This page was exported from Exam for engine [ http://blog.test4engine.com ]
Export date: Mon Nov 18 2:20:17 2024 / +0000 GMT

Title: Fortinet NSE4_FGT-7.2 Real Exam Questions Test Engine Dumps Training With 175 Questions [Q24-Q40]

NEW QUESTION 24
An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?
- Configure Source IP Pools.
- Configure split tunneling in tunnel mode.
- Configure different SSL VPN realms.
- Configure host check.

NEW QUESTION 25
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
- The collector agent uses a Windows API to query DCs for user logins.
- NetAPI polling can increase bandwidth usage in large networks.
- The collector agent must search security event logs.
- The NetSessionEnum function is used to track user logouts.
Explanation: FortiGate_Infrastructure_7.0 page 270: “NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function in Windows.”

NEW QUESTION 26
Which of the following SD-WAN load balancing methods use interface weight value to distribute traffic? (Choose two.)
- Source IP
- Spillover
- Volume
- Session
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/49719/configuring-sd-wan-load-balancing

NEW QUESTION 27
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?
- Add the support of NTLM authentication.
- Add user accounts to Active Directory (AD).
- Add user accounts to the FortiGate group filter.
- Add user accounts to the Ignore User List.

NEW QUESTION 28
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)
- The keyUsage extension must be set to keyCertSign.
- The common name on the subject field must use a wildcard name.
- The issuer must be a public CA.
- The CA extension must be set to TRUE.
Explanation: “In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.”

NEW QUESTION 29
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
- The interface has been configured for one-arm sniffer.
- The interface is a member of a virtual wire pair.
- The operation mode is transparent.
- The interface is a member of a zone.
- Captive portal is enabled in the interface.
Explanation: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm

NEW QUESTION 30
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?
- The administrator can register the same FortiToken on more than one FortiGate.
- The administrator must use a FortiAuthenticator device.
- The administrator can use a third-party RADIUS OTP server.
- The administrator must use the user self-registration server.

NEW QUESTION 31
Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?
- The session is a UDP unidirectional state.
- The session is in TCP ESTABLISHED state.
- The session is a bidirectional UDP connection.
- The session is a bidirectional TCP connection.
Explanation: https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NEW QUESTION 32
Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?
- The session is in SYN_SENT state.
- The session is in FIN_ACK state.
- The session is in FIN_WAIT state.
- The session is in ESTABLISHED state.
Explanation: Indicates TCP (proto=6) session in SYN_SENT state (proto_state=2)
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NEW QUESTION 33
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?
- 10.0.1.254, 10.0.1.10, and 443, respectively
- 10.0.1.254, 10.200.1.10, and 443, respectively
- 10.200.3.1, 10.0.1.10, and 443, respectively
- 10.0.1.254, 10.0.1.10, and 10443, respectively

The host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, which is the external IP address of the VIP object named VIP in Exhibit B. The VIP object maps the external IP address and port to the internal IP address and port of the server 10.0.1.10 and 443, respectively. The VIP object also enables NAT, which means that the source address of the packet will be translated to the IP address of the outgoing interface.

The firewall policy ID 1 in Exhibit B allows traffic from WAN (port1) to LAN (port3) with the destination address of VIP and the service of HTTPS.
The policy also enables NAT, which means that the source address of the packet will be translated to the IP address of the outgoing interface.

Therefore, after FortiGate forwards the packet to the destination, the source address, destination address, and destination port of the packet will be 10.200.3.1, 10.0.1.10, and 443, respectively.

You can find more information about VIP objects and firewall policies in the Fortinet Documentation.

NEW QUESTION 34
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)
- FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
- FortiGate allocates port blocks on a first-come, first-served basis.
- FortiGate generates a system event log for every port block allocation made per user.
- FortiGate allocates 128 port blocks per user.

NEW QUESTION 35
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?
- System event logs
- Forward traffic logs
- Local traffic logs
- Security logs

NEW QUESTION 36
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.
What is the reason for the failed virus detection by FortiGate?
- The website is exempted from SSL inspection.
- The EICAR test file exceeds the protocol options oversize limit.
- The selected SSL inspection profile has certificate inspection enabled.
- The browser does not trust the FortiGate self-signed CA certificate.

HTTPS traffic requires SSL decryption.
Check the ssh inspection profile.

NEW QUESTION 37
Refer to the exhibit.
Based on the raw log, which two statements are correct? (Choose two.)
- Traffic is blocked because Action is set to DENY in the firewall policy.
- Traffic belongs to the root VDOM.
- This is a security log.
- Log severity is set to error on FortiGate.

NEW QUESTION 38
Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
- Browsers can be configured to retrieve this PAC file from the FortiGate.
- Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
- All requests not made to Fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
- Any web request to fortinet.com is allowed to bypass the proxy.

NEW QUESTION 39
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?
- IP address
- Once Internet Service is selected, no other object can be added
- User or User Group
- FQDN address
Reference: https://docs.fortinet.com/document/fortigate/6.2.5/cookbook/179236/using-internet-service-in-policy

NEW QUESTION 40
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
- The strict RPF check is run on the first sent and reply packet of any new session.
- Strict RPF checks the best route back to the source using the incoming interface.
- Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
- Strict RPF allows packets back to sources with all active routes.

Strict Reverse Path Forwarding (RPF) is a security feature that is used to detect and prevent IP spoofing attacks on a network. It works by checking the routing information for incoming packets to ensure that they are coming from the source address that is indicated in the packet’s header.
In strict RPF mode, the firewall will check the best route back to the source of the incoming packet using the incoming interface. If the packet’s source address does not match the route back to the source, the packet is dropped. This helps to prevent attackers from spoofing their IP address and attempting to access the network.

Post date: 2024-03-02 11:26:40
Post modified date: 2024-03-02 11:26:40