NSE 4 6.2 Set 1

What FortiGate configuration is required to actively prompt users for credentials?

You must enable one or more protocols that support active authentication on a firewall policy.

one-to-one IP pool

allows ARP replies

proxy-based inspection mode

antivirus buffers the whole file for scarring before sending it to the client.

FSSO collector agent timers

dead entry timeout interval is used to age out entries with an unverified status.

root VDOM

is the management VDOM by default

VDOMs

maintain there own routing table

An administration wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?

tcp_port_scan

When using WPAD DNS method, which FQDN format do browsers use to query the DNS server?

wpad.<local-domain>

flow-based inspection mode

you can use the CLI to configure antivirus profiles to use protocol option profiles.

Which of the following statements describe WMI polling mode for the FSSO collector agent?

- The collector agent uses a Windows API to query DCs for user logins. - The collector agent do not need to search any security event logs.

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that?

- The interface has been configured for one-arm sniffer. - The interface is a member of a virtual wire pair. - The operation mode is transparent.

Which of the following statements about policy-based IPsec tunnels are true?

- They can be configured in both NAT/Route and transparent operation modes. - They support L2TP-over-IPsec.

Which statements about DNS filter profiles are true?

- They can redirect blocked requests to a specific portal. - They can block DNS requests to known botnet command and control servers

Which of the following are purposes of NAT traversal in IPsec?

- To delete intermediary NAT devices in the tunnel path. - To encapsulation ESP packets in UDP packets using port 4500.

active-active HA cluster

- Uninterruptable upgrade is enabled by default. - Traffic load balancing is temporally disabled while upgrading the firmware.

Which of the following SD-WAN load -balancing method use interface weight value to distribute traffic?

- Volume - Session

firewall policy authentication timeout

- idle timeout. - The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

SSL-VPN timers

- mitigates DoS attacks from partial HTTP requests - Prevent SSL VPN users from being logged out because of high network latency.

On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager?

- real time - store-and-upload

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode?

- warning - allow

HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could resolve this problem?

-Change web browsers to one that does not support HPKP -Exempt those web sites that use HPKP from full SSL inspection

Which Statements about virtual domains (VDOMs) arc true?

-Different VLAN sub-interface of the same physical interface can be assigned to different VDOMs -Each VDOM has its own routing table.

Which of the following statements about central NAT are true?

-IP tool references must be removed from existing firewall policies before enabling central NAT. -Central NAT can be enabled or disabled from the CLI only.

Which of the following conditions are required for establishing an IPSec VPN between two FortiGate devices?

-If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer. -If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or Dynamic DNS in the other peer.

Which of the following statements are true when using WPAD with the DHCP discovery method?

-If the DHCP method fails, browsers will try the DNS method -The browser sends a DHCPONFORM request to the DHCP server

An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is configured with a web filter and an SSL inspection profile configured for deep inspection.

-Implement firewall authentication for all users that need access to fortinet.com. -Configure an SSL-inspection exemption for fortinet.com.

Which of the following statements about NTLM authentication are correct?

-It is useful when users log in to DCs that are not monitored by a collector agent -NTLM-enabled web browsers are required.

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that?

-The operation mode is transparent -The interface has been configured for one-arm sniffer. -The interface is a member of a virtual wire pair.

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled?

-This is known as many-to-one NAT. -Source IP is translated to the outgoing interface IP.

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile?

-Traffic to Botnet servers -Server information disclosure attacks -SQL injection attacks

flow based inspection modes

-full scan -quick scan

NGFW mode allows policy-based configuration for most inspection rules. Which security profile's configuration does not change when you enable policy-based inspection?

Antivirus

Which statement about FortiGuard services for FortiGate is true?

Antivirus signatures are downloaded locally on FortiGate.

An administrator wants to block HTTP uploads. Examine the exhibit, which contains the proxy address created for that purpose. Where must the proxy address be used?

As the source in a proxy policy.

Which is a requirement for creating an inter-VDOM link between two VDOMs

At least one of the VDOMs must operate in NAT mode.

A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5 interface.

Both interfaces must belong to the same forward domain.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?

Captures the logon events and forwards them to the collector agent.

In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?

Client> primary FortiGate> secondary FortiGate> web server.

How can you block or allow to Twitter using a firewall policy?

Configure the Destination field as Internet Service objects for Twitter.

An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark Port Forward. What step is required for this configuration?

Configure the client application to forward IP traffic to a Java applet proxy.

When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?

Connected monitored ports > priority > HA uptime > serial number

An administrator has configured a dialup IPsec VPN with XAuth. Which statement best describes what occurs during this scenario?

Dialup clients must provide a username and password for authentication.

company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups. What is required in the SSL VPN configuration to meet these requirements?

Different SSL VPN realms for each group.

one-to-one IP pool

Does not use NAT

transparent mode operation

Ethernet packets are forwarded based on destination MAC addresses, not IP addresses

Which configuration objects can be selected for the Source field of a firewall policy?

FQDN user or user group

Which of the following services can be inspected by the DLP profile?

FTP IMAP HTTP-POST

transparent mode operation

FortiGate acts as transparent bridge and forwards traffic at Layer 2

An administrator is configuring an antivirus profiles on FortiGate and notices that Proxy Options is not listed under Security Profiles on the GUI. What can cause this issue?

FortiGate is in flow-based inspection mode.

A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?

Implement a web filter category override for the specified website.

Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple dialup tunnels?

In aggressive mode, the remote peers are able to provide their peer IDs in the first message.

If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate take?

It blocks all future traffic for that IP address for a configured interval.

Which statement about DLP on FortiGate is true?

It can archive files and messages.

A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true?

It cannot have access to more than one VDOM.

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scope of application control to scan application traffic based on application category only.

When using SD-WAN, how do you configure the next-hop gateway address for a member interface so that FortiGate can forward Internet traffic?

It must be provided in the SD-WAN member interface configuration.

transparent mode operation

It permits inline traffic inspection and firewalling without changing the IP scheme of the network

auto discovery VPN (ADVPN).

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

How does FortiGate select the central SNAT policy that is applied to a TCP session?

It selects the SNAT policy specified in the configuration of the outgoing interface.

The FSSO Collector Agent set to advanced access mode for the Windows Active Directory uses which of the following?

LDAP convention

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true?

Log downloads from the GUI are limited to the current filter view

clash=anything above 0

NAT port exhaustion

Which of the following static routes are not maintained in the routing table?

Policy routes

An administrator wants to configure a FortiGate as a DNS server. FotiGate must use a DNS database first, and then relay all irresolvable queries to an external DNS server. Which of the following DNS methods must you use?

Recursive

policy ID number

Required to modify a firewall policy using the CLI.

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

Root FortiGate

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

Root VDOM

How do you format the FortiGate flash disk?

Select the format boot device option from the BIOS menu.

During the digital verification process, comparing the original and fresh hash results satisfies which security requirement?

Signature verification

Which of the following features is supported by web filter in flow-based inspection mode with NGFW mode set to profile-based?

Static URL

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

Subject value

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

The CA certificate that signed the web-server certificate must be installed on the browser.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

The Services field removes the requirement to create multiple VIPs for different services.

What happens to traffic that requires authorization, but does not match any authentication rule?

The active and passive SSO schemes to use for those cases is defined under config authentication setting

What information is flushed when the chunk-size value is changed in the config dlp settings?

The database for DLP document fingerprinting

When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

The internal IP address of the FortiGate device.

An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?

The mapped IP address object of the VIP object

set-auth-on-demand implicitly What will happen to unauthenticated users when an active authentication policy is followed by a fall through policy without authentication?

The user must log in again to authenticate.

Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

To allow for out-of-order packets that could arrive after the FIN/ACK packets.

When configuring the root FortiGate to communicate with a downstream FortiGate, which settings are required to be configured?

- Administrative Access: FortiTelemetry - IP/Network Mask.

What FortiGate components are tested during the hardware test?

- CPU - Hard disk - Network interfaces

An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best practices to do so?

- Configure host restrictions by IP or MAC address. - Configure two-factor authentication using security certificates. - Configure a client integrity check (host-check).

What settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy called Full Access?

- Enable a web filter security profile on the Full Access firewall policy. - Enable Log Allowed Traffic on the Full Access firewall policy.

An administrator is running the following sniffer command: diagnose sniffer packet any "host 10.0.2.10" 3 What information will be included in the sniffer output?

- IP header - Ethernet header - Packet payload

Which of the following statements are best practices for troubleshooting FSSO?

- Include the group of guest users in a policy. - Ensure all firewalls allow the FSSO required ports.

Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway?

- Lookup is done on the first packet from the session originator - Lookup is done on the trust reply packet from the responder

Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing?

- Priority - Distance

What criteria does FortiGate use to look for a matching firewall policy to process traffic?

- Services defined in the firewall policy - Incoming and outgoing interfaces

Which statements about HA for FortiGate devices are true?

- Sessions handled by proxy-based security profiles cannot be synchronized. - Virtual clustering can be configured between two FortiGate devices that have multiple VDOMs.

An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

192.168.2.0/24

By default, when logging to disk, when does FortiGate delete logs?

7 days

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

A subordinate CA

Which is the correct description of a hash result as it relates to digital certificates?

A unique value used to verify the input data

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

A virtual IPsec interface is automatically created after the phase 1 configuration is completed

IP authentication header (AH) used by IPsec

AH provides data integrity but no encryption

What files are sent to FortiSandbox for inspection in flow-based inspection mode?

All suspicious files that match patterns defined in the antivirus profile.

Which action can be applied to each filter in the application control profile?

Allow, monitor, block, and quarantine

auto discovery VPN (ADVPN).

Tunnels are negotiated dynamically between spokes.