NSE4 ITExams
NAT port exhaustion will have a clash value greater than ____________.
0
In FortiOS session table output, what is the correct proto_state number for an established, non-proxied TCP connection?
01
What are the required FSSO ports?
139 workstation verification 445 workstation verification and event log polling 389 LDAP 445 636 LDAPS
A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used at the same time for all traffic destined for 172.20.2.0/24. What two static routes need to be configured on the firewall?
172.20.2.0/24 (1/150) via 10.10.1.2, port1 [10/0] 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]
What is the minimum bandwidth required between a FortiGate and domain controllers?
64 Kbps
By default, when logging to disk, when does FortiGate delete logs?
7 days
An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?
A VIP object
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
A root CA
An administrator has configured a route-based site-to-site IPsec VPN. What is automatically configured regarding this IPsec VPN configuration?
A virtual IPsec interface is automatically created after the Phase 1 configuration is completed
An administrator is running the following sniffer command:diagnose sniffer packet any "host 10.0.2.10" What information will be included in the sniffer output? (Choose three.) A. IP header B. Ethernet header C. Packet payload D. Application header E. Interface name
A. IP header B. Ethernet header C. Packet payload
Which of the following FortiGate configuration tasks will create a route in the policy route table? (Choose two.) A. Static route created with a Named Address object B. Static route created with an Internet Services object C. SD-WAN route created for individual member interfaces D. SD-WAN rule created to route traffic based on link latency
A. Static route created with a Named Address object D. SD-WAN rule created to route traffic based on link latency
One-to-One IP pool allows the configuration of what?
ARP replies
When configuring the root FortiGate to communicate with a downstream FortiGate, which two settings are required to be configured?
Administrative Access: FortiTelementary IP/Network Mask
What files are sent to FortiSandbox for inspection in flow-based inspection mode?
All suspicious files that match patterns defined in the antivirus profile.
What actions are possible with Application Control?
Allow Block Monitor Quarantine
What actions can be applied to each filter in the application control profile?
Allow Monitor Block Quarantine
What are two statements regarding SSL VPN timers?
Allow to mitigate DoS attacks from partial HTTP requests. Prevent SSL VPN users from being logged out because of high network latency.
A FortiGate devices is configured with four VDOMs: 'root' and 'vdom1' are in NAT/route mode; 'vdom2' and 'vdom3' are in transparent mode. The management VDOM is 'root'. What two inter-vdom links can be created?
An inter-VDOM link between root and vdom 1 can be created an inter-VDOM link between vdom 1 and vdom 2 can be created
Where are Antivirus Signatures stored?
Antivirus Signatures are downloaded locally on FortiGate
An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best practices to do so? (Choose three.) A. Configure split tunneling for content inspection. B. Configure host restrictions by IP or MAC address. C. Configure two-factor authentication using security certificates. D. Configure SSL offloading to a content processor (FortiASIC). E. Configure a client integrity check (host-check).
B. Configure host restrictions by IP or MAC address. C. Configure two-factor authentication using security certificates. E. Configure a client integrity check (host-check).
An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is configured with a web filter and an SSL inspection profile configured for deep inspection. Which of the following are possible actions to eliminate the certificate error generated by deep inspection? (Choose two.) A. Implement firewall authentication for all users that need access to fortinet.com. B. Manually install the FortiGate deep inspection certificate as a trusted CA. C. Configure fortinet.com access to bypass the IPS engine. D. Configure an SSL-inspection exemption for fortinet.com.
B. Manually install the FortiGate deep inspection certificate as a trusted CA. D. Configure an SSL-inspection exemption for fortinet.com.
When using WPAD with the DHCP discovery method, what happens if the DHCP method fails?
Browsers will try the DNS method.
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA? A. The public key of the web server certificate must be installed on the browser. B. The web-server certificate must be installed on the browser. C. The CA certificate that signed the web-server certificate must be installed on the browser. D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.
C. The CA certificate that signed the web-server certificate must be installed on the browser.
Central NAT can be enabled or disabled from where?
CLI only
What are 3 FortiGate components are tested during the hardware test?
CPU Hard Disk Network Interfaces
What are two authentication methods can PKI users be used for?
Can be used for token-based authentication can be used for two-factor authentication
HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What are two solutions that could resolve this problem?
Change web browsers to one that does not support HPKP. Exempt those web sites that use HPKP from full SSL inspection.
When HA override is enabled, what is the selection criteria?
Connected monitored ports Priority HA uptime Serial Number
Which of the following features is supported by web filter in flow-based inspection mode with NGFW mode set to profile-based? A. FortiGuard Quotas B. Static URL C. Search engines D. Rating option
D. Rating option
What are the WPAD discovery methods?
DHCP query DNS query
What type of filter profile can redirect blocked requests to a specific portal?
DNS filter profiles
What is used to age out entries with an unverified status?
Dead Entry Timer
A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups. What is required in the SSL VPN configuration to meet these requirements?
Different SSL VPN realms for each group
A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.What is required in the SSL VPN configuration to meet these requirements?
Different SSL VPN realms for each group.
One purposes of NAT traversal in IPSec is to encapsulate ____________ packets in ___________ packets using port ________________.
ESP UDP 4500
What two settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy called Full Access?
Enable a web filter security profile on the Full Access firewall policy. Enable 'Log Allowed Traffic' on the Full Access firewall policy.
What services can be inspected by the DLP profile?
FTP IMAP HTTP-POST
In what inspection mode can the CLI be used to configure antivirus profiles to use protocol option profiles?
Flow based
An administrator is configuring an antivirus profile on a FortiGate and notices that Proxy Options is not listed under Security Profiles on the GUI. What can cause this issue?
FortiGate is in flow-based inspection mode
How does FortiGate verify the login credentials of a remote LDAP user?
FortiGate sends the user-entered credentials to the LDAP server for authentication.
Log downloads from the _____ are limited to __________________________.
GUI the current filter view
You have tasked to design a new IPsec deployment with the following criteria:There are two HQ sites that all satellite offices must connect to. The satellite offices do not need to communicate directly with other satellite offices. No dynamic routing will be used. The design should minimize the number of tunnels being configured. Which topology should be used to satisfy all of the requirements?
Hub-and-spoke
What information is included in the output of the following command: diagnose sniffer packet any "host 10.0.2.10" 3
IP Header Packet Payload Ethernet Headers
Before enabling central NAT, what must be removed from existing firewall policies?
IP pool reference.
A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. What configuration option is the most effective option to support this request?
Implement a web filter category override for the specified website.
A team manager has decided that while some members of the team need access to particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?
Implement a web filter category override for the specified website.
If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate take?
It blocks all future traffic for that IP address for a configured interval.
If traffic matches a DLP filter with the option set to Quarantine IP Address, what action does the FortiGate take?
It blocks all future traffic for that IP address for a configured interval.
What statements about a One-to-One IP pool are true?
It does not use port address translations. It allows the configuration of ARP replies.
When using SD-WAN, how do you configure the next-hop gateway address for a member interface so that FortiGate can forward Internet traffic?
It must be configured in a static route using the sdwan virtual interface.
Policy-based IPSec tunnels support_________________-over-IPSec
L2TP
What two modes can policy-based IPSec tunnels be configured?
NAT/Route Transparent
What authentication is useful for users that log in to DC's that are not monitored by a collector agent?
NTLM authentication
What is required for NTLM authentication?
NTLM-enabled web browsers
Examine this FortiGate configuration: config system global set av-failopen end Examine the output of the following debug command: #diagnose hardware sysinfo conserve memory conserve mode: on total RAM: 3040 MB memory used: 2948 MB 97% of total RAM memory freeable: 92 MB 3% of total RAM memory used + freeable threshold extreme: 2887 MB 97% of total RAM memory used threshold red: 2675 MB 88% of total RAM memory used threshold green: 2492 MB 82% of total RAM Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?
New sessions that require inspection are dropped.
Is Database Auditing a FortiGate feature?
No
Which of the following settings can be configured per VDOM? (Choose three)
Operating mode static routes firewall policies
One-to-One IP pool does not use what?
Port Address Translation
What are two route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing?
Priority Distance
In what inspection mode does the antivirus scan buffer the entire file before sending it to the client?
Proxy-based
Which user group types does FortiGate support for firewall authentication? (Choose three.)
RSSO Firewall FSSO
On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager?
Real time store and upload
On a FortiGate with a hard disk, what are two ways you can upload logs to a FortiAnalyzer or FortiManager?
Real time store-and-upload
An administrator has configured the following settings: config system settings set sess-denied-traffic enable end config system global set block-session-timer 30 end what does the configuration do?
Reduces the amount of logs generated by denied traffic. Creates a session for traffic being denied.
What are the two routing lookups performed by a FortiGate when searching for a suitable gateway?
Search for the first packet sent by the originator. Search for the first reply packet coming from the responder.
What are two features supported by the web filter in flow-based inspection mode with NGFW mode set to profile-based?
Static URL Rating option
What are two ways to create a route in the policy route table?
Static route created with a Named Address object SD-WAN rule created to route traffic based on link latency
What condition must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
The CA certificate that signed the web-server certificate must be installed on the browser.
What best describes the mechanism of a TCP SYN flood?
The attacker starts many connections, but never acknowledges to fully form them.
When using WPAD with the DHCP discovery method, what does the browser send?
The browser sends a DHCPINFORM request to the server.
Examine the following log message attributes and select two correct statements from the list below. (Choose two.) hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"
The category action was set to warning the website was allowed
What information is flushed when the chunk-size value is changed in the config dlp settings?
The database for DLP document fingerprinting
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (list three.)
The interface has been configured for one-arm sniffer the interface is a member of a virtual wire pair The operation mode is transparent
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
The internal IP address of the FortiGate device
What does proto_state=01 indicate?
The session is established
In an IKE real-time debug, what does the following message indicate: ike 0:Remote:8: PSK authentication succeeded
The vpn is configured to use pre-shared key authentication
A FortiGate device has multiple VDOMs, an admin account configured with the default prof_admin profile can reset the password for the admin account (True/False)
True
Log backups from the CLI can be configured to upload to FTP at a scheduled time. (True/False)
True
Log backups from the CLI cannot be restored to another FortiGate. (True/False)
True
The FSSO dead entry timeout interval is used to age out entries with an unverified status. (True/False)
True
Captive Portal has User Access set to 'Allow All', what users and groups are allowed access?
Users and groups defined in the firewall policy.
Which statement is in advantage of using a hub and spoke IPsec VPN configuration instead of a fully-meshed set of IPsec tunnels?
Using a hub and spoke topology requires fewer tunnels
_______ polling can increase bandwidth usage in large networks.
WMI
_______ provides the URL where the PAC file can be downloaded from.
WPAD
When does a FortiGate load-share traffic between two static routes to the same destination subnet?
When they have the same distance and same priority
When using WMI polling mode for FSSO collector agent, the collector agent uses a _______________ to query DCs for user logins.
Windows API
What is a correct description of a hash result as it relates to digital certificates?
a unique value used to verify the input data
which IPSec mode includes the peer id information in the first packet?
aggressive mode
What security profile does not change when enabling policy-based inspection?
antivirus
In quick scan mode, you can configure antivirus profiles to use___________________________.
any of the available signature data bases.
An administrator creates a Proxy Address and wants to block HTTP updloads. Where will the proxy address be used?
as the source in a proxy policy
Log backups from the CLI cannot ____________________________________________.
be restored to another FortiGate.
DNS filter profiles can block DNS requests to known _____________________.
botnet command and control servers
What is the DNS discovery method for WPAD?
browsers resolve the name wpad.<local.domain> to get the IP address of the server hosting the PAC file.
What is the DHCP discovery method for WPAD?
browsers send a DHCPINFORM query to the DHCP server to get the URL.
In transparent mode, Ethernet packets are forwarded based on _________________________.
destination MAC address
Which of the following email spam filtering features is NOT supported on a FortiGate unit?
greylisting
What attributes are always included in a log header? (Choose three.)
level time subtype
Virtual clustering cn be configured between two Fortigate devices that have ______________________________.
multiple vdoms
What administrator profile is used to configure a per-VDOM administrator account?
prof_admin
In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use _______________________________.
protocol option profiles
Sessions handled by ____________________________ security profiles cannot be synchronized.
proxy-based security profiles.
The _________ VDOM is the management VDOM by default.
root
Each VDOM maintains its own ____________________________.
routing table
During the digital verification process, comparing the original and fresh hash results satisfies which security requirement?
signature verification
DNS filter profile can redirect blocked requests to a ___________________
specific portal
When browsing to an internal webserver using a web-mode SSL VPN bookmark, what IP address is used as the source of the HTTP request?
the internal IP address of the FortiGate device.
Transparent mode permits inline traffic inspection and firewalling without changing ___________________________________________________
the ip scheme of the network
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
the two VLAN sub interfaces must have different VLAN IDs
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?
to allow for out-of-order packets that could arrive after the FIN/ACK packets
When a firewall is in transparent mode operation, the Fortigate acts a __________________ bridge and forwards traffic at ______________.
transparent Layer 2
IPS signature update requests are sent to________________________.
update.fortiguard.net on TCP 443
An administrator has configured a dialup IPsec VPN with XAuth. What must dialup clients provide for authentication?
username and password
When using WPAD DNS method, which FQDN format do browsers use to query the DNS server?
wpad.<local-domain>