FORTINET NSE4 EXAM QUESTIONS WITH WELL
VERIFIED ANSWERS
Which two statements are true about IPsec VPNs and SSL VPNs? (Choose two.)
A. SSL VPN creates an HTTPS connection. IPsec does not.
B. Both SSL VPNs and IPsec VPNs are standard protocols.
C. Either an SSL VPN or an IPsec VPN can be established between two FortiGate devices.
D. Either an SSL VPN or an IPsec VPN can be established between an end-user
workstation and a FortiGate device. - ✔✔Answer:
A. SSL VPN creates an HTTPS connection. IPsec does not.
D. Either an SSL VPN or an IPsec VPN can be established between an end-user
workstation and a FortiGate device.
When browsing to an internal web server using a web-mode SSL VPN bookmark, which
IP address is used as the source of the HTTP request?
A. The remote user's virtual IP address.
B. The FortiGate unit's internal IP address.
C. The remote user's public IP address.
D. The FortiGate unit's external IP address. - ✔✔Answer:
B. The FortiGate unit's internal IP address.
Regarding the use of web-only mode SSL VPN, which statement is correct?
A. It supports SSL version 3 only.
B. It requires a Fortinet-supplied plug-in on the web client.
C. It requires the user to have a web browser that supports 64-bit cipher length.
D. The JAVA run-time environment must be installed on the client. - ✔✔Answer:
C. It requires the user to have a web browser that supports 64-bit cipher length.
An administrator wants to create an IPsec VPN tunnel between two FortiGate devices.
Which three configuration steps must be performed on both units to support this
scenario? (Choose three.)
A. Create firewall policies to allow and control traffic between the source and
destination IP addresses.
B. Configure the appropriate user groups to allow users access to the tunnel.
C. Set the operating mode to IPsec VPN mode.
D. Define the phase 2 parameters.
E. Define the Phase 1 parameters. - ✔✔Answer:
A. Create firewall policies to allow and control traffic between the source and
destination IP addresses.
D. Define the phase 2 parameters.
E. Define the Phase 1 parameters.
You are the administrator in charge of a FortiGate acting as an IPsec VPN gateway using
route-based mode. Users from either side must be able to initiate new sessions. There is
only 1 subnet at either end and the FortiGate already has a default route.
Which two configuration steps are required to achieve these objectives? (Choose two.)
A. Create one firewall policy.
B. Create two firewall policies.
C. Add a route to the remote subnet.
D. Add two IPsec phases 2. - ✔✔Answer:
B. Create two firewall policies.
C. Add a route to the remote subnet.
An administrator has configured a route-based site-to-site IPsec VPN. Which statement
is correct regarding this IPsec VPN configuration?
A. The IPsec firewall policies must be placed at the top of the list.
B. This VPN cannot be used as part of a hub and spoke topology.
C. Routes are automatically created based on the quick mode selectors.
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is
completed. - ✔✔Answer:
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is
completed.
What is IPsec Perfect Forward Secrecy (PFS)?
A. A phase-1 setting that allows the use of symmetric encryption.
B. A phase-2 setting that allows the recalculation of a new common secret key each time
the session key expires.
C. A 'key-agreement' protocol.
D. A 'security-association-agreement' protocol. - ✔✔Answer:
B. A phase-2 setting that allows the recalculation of a new common secret key each time
the session key expires.
Which IPsec configuration mode can be used for implementing GRE-over-IPsec VPNs?
A. Policy-based only.
B. Route-based only.
C. Either policy-based or route-based VPN.
D. GRE-based only. - ✔✔Answer:
B. Route-based only.
Which antivirus and attack definition update options are supported by FortiGate units?
(Choose two.)
A. Manual update by downloading the signatures from the support site.
B. Pull updates from the FortiGate.
C. Push updates from a FortiAnalyzer.
D. execute fortiguard-AV-AS command from the CLI. - ✔✔Answer: