NSE4 Flashcards
Which user group types does FortiGate support for firewall authentication? (Choose three.)
A. RSSO
B. Firewall
C. LDAP
D. NTLM
E. FSSO
A. RSSO
B. Firewall
E. FSSO
Which of the following settings can be configured per VDOM? (Choose three)
A. Operating mode (NAT/route or transparent)
B. Static routes
C. Hostname
D. System time
E. Firewall Policies
A. Operating mode (NAT/route or transparent)
B. Static routes
E. Firewall Policies
Which best describes the mechanism of a TCP SYN flood?
A. The attacker keeps many connections open with slow data transmission so that other clients cannot start new connections.
B. The attacker sends packets designed to sync with the FortiGate.
C. The attacker sends a specially crafted malformed packet, intended to crash the target by exploiting its parser.
D. The attacker starts many connections, but never acknowledges to fully form them.
D. The attacker starts many connections, but never acknowledges to fully form them.
What attributes are always included in a log header? (Choose three.)
A. policyid
B. level
C. user
D. time
E. subtype
F. duration
B. level
D. time
E. subtype
When does a FortiGate load-share traffic between two static routes to the same destination subnet?
A. When they have the same cost and distance.
B. When they have the same distance and the same weight.
C. When they have the same distance and different priority.
D. When they have the same distance and same priority.
D. When they have the same distance and same priority.
Which statement is an advantage of using a hub and spoke IPsec VPN configuration instead of a fully-meshed set of IPsec tunnels?
A. Using a hub and spoke topology provides full redundancy.
B. Using a hub and spoke topology requires fewer tunnels.
C. Using a hub and spoke topology uses stronger encryption protocols.
D. Using a hub and spoke topology requires more routes
B. Using a hub and spoke topology requires fewer tunnels.
An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?
A. The IPsec firewall policies must be placed at the top of the list.
B. This VPN cannot be used as a part of a hub and spoke topology.
C. Routes are automatically created based on the quick mode selectors.
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.
Which of the following email spam filtering features is NOT supported on a FortiGate unit?
A. Multipurpose Internet Mail Extensions (MIME) Header Check
B. HELO DNS Lookup
C. Greylisting
D. Banned Word
C. Greylisting
Which IPSec mode includes the peer id information in the first packet?
A. Main mode.
B. Quick mode.
C. Aggressive mode.
D. IKEv2 mode.
C. Aggressive mode.
What actions are possible with Application Control? (Choose three.)
A. Warn
B. Allow
C. Block
D. Traffic Shaping
E. Quarantine
B. Allow
C. Block
D. Traffic Shaping
Which is not a FortiGate feature?
A. Database auditing
B. Intrusion prevention
C. Web filtering
D. Application control
A. Database auditing
In FortiOS session table output, what is the correct proto_state number for an established, non-proxied TCP connection?
A. 00
B. 11
C. 01
D. 05
C. 01
A FortiGate device is configured with four VDOMs: ‘root’ and ‘vdom1’ are in NAT/route mode; ‘vdom2’ and ‘vdom3’ are in transparent mode. The management VDOM is ‘root’.
Which of the following statements are true? (Choose two.)
A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and ‘vdom2’ can be created.
C. An inter-VDOM link between ‘vdom2’ and ‘vdom3’ can be created.
D. Inter-VDOM links must be manually configured for FortiGuard traffic.
A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and ‘vdom2’ can be created.
Examine the following log message attributes and select two correct statements from the list below. (Choose two.)
hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"
A. The traffic was blocked.
B. The user failed authentication.
C. The category action was set to warning.
D. The website was allowed
C. The category action was set to warning.
D. The website was allowed
Which of the following statements are true about PKI users created in a FortiGate device?
(Choose two.)
A. Can be used for token-based authentication
B. Can be used for two-factor authentication
C. Are used for certificate-based authentication
D. Cannot be members of user groups
A. Can be used for token-based authentication
B. Can be used for two-factor authentication
Which is a more accurate description of a modern firewall?
A. A device that inspects network traffic at an entry point to the internet and within a simple, easily defined network perimeter
B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points
B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points
Which solution, specific to Fortinet, enhances performance and reduces latency for specific features and traffic?
A. Acceleration hardware, called SPUs (Security Processing Units)
B. Increased RAM and CPU power
A. Acceleration hardware, called SPUs (Security Processing Units)
Which protocol does FortiGate use to download antivirus and IPS packages?
A. UDP
B. TCP
B. TCP
How does FortiGate check content for spam or malicious websites?
A. Live queries to FortiGuard over UDP or HTTPS
B. Local verification using downloaded web filter database locally on FortiGate
A. Live queries to FortiGuard over UDP or HTTPS
How do you restrict logins to FortiGate from only specific IP addresses?
A. Change FortiGate management interface IP addresses
B. Configure trusted host
B. Configure trusted host
As a best security practice when configuring administrative access to FortiGate, which protocol should you disable?
A. Telnet
B. SSH
A. Telnet
When configuring FortiGate as a DHCP server, to restrict access by MAC address, what does the Assign IP option do?
A. Assigns a specific IP address to a MAC address
B. Dynamically assigns an IP to a MAC address
B. Dynamically assigns an IP to a MAC address
When configuring FortiGate as a DNS server, which resolution method only uses the FortiGate DNS database to try to resolve queries?
A. Non-recursive
B. Recursive
A. Non-recursive
Which traffic is always generated from the management VDOM?
A. Link Health Monitor
B. FortiGuard
B. FortiGuard
Which statement about the management VDOM is true?
A. It is root by default and cannot be changed in multi-vdom mode.
B. It is root by default, but can be changed to any VDOM in multi-vdom mode.
B. It is root by default, but can be changed to any VDOM in multi-vdom mode.
When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration file was produced, what must you also provide?
A. The password to decrypt the file
B. The private decryption key to decrypt the file
A. The password to decrypt the file
Which document should you consult to increase the chances of success before upgrading or downgrading firmware?
A. Cookbook
B. Release Notes
B. Release Notes
What is the Fortinet Security Fabric?
A. A Fortinet solution that enables communication and visibility among devices of your network
B. A device that can manage all your firewalls
A. A Fortinet solution that enables communication and visibility among devices of your network
Which combination of devices must participate in the Security Fabric?
A. A FortiAnalyzer and two or more FortiGate devices
B. A device that can manage all your firewalls
A. A FortiAnalyzer and two or more FortiGate devices
What are the two mandatory settings of the Security Fabric configuration?
A. Fabric name and Security Fabric role
B. Fabric name and FortiManager IP address
A. Fabric name and Security Fabric role
From where do you authorize a device to participate in the Security Fabric?
A. From the downstream FortiGate
B. From the root FortiGate
B. From the root FortiGate
Why should an administrator extend the Security Fabric to other devices?
A. To provide a single pane of glass for management and reporting purposes
B. To eliminate the need to purchase the licenses for FortiGate devices in the Security Fabric
A. To provide a single pane of glass for management and reporting purposes
What is the purpose of Security Fabric external connectors?
A. External connectors allow you to integrate multi-cloud support with the Security Fabric
B. External connectors allow you to connect the FortiGate command line interface (CLI)
A. External connectors allow you to integrate multi-cloud support with the Security Fabric
Which one is a part of the Security Rating scorecard?
A. Firewall Policy
B. Optimization
B. Optimization
From which view can an administrator deauthorize a device from the Security Fabric?
A. From the physical topology view
B. From the FortiView
A. From the physical topology view
What criteria does FortiGate use to match traffic to a firewall policy?
A. Secure and destination interfaces
B. Security profiles
A. Secure and destination interfaces
What must be selected in the Source field of a firewall policy?
A. At least one address object or ISDB
B. At least one source user and one source address object
A. At least one address object or ISDB
To configure a firewall policy, you must include a firewall policy name when configuring using the ____.
A. CLI
B. GUI
B. GUI
What is the purpose of applying security profiles to a firewall policy?
A. To allow access to specific subnets
B. To protect your network from threats, and control access to specific applications and URLs
B. To protect your network from threats, and control access to specific applications and URLs
If you configure a firewall policy with any interface, you can view the firewall policy list only in which view?
A. The By Sequence View
B. The Interface Pair View
A. The By Sequence View
Which of the following naming formats is correct when configuring a name for a firewall address object?
A. Good_Training
B. Good(Training)
A. Good_Training
What is the purpose of the policy lookup feature on FortiGate?
A. To find a matching policy based on input criteria
B. To block traffic based on input criteria
A. To find a matching policy based on input criteria
What is NAT used for?
A. Preserving IP addresses
B. Traffic shaping
A. Preserving IP addresses
Which statement about NAT66 is true?
A. It is NAT between two IPv6 networks.
B. It is NAT between two IPv4 networks.
A. It is NAT between two IPv6 networks.
What is the default IP pool type?
A. One-to-one
B. Overload
B. Overload
Which of the following is the default VIP type?
A. static-nat
B. load-balance
A. static-nat
Which statement is true?
A. Central NAT is not enabled by default
B. Both central NAT and firewall policy NAT can be enabled together
A. Central NAT is not enabled by default
What happens if there is no matching central SNAT policy or no central SNAT policy configured?
A. The egress interface IP will be used.
B. NAT will not be applied to the firewall session.
B. NAT will not be applied to the firewall session.
Which method would you use for advanced application tracking and control?
A. Session helper
B. Application layer gateway
B. Application layer gateway
Which profile is an example of application layer gateway?
A. WAF (Web Application Firewall) profile
B. VOIP (Voice over IP) profile
B. VOIP (Voice over IP) profile
If session diagnostic output indicates that a TCP protocol state is proto_state=01, which is true?
A. The session is established
B. The session is not established
A. The session is established
An administrator wants to check the total number of TCP sessions for an IP pool named INTERNAL. Which CLI command should the administrator use?
A. diagnose firewall ippool-all stats INTERNAL
B. diagnose firewall ippool-all list INTERNAL
A. diagnose firewall ippool-all stats INTERNAL
Which firewall authentication method does FortiGate support?
A. Local password authentication
B. Biometric authentication
A. Local password authentication
Which type of token can generate OTPs to provide two-factor authentication to users in your network?
A. FortiToken Mobile
B. USB FortiToken
A. FortiToken Mobile
When FortiGate uses a RADIUS server for remote authentication, which statement about RADIUS is true?
A. FortiGate must query the remote RADIUS server using the distinguished name (dn).
B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.
B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.
What is a valid reply from RADIUS server to an ACCESS_REQUEST packet from FortiGate?
A. ACCESS-PENDING
B. ACCESS-REJECT
B. ACCESS-REJECT
A remote LDAP user is trying to authenticate with a username and password. How does FortiGate verify the login credentials?
A. FortiGate queries its own database for user credentials.
B. FortiGate sends the user-entered credentials to the remote server for verification.
B. FortiGate sends the user-entered credentials to the remote server for verification.
Which statement about guest user groups is true?
A. Guest user group accounts are temporary.
B. Guest user group account passwords are temporary.
A. Guest user group accounts are temporary.
Guest accounts are most commonly used for which purposes?
A. To provide temporary visitor access to corporate network resources
B. To provide temporary visitor access to wireless networks
B. To provide temporary visitor access to wireless networks
Firewall policies dictate whether a user or device can or cannot authenticate on a network. Which statement about firewall authentication is true?
A. Firewall policies can be configured to authenticate certificate users.
B. The order of the firewall policies always determines whether a user’s credentials are determined actively or passively.
A. Firewall policies can be configured to authenticate certificate users.
Which statement about active authentication is true?
A. Active authentication is always used before passive authentication.
B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.
B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.
Which statement about captive portal is true?
A. Captive portal must be hosted on a FortiGate device.
B. Captive portal can exempt specific devices from authenticating.
B. Captive portal can exempt specific devices from authenticating.
Which statement best describes the authentication idle timeout feature on FortiGate?
A. The length of time FortiGate waits for the user to enter their authentication credentials
B. The length of time an authenticated user is allowed to remain authenticated without any packets being generated by the host device
B. The length of time an authenticated user is allowed to remain authenticated without any packets being generated by the host device
Which command would you use to identify the IP addresses of all authenticated users?
A. diagnose firewall auth clear
B. diagnose firewall auth list
B. diagnose firewall auth list
Which type of logs are application control, web filter, antivirus, and DLP?
A. Event
B. Security
B. Security
The log _______ contains fields that are common to all log types, such as originating date and time, log identifier, log category, and VDOM.
A. header
B. body
A. header
Which storage type is preferred for logging?
A. Remote Logging
B. Hard drive
A. Remote Logging