NSE4 PRACTICE EXAM | QUESTIONS AND WELL VERIFIED ANSWERS | ACTUAL EXAM 100%
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
A. The subject field in the server certificate
B. The serial number in the server certificate
C. The server name indication (SNI) extension in the client hello message
D. The subject alternative name (SAN) field in the server certificate
E. The host field in the HTTP header - ✔✔Answer: ACD
Explanation:
Reference: https://checkthefirewall.com/blogs/fortinet/ssl-inspection
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
A. diagnose sys top
B. execute ping
C. execute traceroute
D. diagnose sniffer packet any
E. get system arp - ✔✔Answer: BCD
Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)
A. Set the maximum session TTL value for the TELNET service object.
B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
C. Create a n - ✔✔Answer: CD
NGFW mode allows policy-based configuration for most inspection rules.
Which security profile's configuration does not change when you enable policy-based inspection?
A. Web filtering
B. Antivirus
C. Web proxy
D. Application control - ✔✔Answer: B
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
A. Log downloads from the GUI are limited to the current filter view
B. Log backups from the CLI cannot be restored to another FortiGate.
C. Log backups from the CLI can be configured to upload to FTP at a scheduled time
D. Log downloads from the GUI are stored as LZ4 compressed files. - ✔✔Answer: A,B
Which two statements are true about the FGCP protocol? (Choose two.)
A. Not used when FortiGate is in Transparent mode
B. Elects the primary FortiGate device
C. Runs only over the heartbeat links
D. Is used to discover FortiGate devices in different HA groups - ✔✔Answer: BC
An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?
A. VLAN interface
B. Software Switch interface
C. Aggregate interface
D. Redundant interface - ✔✔Answer: C
Explanation:
Reference: https://forum.fortinet.com/tm.aspx?m=120324
12. Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?
A. diagnose wad session list
B. diagnose wad session list | grep hook-pre&&hook-out
C. diagnose wad session list | grep hook=pre&&hook=out
D. diagnose wad session list | grep "hook=pre"&"hook=out" - ✔✔Answer: D
13. What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
A. Traffic to botnet servers
B. Traffic to inappropriate web sites
C. Server information disclosure attacks
D. Credit card data leaks
E. SQL injection attacks - ✔✔Answer: CDE
14. If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?
A. IP address
B. Once Internet Service is selected, no other object can be added
C. User or User Group
D. FQDN address - ✔✔Answer: C
17. Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)
A. SSH
B. HTTPS