NSE4_FGT-7.0 Online Practice Questions and Answers

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

A. The signature setting uses a custom rating threshold.

B. The signature setting includes a group of other signatures.

C. Traffic matching the signature will be allowed and logged.

D. Traffic matching the signature will be silently dropped and logged.

An administrator has configured the following settings: What are the two results of this configuration? (Choose two.)

A. Device detection on all interfaces is enforced for 30 minutes.

B. Denied users are blocked for 30 minutes.

C. A session for denied traffic is created.

D. The number of logs generated by denied traffic is reduced.

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A. FortiCache

B. FortiSIEM

C. FortiAnalyzer

D. FortiSandbox

E. FortiCloud

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

A. diagnose sys top

B. execute ping

C. execute traceroute

D. diagnose sniffer packet any

E. get system arp

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password

B. FortiGate supports pre-shared key and signature as authentication methods.

C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.

D. A certificate is not required on the remote peer when you set the signature as the authentication method.

Refer to the exhibit.

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

B. An SA never expires.

C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.

D. Phase 2 SA expiration can be time-based, volume-based, or both.

E. Both the phase 1 SA and phase 2 SA are bidirectional.

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

A. FortiManager

B. Root FortiGate

C. FortiAnalyzer

D. Downstream FortiGate

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A. The subject field in the server certificate

B. The serial number in the server certificate

C. The server name indication (SNI) extension in the client hello message

D. The subject alternative name (SAN) field in the server certificate

E. The host field in the HTTP header

Which statement regarding the firewall policy authentication timeout is true?

A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.

B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.

C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.

D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.