Fortinet NSE4_FGT-6.4 Fortinet NSE 4 - FortiOS 6.4 Exam Practice Test

Page: 1 / 17
Total 165 questions

Fortinet NSE 4 - FortiOS 6.4 Questions and Answers

Question 1

Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.

Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in CPU usage?

Options:

A.

The IPS engine was inspecting a high volume of traffic.

B.

The IPS engine was unable to prevent an intrusion attack.

C.

The IPS engine was blocking all traffic.

D.

The IPS engine will continue to run in a normal state.

Question 2

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

Options:

A.

On HQ-FortiGate, enable Auto-negotiate.

B.

On Remote-FortiGate, set Seconds to 43200.

C.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

D.

On HQ-FortiGate, set Encryption to AES256.

Question 3

Which statement about the policy ID number of a firewall policy is true?

Options:

A.

It is required to modify a firewall policy using the CLI.

B.

It represents the number of objects used in the firewall policy.

C.

It changes when firewall policies are reordered.

D.

It defines the order in which rules are processed.

Question 4

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

Options:

A.

Proxy-based inspection

B.

Certificate inspection

C.

Flow-based inspection

D.

Full Content inspection

Question 5

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

Options:

A.

Application control is not enabled

B.

SSL/SSH Inspection profile is incorrect

C.

Antivirus profile configuration is incorrect

D.

Antivirus definitions are not up to date

Question 6

Refer to the exhibit.

The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration.

How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

Options:

A.

If there is a fall-through policy in place, users will not be prompted for authentication.

B.

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

C.

Authentication is enforced at a policy level; all users will be prompted for authentication.

D.

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Question 7

An administrator must disable RPF check to investigate an issue.

Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

Options:

A.

Enable asymmetric routing, so the RPF check will be bypassed.

B.

Disable the RPF check at the FortiGate interface level for the source check.

C.

Disable the RPF check at the FortiGate interface level for the reply check.

D.

Enable asymmetric routing at the interface level.

Question 8

Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server?

Options:

A.

172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]

B.

0.0.0.0/0 [20/0] via 10.4.200.2, port2

C.

10.4.200.0/30 is directly connected, port2

D.

172.16.32.0/24 is directly connected, port1

Question 9

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

Options:

A.

Denial of Service

B.

Web application firewall

C.

Antivirus

D.

Application control

Question 10

In an explicit proxy setup, where is the authentication method and database configured?

Options:

A.

Proxy Policy

B.

Authentication Rule

C.

Firewall Policy

D.

Authentication scheme

Question 11

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

Options:

A.

By default, FortiGate uses WINS servers to resolve names.

B.

By default, the SSL VPN portal requires the installation of a client’s certificate.

C.

By default, split tunneling is enabled.

D.

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Question 12

Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)

Options:

A.

Firewall policy

B.

Policy rule

C.

Security policy

D.

SSL inspection and authentication policy

Question 13

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Options:

A.

It limits the scanning of application traffic to the DNS protocol only.

B.

It limits the scanning of application traffic to use parent signatures only.

C.

It limits the scanning of application traffic to the browser-based technology category only.

D.

It limits the scanning of application traffic to the application category only.

Question 14

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

What CLI command must the administrator use to view the route?

Options:

A.

get router info routing-table all

B.

get internet service route list

C.

get router info routing-table database

D.

diagnose firewall proute list

Question 15

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

Options:

A.

VLAN interface

B.

Software Switch interface

C.

Aggregate interface

D.

Redundant interface

Question 16

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

Options:

A.

Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

B.

An SA never expires.

C.

A phase 1 SA is bidirectional, while a phase 2 SA is directional.

D.

Phase 2 SA expiration can be time-based, volume-based, or both.

E.

Both the phase 1 SA and phase 2 SA are bidirectional.

Question 17

View the exhibit.

A user behind the FortiGate is trying to go to (Addicting Games). Based on this configuration, which statement is true?

Options:

A.

Addicting.Games is allowed based on the Application Overrides configuration.

B.

Addicting.Games is blocked on the Filter Overrides configuration.

C.

Addicting.Games can be allowed only if the Filter Overrides action is set to Exempt.

D.

Addicting.Games is allowed based on the Categories configuration.

Question 18

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

Options:

A.

The subject field in the server certificate

B.

The serial number in the server certificate

C.

The server name indication (SNI) extension in the client hello message

D.

The subject alternative name (SAN) field in the server certificate

E.

The host field in the HTTP header

Question 19

Examine this output from a debug flow:

Why did the FortiGate drop the packet?

Options:

A.

The next-hop IP address is unreachable.

B.

It failed the RPF check.

C.

It matched an explicitly configured firewall policy with the action DENY.

D.

It matched the default implicit firewall policy.

Question 20

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Options:

A.

Subject Key Identifier value

B.

SMIME Capabilities value

C.

Subject value

D.

Subject Alternative Name value

Question 21

An administrator wants to configure Dead Peer Detection (DPD) on an IPsec VPN to detect dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

Options:

A.

Disabled

B.

On Demand

C.

Enabled

D.

On Idle

Question 22

Which of the following statements correctly describe FortiGate's route lookup behavior when searching for a suitable gateway? (Choose two.)

Options:

A.

Lookup is done on the first packet from the session originator

B.

Lookup is done on the last packet sent from the responder

C.

Lookup is done on every packet, regardless of direction

D.

Lookup is done on the first reply packet from the responder

Question 23

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

Options:

A.

Device detection on all interfaces is enforced for 30 minutes.

B.

Denied users are blocked for 30 minutes.

C.

A session for denied traffic is created.

D.

The number of logs generated by denied traffic is reduced.

Question 24

Which three methods are used by the collector agent for AD polling? (Choose three.)

Options:

A.

FortiGate polling

B.

NetAPI

C.

Novell API

D.

WMI

E.

WinSecLog
