Fortinet NSE 4 - FortiOS 7.6 Administrator

Title of test:
Fortinet NSE 4 - FortiOS 7.6 Administrator

Description:
Fortinet NSE 4 - FortiOS 7.6 Administrator

Creation Date: 2026/02/11

Category: Others

Number of questions: 54

Content:

Refer to the exhibit. Which two behaviors result from this full (deep) SSL configuration? (Choose two.)
A. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
B. The browser bypasses all certificate warnings and allows the connection.
C. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
D. A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.

Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)
A. Aggressive mode supports XAuth, while main mode does not.
B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
D. Main mode cannot be used for dialup VPNs, while aggressive mode can.

Which type of traffic inspection requires FortiGate to act as a CA?
A. SSL traffic inspection when protecting a local SSL server.
B. SSL certificate inspection when protecting multiple clients connecting to multiple servers.
C. SSL traffic inspection when protecting multiple clients connecting to multiple servers.
D. SSL certificate inspection when protecting a local SSL server.

Refer to the exhibit. A user at 192.168.32.15 is trying to access the web server at 172.16.32.254. Which statement about the RPF check is true?
A. Strict RPF check will deny the traffic.
B. Strict RPF check will allow the traffic.
C. Loose RPF check will allow the traffic.
D. Loose RPF check will deny the traffic.

An administrator suspects that the Collector Agent is not forwarding login events to FortiGate. What is the most effective troubleshooting step?
A. Verify whether the DC agent is enabled on FortiGate.
B. Restart the domain controller to refresh authentication services.
C. Verify whether FortiGate is set to use LDAP authentication instead of FSSO.
D. Check whether TCP port 8000 is open between the collector agent and FortiGate.

Refer to the exhibit. Which route will be selected when trying to reach 10.20.30.254?
A. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
B. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
C. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
D. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]

Refer to the exhibits. A web filter profile configuration and a firewall policy configuration are shown. You are trying to access www.facebook.com, but you are redirected to a FortiGuard web filtering block page. What is the reason for the block?
A. The web rating override configuration is incorrect.
B. The web filter profile feature set is configured incorrectly.
C. The firewall policy inspection mode is incorrect.
D. For www.facebook.com, the URL filter action is incorrect.

An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN. How can this be achieved?
A. Using web-only mode.
B. Assigning public IP addresses to SSL-VPN users.
C. Configuring web bookmarks.
D. Disabling split tunneling.

Which two settings can be configured when a FortiGate is deployed as the root FortiGate in a Security Fabric topology? (Choose two.)
A. FortiManager IP address.
B. Fabric name.
C. FortiAnalyzer IP address.
D. Pre-authorize downstream FortiGate devices.

What must you configure to enable TCP session failover?
A. You do not need to configure anything because all TCP sessions are automatically failed over.
B. You must configure "session-pickup enable" under config system ha.
C. You must configure "ha-configuration sync" under config system ha.
D. You must configure "session-pickup-connectionless enable" under config system ha.

Refer to the exhibits. Which statement about the configuration settings is true?
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.
C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
D. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
A. Trusted host.
B. Trusted authentication.
C. SSH.
D. FortiTelemetry.
E. HTTPS.

Which statement about firewall policy NAT is true?
A. DNAT is not supported.
B. SNAT can automatically apply to multiple firewall policies, based on SNAT policies.
C. You must configure SNAT for each firewall policy.
D. DNAT can automatically apply to multiple firewall policies, based on DNAT rules.

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
A. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
B. A zone can be chosen as the outgoing interface.
C. Only the any interface can be chosen as an incoming interface.
D. Multiple interfaces can be selected as incoming and outgoing interfaces.

Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)
A. Email.
B. Instant message app.
C. SMS text message.
D. FortiToken Mobile.
E. Voicemail message.

You have hired contractors for your company, created user accounts for them, and added them to the contractors group. The contractors receive a certificate warning error when they attempt to access the FortiGate GUI. Employees can access the portal without any errors. Which two changes must you make to allow the contractors to access the FortiGate GUI? (Choose two.)
A. Import the Fortinet_CA_SSL certificate into the contractors' browsers.
B. Disable full SSL inspection on FortiGate to prevent warning errors.
C. Install the company CA certificate on FortiGate.
D. Create a local-in firewall policy and add contractors as a source group.

FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt. What is the most likely reason for this situation?
A. The user is using a guest account profile.
B. The user was authenticated using passive authentication.
C. No matching user account exists for this user.
D. The user is using a super admin account.

Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)
A. FortiGate can act as an LDAP client to configure the group filters.
B. It is only supported if DC agents are deployed.
C. It supports monitoring of nested groups.
D. It uses the Windows convention for naming; that is, Domain\Username.

Refer to the exhibit. Which statement about the routes shown is true?
A. The default route on port2 is the preferred route.
B. The port3 default route is an inactive route.
C. Both default routes have different administrative distances.
D. All of the entries in the routing database table are installed in the FortiGate routing table.

Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?
A. It captures the user IP address and workstation name and forwards them to FortiGate.
B. It captures the login events and forwards them to FortiGate.
C. It captures the login events and forwards them to the collector agent.
D. It captures the login and logoff events and forwards them to the collector agent.

Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)
A. One-to-one.
B. Fixed port range.
C. Overload.
D. Port block allocation.

Refer to the exhibits. You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits. You cannot access any of the Google applications, but you are able to access www.fortinet.com. What would you do to resolve this issue?
A. Add *Google*.com to the URL category in the security profile.
B. Change Inspection mode to Flow-based.
C. Move up Google in the Application and Filter Overrides section to set its priority to 1.
D. Set SSL inspection to certificate-inspection.

Refer to the exhibit, which shows a partial configuration from the remote authentication server. Why does the FortiGate administrator need this configuration?
A. To set up a RADIUS server secret.
B. To authenticate Any FortiGate user groups.
C. To authenticate and match the Training OU on the RADIUS server.
D. To authenticate only the Training user group.

A FortiGate firewall policy is configured with active authentication; however, the user cannot authenticate when accessing a website. Which protocol must FortiGate allow even though the user cannot authenticate?
A. LDAP.
B. TACACS+.
C. Kerberos.
D. DNS.

An administrator wants to configure an IPS sensor to block traffic that triggers a signature a set number of times during a specific time period. How can the administrator achieve this objective?
A. Use IPS group signatures, set rate-mode 60.
B. Use the IPS packet logging option with the periodical filter option.
C. Use an IPS filter with the rate-mode periodical option.
D. Use an IPS filter with rate-count and rate-duration to define the threshold window.
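The rate-based IPS question above comes down to a threshold window: a signature that fires at least rate-count times from the same tracked source within rate-duration seconds gets its traffic blocked. The Python below is an added worked example, not code from this page or from FortiOS. It models that sliding window over constructed events; the event records, addresses and signature name are made up, and the model simplifies FortiOS rate-mode handling to "block the hit that reaches the threshold and every further hit while the window still holds that many".

```python
from collections import defaultdict, deque


class RateBasedSignature:
    """Sliding-window threshold modelled on FortiOS rate-count / rate-duration /
    rate-track (simplified model, not FortiOS code)."""

    def __init__(self, rate_count: int, rate_duration: int, rate_track: str = "src-ip"):
        self.rate_count = rate_count          # hits needed inside the window
        self.rate_duration = rate_duration    # window length in seconds
        self.rate_track = rate_track          # which field identifies the offender
        self._hits = defaultdict(deque)       # track key -> timestamps of recent hits

    def _key(self, event: dict) -> str:
        # Only src-ip and dest-ip tracking are modelled here.
        return event["src"] if self.rate_track == "src-ip" else event["dst"]

    def observe(self, event: dict) -> str:
        """Return 'block' if this hit makes the tracked key reach the threshold
        inside the window, otherwise 'pass'. Events must arrive in time order."""
        window = self._hits[self._key(event)]
        now = event["ts"]
        # Drop hits that fell out of the rate-duration window.
        while window and now - window[0] > self.rate_duration:
            window.popleft()
        window.append(now)
        return "block" if len(window) >= self.rate_count else "pass"


# Constructed sample events (assumption: every record is a hit of one signature
# handled by a single sensor entry). Timestamps are seconds from an arbitrary zero.
EVENTS = [
    {"ts": 0,   "src": "10.0.1.5", "dst": "10.0.2.9", "sig": "Example.Signature"},
    {"ts": 2,   "src": "10.0.1.5", "dst": "10.0.2.9", "sig": "Example.Signature"},
    {"ts": 4,   "src": "10.0.1.5", "dst": "10.0.2.9", "sig": "Example.Signature"},
    {"ts": 5,   "src": "10.0.1.5", "dst": "10.0.2.9", "sig": "Example.Signature"},
    {"ts": 10,  "src": "10.0.1.7", "dst": "10.0.2.9", "sig": "Example.Signature"},  # different source
    {"ts": 200, "src": "10.0.1.5", "dst": "10.0.2.9", "sig": "Example.Signature"},  # window expired
]


def evaluate(events, rate_count: int = 3, rate_duration: int = 60):
    """Run the events through one sensor entry and return the per-hit action."""
    sensor = RateBasedSignature(rate_count, rate_duration)
    return [sensor.observe(e) for e in sorted(events, key=lambda e: e["ts"])]


if __name__ == "__main__":
    # With rate-count 3 / rate-duration 60, the third and fourth hits from
    # 10.0.1.5 are blocked; the other host and the hit at t=200 pass.
    for event, action in zip(sorted(EVENTS, key=lambda e: e["ts"]), evaluate(EVENTS)):
        print(f"t={event['ts']:>3}  {event['src']:<10} {action}")
```

Lowering rate-duration or raising rate-count only changes which hit crosses the line; the detection logic is the same window eviction followed by a count, which is what the rate-count and rate-duration settings in the last option define.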

What is the primary FortiGate election process when the HA override setting is enabled?
A. Connected monitored ports > Priority > HA uptime > FortiGate serial number.
B. Connected monitored ports > Priority > System uptime > FortiGate serial number.
C. Connected monitored ports > HA uptime > Priority > FortiGate serial number.
D. Connected monitored ports > System uptime > Priority > FortiGate serial number.

Refer to the exhibit. Based on this partial configuration, what are two possible outcomes when FortiGate enters conserve mode? (Choose two.)
A. Administrators cannot change the configuration.
B. FortiGate skips quarantine actions.
C. Administrators must restart FortiGate to allow new sessions.
D. FortiGate drops new sessions requiring inspection.

Refer to the exhibit. The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to answer this specific request from the NOC team?
A. Move NOC_Access to the top of the list to ensure all profile settings take effect.
B. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
C. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access.
D. Increase the admintimeout value under config system accprofile NOC_Access.

Refer to the exhibit. The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit. For which two reasons are these web categories exempted? (Choose two.)
A. The FortiGate temporary certificate denies the browser's access to websites that use HTTP Strict Transport Security.
B. These websites are in an allowlist of reputable domain names maintained by FortiGuard.
C. Resource utilization is optimized because these websites are in the trusted domain list on FortiGate.
D. Legal regulation aims to prioritize user privacy and protect sensitive information for these websites.

Refer to the exhibit. As an administrator you have created an IPS profile, but it is not performing as expected. While testing, you got the output shown in the exhibit. What could be the possible reason for the diagnose output shown in the exhibit?
A. There is no firewall policy configured with an IPS security profile.
B. FortiGate entered the IPS fail open state.
C. The administrator entered the command diagnose test application ipsmonitor 5.
D. The administrator entered the command diagnose test application ipsmonitor 99.

A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View. The policies appear in a different order in each view. Why is the policy order different in these two views?
A. Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator's manual ordering.
B. By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.
C. The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.
D. Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.

A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode. Which step is NOT part of the expected process?
A. The DC agent sends login event data directly to FortiGate.
B. The user logs in to the Windows domain.
C. The collector agent forwards login event data to FortiGate.
D. FortiGate determines user identity based on the IP address in the FSSO list.

Refer to the exhibit. What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?
A. FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.
B. FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.
C. FortiGate will close the connection if the SNI does not match the CN or SAN fields.
D. FortiGate will close the connection if the SNI does not match the CN and SAN fields.

You have configured the following commands on a FortiGate. What would be the impact of this configuration on FortiGate?
A. FortiGate will enable strict RPF on all its interfaces, and port1 will be enabled for asymmetric routing.
B. FortiGate will enable strict RPF on all its interfaces, and port1 will be exempted from RPF checks.
C. Port1 will be enabled with flexible RPF, and all other interfaces will be enabled for strict RPF.
D. The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces.

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded. The administrator confirms that the traffic matches the configured firewall policy. What are two reasons for the failed virus detection by FortiGate? (Choose two.)
A. The selected SSL inspection profile has certificate inspection enabled.
B. The website is exempted from SSL inspection.
C. The EICAR test file exceeds the protocol options oversize limit.
D. The browser does not trust the FortiGate self-signed CA certificate.

Which two statements are true about an HA cluster? (Choose two.)
A. An HA cluster cannot have both in-band and out-of-band management interfaces at the same time.
B. Link failover triggers a failover if the administrator sets the interface down on the primary device.
C. When sniffing the heartbeat interface, the administrator must see the IP address 169.254.0.2.
D. HA incremental synchronization includes FIB entries and IPsec SAs.

Which three statements about SD-WAN performance SLAs are true? (Choose three.)
A. They rely on session loss and jitter.
B. They can be measured actively or passively.
C. They are applied in an SD-WAN rule with the lowest-cost strategy.
D. They monitor the state of the FortiGate device.
E. All the SLA targets can be configured.

Which two statements describe characteristics of automation stitches? (Choose two.)
A. Actions involve only devices included in the Security Fabric.
B. An automation stitch can have multiple triggers.
C. Multiple actions can run in parallel.
D. Triggers can involve external connectors.

Refer to the exhibit. An administrator has configured an Application Override for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that scans all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com website several times. Why are there no logs generated under security logs for ABC.Com?
A. The ABC.Com Type is set as Application instead of Filter.
B. ABC.Com is configured under an application profile, which must be configured as a web filter profile.
C. The ABC.Com Action is set to Allow.
D. ABC.Com is hitting the category Excessive-Bandwidth.

Refer to the exhibit. An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access Facebook.com, they are redirected to a FortiGuard web filtering block page. Based on the exhibit, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites?
A. Change the Feature set of the Web Filter Profile to Proxy-based.
B. Set the Action to Exempt for www.facebook.com in the Static URL Filter.
C. Change the Type to Simple in the Static URL Filter section.
D. Set the Social Networking action to Warning in the FortiGuard Category Based Filter.

A remote user reports slow SSL VPN performance and frequent disconnections. The user is located in an area with poor internet connectivity. What setting should the administrator adjust to improve the user's experience?
A. Enable split tunneling to reduce VPN traffic.
B. Change the SSL VPN port to a non-standard port.
C. Increase the session timeout for inactive sessions.
D. Configure the DTLS timeout to accommodate high-latency connections.

When configuring firewall policies, which of the following is true regarding the policy ID?
A. It is mandatory to provide a policy ID while creating a firewall policy, regardless of GUI or CLI.
B. A firewall policy ID identifies the order of policy execution in firewall policies.
C. You can create a policy in the CLI with policy ID 0.
D. A policy ID cannot be edited once a policy is created.

You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked. What FortiGate settings should you check to resolve this issue?
A. FortiGuard category ratings.
B. Application and Filter Overrides.
C. Network Protocol Enforcement.
D. Replacement Messages for UDP-based Applications.

You are analyzing connectivity problems caused by intermediate devices blocking traffic in an SSL VPN environment. In which two ways can you effectively resolve the problem? (Choose two.)
A. You can turn off IKE fragmentation to fix large certificate negotiation problems.
B. You should use IPsec to solve issues with fragment drops and large certificate exchanges.
C. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
D. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.

When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface?
A. To allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails.
B. To make sure all sessions without source NAT enabled always use the primary WAN link.
C. To improve security by forcing users to authenticate again when the WAN link changes.
D. To ensure that existing SSL VPN connections remain on the same interface even if route changes occur.

Refer to the exhibit. An administrator has created a new firewall address to use as the destination for a static route. Why is the administrator not able to select the new address in the Destination field of the new static route?
A. In the new static route, the administrator must first set the interface to port2.
B. In the new firewall address, Routing configuration must be enabled.
C. In the new firewall address, the FQDN address must first be resolved.
D. In the new static route, the administrator must select Named Address.

An administrator notices that some users are unable to establish SSL VPN connections, while others can connect without any issues. What should the administrator check first?
A. Ensure that the affected users are using the correct port number.
B. Ensure that user traffic is hitting the firewall policy.
C. Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN.
D. Ensure that the HTTPS service is enabled on the SSL VPN tunnel interface.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
A. On BR1-FGT, set Seconds to 43200.
B. On HQ-NGFW, enable Diffie-Hellman Group 2.
C. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
D. On HQ-NGFW, set Encryption to AES256.

Refer to the exhibits. An administrator wants to add HQ-ISFW-2 to the Security Fabric. HQ-ISFW-2 is in the same subnet as HQ-ISFW. After configuring the Security Fabric settings on HQ-ISFW-2, the status stays Pending. What are two possible reasons? (Choose two.)
A. Upstream FortiGate IP must be set to 10.0.11.254.
B. SAML Single Sign-On must be set to Manual.
C. HQ-ISFW-2 must be authorized on HQ-ISFW.
D. Management IP must be set to 10.0.13.254.

Refer to the exhibits. An administrator has observed the performance status outputs of an HA cluster for 55 seconds. Which FortiGate is the primary?
A. HQ-NGFW-2, because of the memory-failover-threshold setting.
B. HQ-NGFW-2, because of the priority setting.
C. HQ-NGFW-1, because of the memory-failover-flip-timeout setting.
D. HQ-NGFW-1, because of the override setting.

You have configured the FortiGate device for FSSO. A user logs in to Windows successfully, but their access to the internet is denied. What should the administrator check first?
A. Whether the user is assigned to the correct AD group.
B. The FortiGate firewall policy settings for SSL decryption.
C. The FortiGate FSSO active users list for the user's IP address.
D. The Windows Event Viewer for failed login attempts.

There are multiple dialup IPsec VPNs configured in aggressive mode on the HQ FortiGate. The requirement is to connect dial-up users to their respective department VPN tunnels. Which phase 1 setting can you configure to match the user to the tunnel?
A. Local Gateway.
B. Dead Peer Detection.
C. Peer ID.
D. IKE Mode Config.

What are two characteristics of HA cluster heartbeat IP addresses in a FortiGate device? (Choose two.)
A. Heartbeat IP addresses are used to distinguish between cluster members.
B. The heartbeat interface of the primary device in the cluster is always assigned IP address 169.254.0.1.
C. A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster.
D. Heartbeat interfaces have virtual IP addresses that are manually assigned.

Refer to the exhibit. Based on the routing table shown in the exhibit, which two statements are true? (Choose two.)
A. A packet with the source IP address 10.0.13.10 arriving on port2 is allowed if strict RPF is disabled.
B. A packet with the source IP address 10.100.110.10 arriving on port2 is allowed if strict RPF is enabled.
C. A packet with the source IP address 10.100.110.10 arriving on port3 is allowed if strict RPF is disabled.
D. A packet with the source IP address 10.10.10.10 arriving on port2 is allowed if strict RPF is enabled.
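The RPF question above, the 192.168.32.15 RPF question and the "which route will be selected for 10.20.30.254" question all turn on two rules: longest-prefix match chooses the route, and the RPF check compares the incoming interface with the interface of the best route back to the source (strict) or of any route back to the source (loose). The Python below is an added worked example, not code from this page or from FortiOS. Its routing table is constructed from the four routes listed as options in the 10.20.30.254 question, with the gateways and interfaces given there; the distance/priority tie-break is a simplified model of FortiOS route selection, and the [10/0] / [1/0] bracket values are assumed equal for all four routes, as the options show.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str
    distance: int = 10   # administrative distance (first bracket pair in the exhibit)
    priority: int = 1    # route priority (second bracket pair); simplified tie-break


def best_route(table, addr):
    """Longest-prefix match; ties broken by lower distance, then lower priority.
    FortiOS installs only the lowest-distance route for a prefix; this model
    folds that into the tie-break so the lookup stays a single function."""
    ip = ipaddress.IPv4Address(addr)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance, r.priority))


def strict_rpf_allows(table, src, in_if):
    """Strict RPF: the *best* route back to the source must exit via in_if."""
    r = best_route(table, src)
    return r is not None and r.interface == in_if


def loose_rpf_allows(table, src, in_if):
    """Loose RPF: *any* route covering the source via in_if is enough."""
    ip = ipaddress.IPv4Address(src)
    return any(ip in r.prefix and r.interface == in_if for r in table)


# Constructed table: the four routes listed in the 10.20.30.254 question.
TABLE = [
    Route(ipaddress.ip_network("10.30.20.0/24"), "172.20.121.2",   "port1"),
    Route(ipaddress.ip_network("10.20.30.0/24"), "172.20.167.254", "port3"),
    Route(ipaddress.ip_network("0.0.0.0/0"),     "172.20.121.2",   "port1"),
    Route(ipaddress.ip_network("10.20.30.0/26"), "172.20.168.254", "port2"),
]


def selected_interface(dst, table=TABLE):
    """Egress interface the lookup picks for dst, or None if nothing matches."""
    r = best_route(table, dst)
    return r.interface if r else None


if __name__ == "__main__":
    # .254 is outside 10.20.30.0/26 (.0 to .63), so the /24 via port3 wins;
    # .10 is inside the /26, so the more specific route via port2 wins.
    print("10.20.30.254 ->", best_route(TABLE, "10.20.30.254"))
    print("10.20.30.10  ->", best_route(TABLE, "10.20.30.10"))
    # A packet from 10.20.30.10 arriving on port3: strict RPF drops it (best
    # route back is via port2); loose RPF accepts it (the /24 via port3 exists).
    print("strict:", strict_rpf_allows(TABLE, "10.20.30.10", "port3"))
    print("loose: ", loose_rpf_allows(TABLE, "10.20.30.10", "port3"))
```

The 10.20.30.10 case is the one that separates the two modes: an asymmetric path that only a less specific route explains passes loose RPF and fails strict RPF, which is why enabling strict RPF globally and exempting a single interface (the last CLI question) changes what that interface accepts.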
