0/24

Which three options are the remote log storage options you can configure on FortiGate? (Choose three)

FortiAnalyzer

Which two statements about the debug flow output are correct? (Choose two)

A new traffic session is created.

Which statement about the session diagnostic output is true?

The session is in SYN_SENT state.

Which statement about video filtering on FortiGate is true?

It is available only on a proxy-based firewall policy.

Based on the given exhibit, what configuration change must the administrator make to fix the connectivity issue when accessing the web server public address (203.0.113.2) from the internet?

In the VIP configuration, enable arp-reply.

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

Which three pieces of information are included in the sniffer output? (Choose three)

IP header

SSL VPN web mode assigns a virtual IP address to the client.

False

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate?

Security policy, SSL inspection and authentication policy

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates a new security association after the existing security association expires.

Which statements about VLAN subinterfaces with the same VLAN ID are correct?

The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

Which two key configuration changes are needed on FortiGate to set up redundant IPsec VPN tunnels effectively? (Choose two)

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

What is the limitation of using a URL list and application control on the same firewall policy in NGFW policy-based mode?

It limits the scanning of application traffic to the application category only.

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two)

Operating mode

Regarding the inspection of services by web applications embedded in third-party websites, which statement is correct?

FortiGate can inspect sub-application traffic regardless of where it was originated.

Based on the raw log, which two statements are correct?

Traffic belongs to the root VDOM.

Which statements best describe auto discovery VPN (ADVPN)?

Tunnels are negotiated dynamically between spokes.

Which two statements are true based on the output of the CLI command: diagnose sys ha dump-by vcluster?

FortiGate SN FGVM010000064692 has the higher HA priority.

If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage, what does this indicate?

The IPS engine was inspecting a high volume of traffic.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

10.200.1.100

In which two ways can RPF checking be disabled?

Disable the RPF check at the FortiGate interface level for the source check.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers?

The administrator didn't configure a gateway for the SD-WAN members, or the configured gateway is not valid.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection?

The CA extension must be set to TRUE.

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

get system arp

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scope of application control to scan application traffic using parent signatures only.

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic and does not support dynamic DNS update service. What type of remote gateway should the administrator configure?

Dialup User

Examine this PAC file configuration. Which of the following statements are true?

Browsers can be configured to retrieve this PAC file from the FortiGate.

Which of the following statements are correct?

This is a redundant IPsec setup.

Which two statements are true when FortiGate is in transparent mode?

By default, all interfaces are part of the same broadcast domain.

Given the interfaces shown in the exhibit, which two statements are true?

port1 is a native VLAN.

Which CLI command will display sessions both from the client to the proxy and from the proxy to the servers?

diagnose wad session list

An administrator is running the following sniffer command. Which three pieces of information will be included in the sniffer output?

Packet payload

An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Add user accounts to the Ignore User List.

Examine this FortiGate configuration. How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

It authenticates the traffic using the authentication scheme SCHEME1.

An administrator has configured the following settings. What are the two results of this configuration? (Choose two)

A session for denied traffic is created.

Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

On HQ-FortiGate, set Encryption to AES256.

Which two statements explain antivirus scanning modes? (Choose two)

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Change the SSL VPN port on the client.

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two)

NTP

Which statement regarding the firewall policy authentication timeout is true?

It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

The exhibit contains a network diagram and routing table output. The Student is unable to access Webserver. What is the cause of the problem and what is the solution for the problem?

The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem. With this configuration, which statement is true?

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Which statement describes a characteristic of automation stitches?

They can have one or more triggers.

Which three statements explain a flow-based antivirus profile? (Choose three)

Optimized performance compared to proxy-based inspection.

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

SSL VPN idle-timeout

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match. Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two)

On HQ-FortiGate, set IKE mode to Main (ID protection).

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two)

The primary device in the cluster is always assigned IP address 169.254.0.1.

Which three authentication timeout types are available for selection on FortiGate? (Choose three)

Idle-timeout

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three)

The policy table in the GUI can be filtered to display policies with IPv4, IPv6, or IPv4 and IPv6 sources and destinations.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

User or User Group

Which of the following statements about central NAT are true? (Choose two.)

IP pool references must be removed from existing firewall policies before enabling central NAT.

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

Root FortiGate

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Configure host check.

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Based on the raw logs shown in the exhibit, which statement is correct?

The action on firewall policy ID 1 is set to warning.

Which scanning technique on FortiGate can be enabled only on the CLI?

Heuristics scan

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

Strict RPF checks the best route back to the source using the incoming interface.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

10.200.3.1, 10.0.1.10, and 443, respectively

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

Antivirus scanning

Which three methods are used by the collector agent for AD polling? (Choose three.)

NetAPI

Which CLI command will display sessions both from the client to the proxy and from the proxy to the servers?

diagnose wad session list

An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?

Aggregate interface

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option. What is the impact of using the Include in every user group option in a RADIUS configuration?

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

set fortiguard-anycast disable

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?

The administrator must use a FortiAuthenticator device.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

execute ping

Which two types of traffic are managed only by the management VDOM? (Choose two.)

PKI

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

Study Notes

FortiGate NSE 4 - FortiOS 7.2

Auto Discovery VPN (ADVPN)

  • Auto Discovery VPN (ADVPN) requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
  • Tunnels are negotiated dynamically between spokes.

HA Uptime

  • HA uptime is used to determine which FortiGate device becomes the primary.
  • If the HA uptime of a device is at least 5 minutes more than the HA uptime of other FortiGate devices, it becomes the primary.

IPS Diagnostic Command

  • Option 5 of the IPS diagnostic command decreases CPU usage.
  • The IPS engine was inspecting a high volume of traffic.

NAT and Source IP

  • In a network configuration, the source IP address used to source NAT internet traffic coming from a workstation is determined by the IP pool or VIP configuration.

RPF Checking

  • RPF checking can be disabled in two ways:
    • By disabling the RPF check at the FortiGate interface level for the source check.
    • By disabling strict-src-check under system settings.

Performance SLA

  • To generate traffic in a performance SLA, a gateway must be configured for the SD-WAN members, and the enable probe packets setting must be enabled.

SSL Inspection

  • For a certificate to be used as a CA certificate on SSL inspection, it must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.

Troubleshooting Layer 2 Issues

  • The get system arp command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict.

URL List and Application Control

  • When using a URL list and application control on the same firewall policy in NGFW policy-based mode, the scope of application control is limited to scan application traffic using parent signatures only.

IPsec VPN

  • In IPsec VPN, the dialup user type is used when the remote peer's IP address is unknown.
  • Dead peer detection must be disabled to support IPsec setup with multiple tunnels.

FortiGate in Transparent Mode

  • When FortiGate is in transparent mode, all interfaces are part of the same broadcast domain.
  • FortiGate forwards frames without changing the MAC address.

VLAN Configuration

  • Port1-vlan and port2-vlan can be assigned to the same VDOM or to different VDOMs.
  • Port1 is a native VLAN.

CLI Commands

  • diagnose sys ha dump-by vcluster command displays the HA uptime and priority of FortiGate devices.
  • get system arp command is used to troubleshoot Layer 2 issues.
  • diagnose wad session list command displays sessions from the client to the proxy and from the proxy to the servers.

Log Storage Options

  • The three remote log storage options available on FortiGate are:
    • FortiSIEM
    • FortiAnalyzer
    • FortiCloud

Debug Flow Output

  • The debug flow output shows the packet flow and can be used to troubleshoot issues.
  • The debug flow output can be used to identify the state of a session.

Session Diagnostic Output

  • The session diagnostic output shows the current state of a session.
  • The session diagnostic output can be used to identify the state of a session.

Video Filtering

  • Video filtering on FortiGate is available only on a proxy-based firewall policy.
  • Video filtering inspects video files hosted on file sharing services.

TCP Sessions

  • FortiGate keeps TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session.
  • This is to allow for out-of-order packets that could arrive after the FIN/ACK packets.

SSL VPN Web Mode

  • SSL VPN web mode requires only a web browser, but supports a limited number of protocols.
  • SSL VPN web mode does not assign a virtual IP address to the client.

Policy-Based Next-Generation Firewall (NGFW)

  • Two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate:
    • Security policy
    • SSL inspection and authentication policy

Redundant VPNs

  • Redundant VPNs can be used to keep connectivity between sites up when the primary connection fails
  • Three DPD (Dead Peer Detection) modes are available: On demand, Periodic, and Bidirectional
  • DPD should be enabled on both ends
  • Add one phase 1 configuration for each tunnel
  • Add at least one phase 2 definition for each phase 1
  • Add one static route for each path
  • Use distance or priority to select primary routes over backup routes

NGFW Policy-Based Mode

  • In NGFW policy-based mode, URL list and application control can be used together to control traffic
  • However, the URL list is limited to inspecting traffic at the URL level, while application control can inspect traffic at a deeper level
  • Application control is more comprehensive and can provide more granular control over specific applications

VDOM Settings

  • Operating mode and NGFW mode can be configured separately per VDOM on a FortiGate device
  • This allows for combining transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate

Inspection of Web Applications

  • FortiGate can inspect sub-application traffic regardless of where it was originated
  • Application control can identify child and parent applications, and perform different actions on them based on the configuration
  • SSL inspection is not required to identify web applications

SSL VPN Settings

  • By default, split tunneling is enabled for SSL VPN
  • The admin GUI and SSL VPN portal use the same HTTPS port

Firewall Virtual Wire Pair Policy

  • Only a single virtual wire pair can be included in each policy
  • This allows for granular control over the specific traffic that can traverse each virtual wire pair

Session-Based Authentication

  • HTTP sessions are treated as a single user
  • IP sessions from the same source IP address are treated as a single user
  • It can differentiate among multiple clients behind the same source IP address
  • It requires more resources

Security Fabric Ratings

  • Provides executive summaries of the four largest areas of security focus
  • Many of the security issues can be fixed immediately by clicking Apply where available
  • The Security Fabric rating must be run on the root FortiGate device in the Security Fabric
  • The Security Fabric rating is a free service that comes bundled with all FortiGate devices

IPS Signature

  • The IPS signature setting uses a custom rating threshold
  • The signature setting includes a group of other signatures
  • Traffic matching the signature will be silently dropped and logged

FSSO Agentless Polling Mode

  • FortiGate uses the AD server as the collector agent
  • FortiGate uses the SMB protocol to read the event viewer logs from the DCs
  • It doesn't point the collector agent to use a remote LDAP server, nor does it directly query AD using LDAP to retrieve user group information.

Security Fabric Rating

  • Security Fabric Rating is a feature that helps to visualize, measure, and improve the security posture of a network.
  • When issues are detected, they are presented with an 'Apply' button which can help to fix many of these security issues immediately.
  • Security Fabric Rating is a built-in feature in FortiGate devices and does not require an additional purchase.

FortiGate Device Configuration

  • FortiGate devices can be configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
  • In this scenario, the two VLAN subinterfaces must have different VLAN IDs.
  • Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Firewall Policy

  • A firewall policy can be configured to allow destinations from LAN to WAN.
  • Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

FortiGuard Category-Based Filter

  • FortiGuard category-based filter can be used in a web filter profile in proxy-based inspection mode.
  • Valid actions for FortiGuard category-based filter include Warning, Allow, and Exempt.

NAT Traversal in IPsec

  • NAT traversal in IPsec is used to detect intermediary NAT devices in the tunnel path.
  • It encapsulates ESP packets in UDP packets using port 4500.

Policy-Based Next-Generation Firewall (NGFW)

  • FortiGate uses proxy-based inspection mode if it is configured as a policy-based next-generation firewall (NGFW).
  • This mode supports creating applications and web filtering categories directly in a firewall policy.

Auto Discovery VPN (ADVPN)

  • ADVPN requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
  • Tunnels are negotiated dynamically between spokes.

Dead Peer Detection (DPD)

  • DPD is used to detect dead tunnels in IPsec VPN.
  • DPD can be configured to send probes only when no traffic is observed in the tunnel (On Idle mode).

Virtual IP (VIP)

  • VIP is used to bundle several VIPs into VIP groups.
  • The Services field in VIP configuration is used to prevent SNAT and DNAT from being combined in the same policy.

High Availability (HA) Cluster

  • An HA cluster can be configured to perform proxy-based inspection on traffic.
  • The cluster can load balance ICMP connections to the secondary.

Application Control Profile

  • An application control profile can be used to block or allow specific applications.
  • The profile can be configured to allow Apple FaceTime based on the Excessive-Bandwidth filter configuration.

SD-WAN Load Balancing

  • SD-WAN load balancing can be configured to use interface weight value to distribute traffic.
  • The Spillover and Volume methods of SD-WAN load balancing use interface weight values to distribute traffic.

Software Switch

  • A software switch on FortiGate can be configured to group physical interfaces.
  • It can act as a Layer 2 switch as well as a Layer 3 router.

Digital Certificate

  • A digital certificate can be used to identify the issuer and the subject.
  • If the Issuer and Subject values are the same in a digital certificate, the certificate was issued to a root CA.

NGFW Policy-Based Mode

  • NGFW policy-based mode does not require the use of central source NAT policy.
  • NGFW policy-based mode can be applied globally and not on individual VDOMs.

Timeouts

  • Timeouts can be configured for users on FortiGate.
  • The hard-timeout option starts the timer as soon as the user authenticates and expires after the configured value.

System Performance

  • FortiGate has a conserve mode that is triggered when the system memory usage reaches a certain threshold.
  • In conserve mode, FortiGate starts to drop packets and limits the functionality.

SLA Targets

  • SLA targets are used to determine the performance of a network.
  • SLA targets are optional and can be configured for SD-WAN rules with a Best Quality strategy.

Video Filtering

  • Video filtering on FortiGate uses FortiGuard categories.
  • It does not require a separate FortiGuard license.

Debug Flow

  • Debug flow is a tool used to troubleshoot packet flow on FortiGate.
  • It can be used to determine why a packet was dropped.

IPsec Tunnel

  • IPsec tunnel is a secure way to establish a connection between two FortiGate devices.
  • The encryption and authentication algorithm needs to match in order for IPsec to be successfully established.


Description

Practice questions for the Fortinet NSE 4 - FortiOS 7.2 certification exam, covering Fortinet technology and security features.
