NSE4_FGT-6.2 Questions and Answers

Note: The NSE4_FGT-6.2 exam is now retired. Please select the replacement exam for your certification. The new exam code is NSE4_FGT-7.2.

Question # 6

An administrator wants to block HTTP uploads. Examine the exhibit, which contains the proxy address created for that purpose.

Where must the proxy address be used?

A.

As the source in a firewall policy.

B.

As the source in a proxy policy.

C.

As the destination in a firewall policy.

D.

As the destination in a proxy policy.

Question # 7

Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)

A.

Firewall service

B.

User or user group

C.

IP Pool

D.

FQDN address

Question # 8

An administrator has configured two VLAN interfaces:

A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5 interface. However, the DHCP client cannot get a dynamic IP address from the DHCP server. What is the cause of the problem?

A.

Both interfaces must belong to the same forward domain.

B.

The role of the VLAN10 interface must be set to server.

C.

Both interfaces must have the same VLAN ID.

D.

Both interfaces must be in different VDOMs.

Question # 9

If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?

A.

The Services field removes the requirement of creating multiple VIPs for different services.

B.

The Services field is used when several VIPs need to be bundled into VIP groups.

C.

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

D.

The Services field does not allow multiple sources of traffic to use multiple services to connect to a single computer.

Question # 10

An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best practices to do so? (Choose three.)

A.

Configure split tunneling for content inspection.

B.

Configure host restrictions by IP or MAC address.

C.

Configure two-factor authentication using security certificates.

D.

Configure SSL offloading to a content processor (FortiASIC).

E.

Configure a client integrity check (host-check).

Question # 11

Examine the network diagram shown in the exhibit, and then answer the following question:

A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes will satisfy this requirement on FGT1? (Choose two.)

A.

172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]

B.

172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]

C.

172.20.2.0/24 (1/150) via 10.10.1.2, port3 [10/0]

D.

172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]

Question # 12

A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added to the physical interface.

Which statement about the VLAN sub interfaces is true?

A.

The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

B.

The two VLAN sub interfaces must have different VLAN IDs.

C.

The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

D.

The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

Question # 13

An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

A.

The interface has been configured for one-arm sniffer.

B.

The interface is a member of a virtual wire pair.

C.

The operation mode is transparent.

D.

The interface is a member of a zone.

E.

Captive portal is enabled in the interface.

Question # 14

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A.

It limits the scope of application control to the browser-based technology category only.

B.

It limits the scope of application control to scan application traffic based on application category only.

C.

It limits the scope of application control to scan application traffic using parent signatures only.

D.

It limits the scope of application control to scan application traffic on DNS protocol only.

Question # 15

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

A.

10.200.1.10

B.

Any available IP address in the WAN (port1) subnet 10.200.1.0/24

C.

10.200.1.1

D.

10.0.1.254

Question # 16

View the exhibit:

Which the FortiGate handle web proxy traffic rue? (Choose two.)

A.

Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

B.

port1-VLAN1 is the native VLAN for the port1 physical interface.

C.

port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

D.

Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

Question # 17

Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

A.

FortiGate will load balance all traffic across both routes.

B.

FortiGate will use the port1 route as the primary candidate.

C.

FortiGate will route twice as much traffic to the port2 route.

D.

FortiGate will only activate the port1 route in the routing table.

Question # 18

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

A.

Log downloads from the GUI are limited to the current filter view.

B.

Log backups from the CLI cannot be restored to another FortiGate.

C.

Log backups from the CLI can be configured to upload to FTP at a scheduled time.

D.

Log downloads from the GUI are stored as LZ4 compressed files.

Question # 19

Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)

A.

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B.

ADVPN is only supported with IKEv2.

C.

Tunnels are negotiated dynamically between spokes.

D.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question # 20

In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?

A.

Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server.

B.

Client > secondary FortiGate > web server.

C.

Client > secondary FortiGate > primary FortiGate > web server.

D.

Client > primary FortiGate > secondary FortiGate > web server.

Question # 21

Examine the exhibit, which shows the partial output of an IKE real-time debug.

Which of the following statements about the output is true?

A.

The VPN is configured to use pre-shared key authentication.

B.

Extended authentication (XAuth) was successful.

C.

Remote is the host name of the remote IPsec peer.

D.

Phase 1 went down.
