NSE4_FGT-7.2- UPDATED ACTUAL Exam
Questions and CORRECT Answers
What is the limitation of using a URL list and application control on the same firewall policy, in
NGFW policy-based mode?
A. It limits the scanning of application traffic to the browser-based technology category only.
B. It limits the scanning of application traffic to the DNS protocol only.
C. It limits the scanning of application traffic to use parent signatures only.
D. It limits the scanning of application traffic to the application category only. - CORRECT
ANSWER -A
Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in
the exhibit.
Which policy will be highlighted, based on the input criteria?
A. Policy with ID 4.
B. Policy with ID 5.
C. Policies with ID 2 and 3.
D. Policy with ID 4. - CORRECT ANSWER -B
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN)
subinterfaces added to the same physical interface.In this scenario, what are two requirements for
the VLAN ID? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in
the same subnet.
,B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different
VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in
different subnets. - CORRECT ANSWER - B,C
An administrator has configured a strict RPF check on FortiGate.How does strict RPF check
work?
A. Strict RPF allows packets back to sources with all active routes.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using
the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session. - CORRECT
ANSWER -B
An administrator has configured the following settings:config system settingsset ses-denied-
traffic enableendconfig system globalset block-session-timer 30endWhat are the two results of
this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 minutes.
B. Denied users are blocked for 30 minutes.
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created. - CORRECT ANSWER - C,D
Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit
B) for Facebook.
Users are given access to the Facebook web application.
They can play video content hosted onFacebook, but they are unable to leave reactions on videos
or other types of posts.
,Which part of the policy configuration must you change to resolve the issue?
A. Force access to Facebook using the HTTP service.
B. Make the SSL inspection a deep content inspection.
C. Add Facebook in the URL category in the security policy.
D. Get the additional application signatures required to add to the security policy. - CORRECT
ANSWER -B
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the
security fabric. After synchronization, this object is not available on the downstream FortiGate
(ISFW).
What must the administrator do to synchronize the address object?
A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
C. Change the csf setting on both devices to set downstream-access enable.
D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default. -
CORRECT ANSWER -C
Refer to the exhibits.
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the
default configuration of high memory usage thresholds.
Based on the system performance output, which two results are correct? (Choose two.)
A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode.
C. Administrators cannot change the configuration.
D. Administrators can access FortiGate only through the console port. - CORRECT
ANSWER - B,C
, Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
A. The debug flow is for ICMP traffic.
B. The default route is required to receive a reply.
C. Anew traffic session was created.
D. A firewall policy allowed the connection. - CORRECT ANSWER - A,C
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway
setting in both sites has been configured as Static IP Address. For site A, the local quick mode
selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.Which subnet
must the administrator configure for the local quick mode selector for site B?
A. 192.168.2.0/24
B. 192.168.0.0/8
C. 192.168.1.0/24
D. 192.168.3.0/24 - CORRECT ANSWER -A
Which two settings are required for SSL VPN to function between two FortiGate devices?
(Choose two.)
A. The client FortiGate requires a manually added route to remote subnets.
B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. -
CORRECT ANSWER - C,D
Which statement correctly describes the use of reliable logging on FortiGate?
Questions and CORRECT Answers
What is the limitation of using a URL list and application control on the same firewall policy, in
NGFW policy-based mode?
A. It limits the scanning of application traffic to the browser-based technology category only.
B. It limits the scanning of application traffic to the DNS protocol only.
C. It limits the scanning of application traffic to use parent signatures only.
D. It limits the scanning of application traffic to the application category only. - CORRECT
ANSWER -A
Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in
the exhibit.
Which policy will be highlighted, based on the input criteria?
A. Policy with ID 4.
B. Policy with ID 5.
C. Policies with ID 2 and 3.
D. Policy with ID 4. - CORRECT ANSWER -B
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN)
subinterfaces added to the same physical interface.In this scenario, what are two requirements for
the VLAN ID? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in
the same subnet.
,B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different
VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in
different subnets. - CORRECT ANSWER - B,C
An administrator has configured a strict RPF check on FortiGate.How does strict RPF check
work?
A. Strict RPF allows packets back to sources with all active routes.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using
the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session. - CORRECT
ANSWER -B
An administrator has configured the following settings:config system settingsset ses-denied-
traffic enableendconfig system globalset block-session-timer 30endWhat are the two results of
this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 minutes.
B. Denied users are blocked for 30 minutes.
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created. - CORRECT ANSWER - C,D
Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit
B) for Facebook.
Users are given access to the Facebook web application.
They can play video content hosted onFacebook, but they are unable to leave reactions on videos
or other types of posts.
,Which part of the policy configuration must you change to resolve the issue?
A. Force access to Facebook using the HTTP service.
B. Make the SSL inspection a deep content inspection.
C. Add Facebook in the URL category in the security policy.
D. Get the additional application signatures required to add to the security policy. - CORRECT
ANSWER -B
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the
security fabric. After synchronization, this object is not available on the downstream FortiGate
(ISFW).
What must the administrator do to synchronize the address object?
A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
C. Change the csf setting on both devices to set downstream-access enable.
D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default. -
CORRECT ANSWER -C
Refer to the exhibits.
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the
default configuration of high memory usage thresholds.
Based on the system performance output, which two results are correct? (Choose two.)
A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode.
C. Administrators cannot change the configuration.
D. Administrators can access FortiGate only through the console port. - CORRECT
ANSWER - B,C
, Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
A. The debug flow is for ICMP traffic.
B. The default route is required to receive a reply.
C. Anew traffic session was created.
D. A firewall policy allowed the connection. - CORRECT ANSWER - A,C
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway
setting in both sites has been configured as Static IP Address. For site A, the local quick mode
selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.Which subnet
must the administrator configure for the local quick mode selector for site B?
A. 192.168.2.0/24
B. 192.168.0.0/8
C. 192.168.1.0/24
D. 192.168.3.0/24 - CORRECT ANSWER -A
Which two settings are required for SSL VPN to function between two FortiGate devices?
(Choose two.)
A. The client FortiGate requires a manually added route to remote subnets.
B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. -
CORRECT ANSWER - C,D
Which statement correctly describes the use of reliable logging on FortiGate?
