Copy and Edit

NS4

Description

Quiz on NS4, created by Carlos Garcia on 27/04/2021.
Carlos Garcia
Quiz by Carlos Garcia, updated more than 1 year ago
Carlos Garcia
Created by Carlos Garcia almost 3 years ago
268
0
1

Resource summary

Question 1

Question
Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)
Answer
  • Firewall service
  • User or user group
  • IP Pool
  • FQDN address

Question 2

Question
If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?
Answer
  • The Services field prevents SNAT and DNAT from being combined in the same policy.
  • The Services field is used when you need to bundle several VIPs into VIP groups.
  • The Services field removes the requirement to create multiple VIPs for different services.
  • The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

Question 3

Question
Which of the following statements about central NAT are true? (Choose two.)
Answer
  • IP tool references must be removed from existing firewall policies before enabling central NAT.
  • Central NAT can be enabled or disabled from the CLI only.
  • Source NAT, using central NAT, requires at least one central SNAT policy.
  • Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Question 4

Question
Examine the exhibit, which shows the partial output of an IKE real-time debug. Which of the following statement about the output is true?
Image:
Imagen (binary/octet-stream)
Answer
  • The VPN is configured to use pre-shared key authentication.
  • Extended authentication (XAuth) was successful.
  • Remote is the host name of the remote IPsec peer.
  • Phase 1 went down.

Question 5

Question
An administrator is configuring an antivirus profiles on FortiGate and notices that Proxy Options is not listed under Security Profiles on the GUI. What can cause this issue?
Answer
  • FortiGate needs to be switched to NGFW mode.
  • Proxy options section is hidden by default and needs to be enabled from the Feature Visibility menu.
  • Proxy options are no longer available starting in FortiOS 5.6.
  • FortiGate is in flow-based inspection mode.

Question 6

Question
Which of the following services can be inspected by the DLP profile? (Choose three.)
Answer
  • NFS
  • FTP
  • IMAP
  • CIFS
  • HTTP-POST

Question 7

Question
Examine the following web filtering log. Which statement about the log message is true?
Image:
Imagen (binary/octet-stream)
Answer
  • The action for the category Games is set to block.
  • The usage quota for the IP address 10.0.1.10 has expired
  • The name of the applied web filter profile is default.
  • The web site miniclip.com matches a static URL filter whose action is set to Warning.

Question 8

Question
Which of the following static routes are not maintained in the routing table?
Answer
  • Named Address routes
  • Dynamic routes
  • ISDB routes
  • Policy routes

Question 9

Question
An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is configured with a web filter and an SSL inspection profile configured for deep inspection. Which of the following are possible actions to eliminate the certificate error generated by deep inspection? (Choose two.)
Answer
  • Implement firewall authentication for all users that need access to fortinet.com.
  • Manually install the FortiGate deep inspection certificate as a trusted CA.
  • Configure fortinet.com access to bypass the IPS engine.
  • Configure an SSL-inspection exemption for fortinet.com.

Question 10

Question
If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate take?
Answer
  • It notifies the administrator by sending an email.
  • It provides a DLP block replacement page with a link to download the file.
  • It blocks all future traffic for that IP address for a configured interval.
  • It archives the data for that IP address.

Question 11

Question
An administration wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?
Answer
  • tcp_port_scan
  • ip_dst_session
  • udp_flood
  • ip_src_session

Question 12

Question
View the certificate shown to the exhibit, and then answer the following question: The CA issued this certificate to which entity?
Image:
Imagen (binary/octet-stream)
Answer
  • A root CA
  • A person
  • A bridge CA
  • A subordinate CA

Question 13

Question
What information is flushed when the chunk-size value is changed in the config dlp settings?
Answer
  • The database for DLP document fingerprinting
  • The supported file types in the DLP filters
  • The archived files and messages
  • The file name patterns in the DLP filters

Question 14

Question
View the exhibit. VDOM1 is operating in transparent mode VDOM2 is operating in NAT Route mode. There is an inteface VDOM link between both VDOMs. A client workstation with the IP address 10.0.1.10/24 is connected to port2. A web server with the IP address 10.200.1.2/24 is connected to port1. What is required in the FortiGate configuration to route and allow connections from the client workstation to the web server? (Choose two.)
Image:
Imagen (binary/octet-stream)
Answer
  • A static or dynamic route in VDOM2 with the subnet 10.0.1.0/24 as the destination.
  • A static or dynamic route in VDOM1 with the subnet 10.200.1.0/24 as the destination.
  • One firewall policy in VDOM1 with port2 as the source interface and InterVDOM0 as the destination interface.
  • One firewall policy in VDOM2 with InterVDOM1 as the source interface and port1 as the destination interface.

Question 15

Question
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
Answer
  • Log downloads from the GUI are limited to the current filter view
  • Log backups from the CLI cannot be restored to another FortiGate.
  • Log backups from the CLI can be configured to upload to FTP as a scheduled time
  • Log downloads from the GUI are stored as LZ4 compressed files.

Question 16

Question
Examine the routing database shown in the exhibit, and then answer the following question: Which of the following statements are correct? (Choose two.)
Image:
Imagen (binary/octet-stream)
Answer
  • The port3 default route has the highest distance.
  • The port3 default route has the lowest metric.
  • There will be eight routes active in the routing table.
  • The port1 and port2 default routes are active in the routing table.

Question 17

Question
Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?
Answer
  • FG-traffic VDOM
  • Root VDOM
  • Customer VDOM
  • Global VDOM

Question 18

Question
Examine the exhibit, which contains a session diagnostic output. Which of the following statements about the session diagnostic output is true?
Image:
Imagen (binary/octet-stream)
Answer
  • The session is in ESTABLISHED state.
  • The session is in LISTEN state.
  • The session is in TIME_WAIT state.
  • The session is in CLOSE_WAIT state.

Question 19

Question
Examine the network diagram shown in the exhibit, and then answer the following question: A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes will satisfy this requirement on FGT1? (Choose two.)
Image:
Imagen (binary/octet-stream)
Answer
  • 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]
  • 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]
  • 172.20.2.0/24 (1/150) via 10.10.1.2, port3 [10/0]
  • 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]

Question 20

Question
Examine this FortiGate configuration: config system global ser av-failopen pass end Examine the output of the following debug command: Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?
Image:
Imagen (binary/octet-stream)
Answer
  • It is allowed, but with no inspection
  • It is allowed and inspected as long as the inspection is flow based
  • It is dropped.
  • It is allowed and inspected, as long as the only inspection required is antivirus.

Question 21

Question
HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could resolve this problem? (Choose two.)
Answer
  • Enable Allow Invalid SSL Certificates for the relevant security profile.
  • Change web browsers to one that does not support HPKP.
  • Exempt those web sites that use HPKP from full SSL inspection.
  • Install the CA certificate (that is required to verify the web server certificate) stores of users' computers.

Question 22

Question
Examine the exhibit, which shows the output of a web filtering real time debug. Why is the site www.bing.com being blocked?
Image:
Imagen (binary/octet-stream)
Answer
  • The web site www.bing.com is categorized by FortiGuard as Malicious Websites.
  • The user has not authenticated with the FortiGate yet.
  • The web server IP address 204.79.197.200 is categorized by FortiGuard as Malicious Websites.
  • The rating for the web site www.bing.com has been locally overridden to a category that is being blocked.

Question 23

Question
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface. Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
Answer
  • The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
  • The two VLAN sub interfaces must have different VLAN IDs.
  • The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.
  • The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

Question 24

Question
Examine the network diagram and the existing FGTI routing table shown in the exhibit, and then answer the following question: An administrator has added the following static route on FGTI. DESTINATION: 172.20.1.0/244 GATEWAY: 172.11.12.1 INTERFACE: port1 ADMINISTARTIVE DISTANCE: 10 Since the change, the new static route is not showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?
Image:
Imagen (binary/octet-stream)
Answer
  • The new route's destination subnet overlaps an existing route.
  • The new route's Distance value should be higher than 10.
  • The Gateway IP address is not in the same subnet as port1.
  • The Priority is 0, which means that this route will remain inactive.

Question 25

Question
Which of the following statements about NTLM authentication are correct? (Choose two.)
Answer
  • It is useful when users log in to DCs that are not monitored by a collector agent.
  • It takes over as the primary authentication method when configured alongside FSSO.
  • Multi-domain environments require DC agents on every domain controller.
  • NTLM-enabled web browsers are required.

Question 26

Question
Examine the exhibit, which contains a virtual IP and firewall policy configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
Image:
2021 04 28 08 19 Nse4 62 Valido.Pdf (binary/octet-stream)
Answer
  • 10.200.1.10
  • Any available IP address in the WAN (port1) subnet 10.200.1.0/24
  • 10.200.1.1
  • 10.0.1.254

Question 27

Question
Which statements about antivirus scanning mode are true? (Choose two.)
Answer
  • In proxy-based inspection mode antivirus buffers the whole file for scarring before sending it to the client.
  • In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use protocol option profiles.
  • In proxy-based inspection mode, if a virus is detected, a replacement message may not be displayed immediately.
  • In quick scan mode, you can configure antivirus profiles to use any of the available signature data bases.

Question 28

Question
Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)
Answer
  • If the DHCP method fails, browsers will try the DNS method.
  • The browser needs to be preconfigured with the DHCP server's IP address.
  • The browser sends a DHCPONFORM request to the DHCP server.
  • The DHCP server provides the PAC file for download.

Question 29

Question
Which statements correctly describe transparent mode operation? (Choose three.)
Answer
  • All interfaces of the transparent mode FortiGate device must be on different IP subnets.
  • Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
  • The transparent FortiGate is visible to network hosts in an IP traceroute.
  • It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
  • FortiGate acts as transparent bridge and forwards traffic at Layer 2.

Question 30

Question
A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?
Answer
  • Implement a web filter category override for the specified website.
  • Implement web filter authentication for the specified website
  • Implement web filter quotas for the specified website.
  • Implement DNS filter for the specified website.

Question 31

Question
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below. An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic. What is a possible reason for this?
Image:
2021 04 28 08 24 Nse4 62 Valido.Pdf (binary/octet-stream)
Answer
  • The IPS filter is missing the Protocol: HTTPS option.
  • The HTTPS signatures have not been added to the sensor.
  • A DoS policy should be used, instead of an IPS sensor.
  • A DoS policy used, instead of an IPS sensor.
  • The firewall policy is not using a full SSL inspection profile.

Question 32

Question
View the exhibit. Why is the administrator getting the error shown in the exhibit?
Image:
Imagen (binary/octet-stream)
Answer
  • The administrator must first enter the command edit global.
  • The administrator admin does not have the privileges required to configure global settings.
  • The global settings cannot be configured from the root VDOM context.
  • The command config system global does not exist in FortiGate.

Question 33

Question
View the exhibit. Based on this output, which statements are correct? (Choose two.)
Image:
Imagen (binary/octet-stream)
Answer
  • The all VDOM is not synchronized between the primary and secondary FortiGate devices.
  • The root VDOM is not synchronized between the primary and secondary FortiGate devices.
  • The global configuration is synchronized between the primary and secondary FortiGate devices.
  • The FortiGate devices have three VDOMs.

Question 34

Question
A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups. What is required in the SSL VPN configuration to meet these requirements?
Answer
  • Different SSL VPN realms for each group.
  • Two separate SSL VPNs in different interfaces mapping the same ssl.root.
  • Two firewall policies with different captive portals.
  • Different virtual SSL VPN IP addresses for each group.

Question 35

Question
View the exhibit. Which of the following statements are correct? (Choose two.)
Image:
Imagen (binary/octet-stream)
Answer
  • This setup requires at least two firewall policies with the action set to IPsec.
  • Dead peer detection must be disabled to support this type of IPsec setup.
  • The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
  • This is a redundant IPsec setup.

Question 36

Question
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
Answer
  • Traffic to botnetservers
  • Traffic to inappropriate web sites
  • Server information disclosure attacks
  • Credit card data leaks
  • SQL injection attacks

Question 37

Question
An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?
Answer
  • A VIP group
  • The mapped IP address object of the VIP object
  • A VIP object
  • An IP pool

Question 38

Question
Examine this output from a debug flow: Why did the FortiGate drop the packet?
Image:
Imagen (binary/octet-stream)
Answer
  • The next-hop IP address is unreachable.
  • It failed the RPF check.
  • It matched an explicitly configured firewall policy with the action DENY.
  • It matched the default implicit firewall policy.

Question 39

Question
View the exhibit. What does this raw log indicate? (Choose two.)
Image:
2021 04 28 08 44 Nse4 Fgt 6.2+V12.75 Valid (binary/octet-stream)
Answer
  • FortiGate blocked the traffic.
  • type indicates that a security event was recorded.
  • 10.0.1.20 is the IP address for lavito.tk.
  • policyid indicates that traffic went through the IPS firewall policy.

Question 40

Question
View the exhibit. Which of the following statements is true regarding the configuration settings?
Image:
Imagen (binary/octet-stream)
Answer
  • When a remote user accesses https://11.200.1.1:443, the FortiGate login page appears.
  • When a remote user accesses https://10.200.1.1:443, the FortiGate login page appears.
  • When a remote user accesses http: //10.200.1.1 :443, the FortiGate login page appears.
  • When a remote user accesses http: /110.200.1.1:443, the SSL VPN login page appears.
  • The settings are invalid. The administrator settings and the SSL VPN settings cannot use the same port.

Question 41

Question
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
Answer
  • Subject Key Identifier value
  • SMMIE Capabilities value
  • Subject value
  • Subject Alternative Name value

Question 42

Question
To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?
Answer
  • FortiManager
  • Root FortiGate
  • FortiAnalyzer
  • Downstream FortiGate

Question 43

Question
Which statements best describe auto discovery VPN (ADVPN). (Choose two.)
Answer
  • It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
  • ADVPN is only supported with IKEv2.
  • Tunnels are negotiated dynamically between spokes.
  • Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question 44

Question
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
Answer
  • The public key of the web server certificate must be installed on the browser.
  • The web-server certificate must be installed on the browser.
  • The CA certificate that signed the web-server certificate must be installed on the browser.
  • The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Question 45

Question
View the exhibit. Based on the configuration shown in the exhibit, what statements about application control behavior are true?
Image:
Imagen (binary/octet-stream)
Answer
  • Access to all unknown applications will be allowed.
  • Access to browser-based Social.Media applications will be blocked.
  • Access to mobile social media applications will be blocked.
  • Access to all applications in Social.Media category will be blocked.

Question 46

Question
An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark Port Forward. What step is required for this configuration?
Answer
  • Configure an SSL VPN realm for clients to use the port forward bookmark.
  • Configure the client application to forward IP traffic through FortiClient.
  • Configure the virtual IP address to be assigned t the SSL VPN users.
  • Configure the client application to forward IP traffic to a Java applet proxy.

Question 47

Question
A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true?
Answer
  • It can create administrator accounts with access to the same VDOM.
  • It cannot have access to more than one VDOM.
  • It can reset the password for the admin account.
  • It can upgrade the firmware on the FortiGate device.

Question 48

Question
When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?
Answer
  • Connected monitored ports > HA uptime > priority > serial number
  • Priority > Connected monitored ports > HA uptime > serial number
  • Connected monitored ports > priority > HA uptime > serial number
  • HA uptime > priority > Connected monitored ports > serial number

Question 49

Question
Which Statements about virtual domains (VDOMs) arc true? (Choose two.)
Answer
  • Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.
  • Each VDOM can be configured with different system hostnames.
  • Different VLAN sub-interface of the same physical interface can be assigned to different VDOMs.
  • Each VDOM has its own routing table.

Question 50

Question
Which of the following conditions are required for establishing an IPSec VPN between two FortiGate devices? (Choose two.)
Answer
  • If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer.
  • If the VPN is configured as route-based, there must be at least one firewall policy with the action set to IPSec.
  • If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or Dynamic DNS in the other peer.
  • If the VPN is configured as a policy-based in one peer, it must also be configured as policy-based in the other peer.
Show full summary Hide full summary

Want to create your own Quizzes for free with GoConqr? Learn more.

Similar

General Knowledge Quiz
Andrea Leyden
Basic Physics Concepts
Andrea Leyden
Statistics Key Words
Culan O'Meara
GCSE CHEMISTRY UNIT 2 STRUCTURE AND BONDING
ktmoo.poppypoo
The Digestive system
Elena Cade
Health and Social Care Flashcards
Kelsey Phillips
An Timpeallacht (Foclóir)
Sarah Egan
French Revolution quiz
Sarah Egan
Biology - B2 - AQA - GCSE - Exam Style Questions
Josh Anderson
regular preterite tense conjugation -ar verbs
Pamela Dentler
CST Module 6a
Jane Foltz
Browse Library