NSE4_FGT-7.2 Online Practice Questions and Answers

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

A. get system status

B. get system performance status

C. diagnose sys top

D. get system arp

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

A. diagnose wad session list

B. diagnose wad session list | grep hook-preandandhook-out

C. diagnose wad session list | grep hook=preandandhook=out

D. diagnose wad session list | grep "hook=pre"and"hook=out"

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

1.

All traffic must be routed through the primary tunnel when both tunnels are up

2.

The secondary tunnel must be used only if the primary tunnel goes down

3.

In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

B. Enable Dead Peer Detection.

C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

A. Change password

B. Enable restrict access to trusted hosts

C. Change Administrator profile

D. Enable two-factor authentication

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?

A. Change the csf setting on ISFW (downstream) to set configuration-sync local.

B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

C. Change the csf setting on both devices to set downstream-access enable.

D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Which two statements describe how the RPF check is used? (Choose two.)

A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

B. The RPF check is run on the first sent and reply packet of any new session.

C. The RPF check is run on the first sent packet of any new session.

D. The RPF check is run on the first reply packet of any new session.

Which statement is correct regarding the use of application control for inspecting web applications?

A. Application control can identity child and parent applications, and perform different actions on them.

B. Application control signatures are organized in a nonhierarchical structure.

C. Application control does not require SSL inspection to identity web applications.

D. Application control does not display a replacement message for a blocked web application.

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

A. To allow for out-of-order packets that could arrive after the FIN/ACK packets

B. To finish any inspection operations

C. To remove the NAT operation

D. To generate logs

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

A. The Detection Mode setting is not set to Passive.

B. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

C. The configured participants are not SD-WAN members.

D. The Enable probe packets setting is not enabled.

Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

A. There are five devices that are part of the security fabric.

B. Device detection is disabled on all FortiGate devices.

C. This security fabric topology is a logical topology view.

D. There are 19 security recommendations for the security fabric.