NSE 4 Course Questions with complete solutions.

NSE 4 Course Questions with complete solutions. An Administrator has configured central DNAT and Virtual IPs. Which itme can be selected in the firewall policy destination field? -A VIP group -The mapped IP address object of the VIP object -A VIP object -An IP pool - correct answers.-The mapped IP address object of the VIP object An administrator configured the antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that test files can be downloaded using HTTPS protocol only. What is causing this issue? -The test file is larger than the oversize limit. -Hardware acceleration is in use. -Full SSL inspection is disabled. -HTTPS protocol is not enabled under Inspected Protocols. - correct answers.-Full SSL inspection is disabled. Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2. Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.) -A static route in VDOM2 for the destination subnet 10.0.1.0/24 -A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link -A static route in VDOM1 for the destination subnet 10.0.2.0/24 -A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link - correct answers.-A static route in VDOM2 for the destination subnet 10.0.1.0/24 -A static route in VDOM1 for the destination subnet 10.0.2.0/24 Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.) -Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode. -Aggressive mode supports XAuth, while main mode does not. -The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not. -Main mode cannot be used for dialup VPNs, while aggressive mode can. - correct answers.-The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not. Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.) -Multiple interfaces can be selected as incoming and outgoing interfaces. -A zone can be chosen as the outgoing interface. -Only the any interface can be chosen as an incoming interface. -An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional. - correct answers.-Multiple interfaces can be selected as incoming and outgoing interfaces. -A zone can be chosen as the outgoing interface. View Figure 1 A user at 192.168.32.15 is trying to access the web server at 172.16.32.254. Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.) -Loose RPF check will deny the traffic. -Strict RPF check will allow the traffic. -Loose RPF check will allow the traffic. -Strict RPF check will deny the traffic. - correct answers.-Strict RPF check will allow the traffic. -Loose RPF check will allow the traffic. (need to confirm this is correct) View Figure 2 Which two behaviors result from this full (deep) SSL configuration? (Choose two.) -The browser bypasses all certificate warnings and allows the connection. -A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted. -A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted. -A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted. - correct answers.-A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted. -The browser bypasses all certificate warnings and allows the connection.(need to confirm this is correct) View Figure 3