NSE4_FGT-6.0 by Fortinet Valid Free Exam Practice Test

Question 1

View the following exhibit, which shows the firewall policies and the object uses in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search create shown in the following exhibit.

Which of the following will be highlighted based on the input criteria?

A. Policy with ID 5. B. Policy with ID1. C. Policy with ID 4. D. Policies with ID 2 and 3.

Correct Answer: B

Question 2

Which of the following statements about policy-based IPsec tunnels are true? (Choose two.)

A. They support GRE-over-IPsec. B. They require two firewall policies: one for each directions of traffic flow. C. They support L2TP-over-IPsec. D. They can be configured in both NAT/Route and transparent operation modes.

Correct Answer: C,D

Question 3

Examine the exhibit, which shows the partial output of an IKE real-time debug.

Which of the following statement about the output is true?

A. Phase 1 went down. B. Remote is the host name of the remote IPsec peer. C. The VPN is configured to use pre-shared key authentication. D. Extended authentication (XAuth) was successful.

Correct Answer: C

Question 4

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address
10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

A. Any available IP address in the WAN (port1) subnet 10.200.1.0/24 B. 10.0.1.254 C. 10.200.1.10 D. 10.200.1.1

Correct Answer: D

Question 5

Examine the exhibit, which shows the partial output of an IKE real-time debug.

Which of the following statement about the output is true?

A. Phase 1 went down. B. Remote is the host name of the remote IPsec peer. C. The VPN is configured to use pre-shared key authentication. D. Extended authentication (XAuth) was successful.

Correct Answer: C

Question 6

If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate take?

A. It blocks all future traffic for that IP address for a configured interval. B. It archives the data for that IP address. C. It notifies the administrator by sending an email. D. It provides a DLP block replacement page with a link to download the file.

Correct Answer: A

Question 7

Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

A. The firewall policy is not using a full SSL inspection profile. B. The HTTPS signatures have not been added to the sensor. C. A DoS policy should be used, instead of an IPS sensor. D. The IPS filter is missing the Protocol: HTTPS option. E. A DoS policy should be used, instead of an IPS sensor.

Correct Answer: A

Question 8

Which statement is true regarding the policy ID number of a firewall policy?

A. Defines the order in which rules are processed. B. Changes when firewall policies are reordered. C. Required to modify a firewall policy using the CLI. D. Represents the number of objects used in the firewall policy.

Correct Answer: C

Question 9

Examine this output from a debug flow:

Which statements about the output are correct? (Choose two.)

A. FortiGate routed the packet through port 3. B. The packet was allowed by the firewall policy with the ID 00007fc0. C. The source IP address of the packet was translated to 10.0.1.10. D. FortiGate received a TCP SYN/ACK packet.

Correct Answer: A,D

Question 10

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A. To force a new DH exchange with each phase 2 rekey. B. To dynamically change phase 1 negotiation mode aggressive mode. C. To encapsulation ESP packets in UDP packets using port 4500. D. To delete intermediary NAT devices in the tunnel path.

Correct Answer: C,D

Fortinet NSE 4 - FortiOS 6.0 - NSE4_FGT-6.0 Exam Practice Test