
Topic 1 - Exam A

Question #1 Topic 1

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A. It limits the scanning of application traffic to the browser-based technology category only.

B. It limits the scanning of application traffic to the DNS protocol only.

C. It limits the scanning of application traffic to use parent signatures only.

D. It limits the scanning of application traffic to the application category only.

Correct Answer: A

Community vote distribution


A (95%) 5%

  BoostBoris Highly Voted  10 months, 1 week ago

Selected Answer: A

NSE4 7.2 Security page 317: You can configure the URL Category within the same security policy; however, adding a URL filter causes application
control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website.
upvoted 14 times

  redSTORM Most Recent  3 weeks ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

  joaomrogerio 3 weeks, 6 days ago

Selected Answer: A

Correct is A
upvoted 1 times

  Ygrec 1 month, 4 weeks ago


What is NGFW, please?
upvoted 1 times

  cdcogbuji 1 month, 1 week ago


It is Next Generation Firewall.
upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: A

A. It limits the scanning of application traffic to the browser-based technology category only.

FortiGate Security 7.2 Study Guide (p.317):


"You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications
in only the browser-based technology category, for example, Facebook Messenger on the Facebook website."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  TW2083 3 months, 2 weeks ago


FortiGate Security 7.2 Study Guide p.317
upvoted 2 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: A

FortiGate Security 7.2 Study Guide p.317

You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in
only the browser-based technology category, for example, Facebook Messenger on the Facebook website.
upvoted 1 times

  AhmedZkry 5 months ago


Selected Answer: A
Correct is A
upvoted 1 times

  LaScarD 6 months, 2 weeks ago


If a URL Category is set, then applications that you add to the policy must be within the browser-based technology category
upvoted 1 times

  itashraf 7 months ago


Policy-based mode is new. In this mode, users can add applications and web filtering categories directly to a policy without having to first create
and configure Application Control or Web Filtering profiles. If a URL category is set, the applications that are added to the policy must be within the
browser-based technology category. NGFW is per VDOM setting. This means users can operate their FortiGate or individual VDOMs on their
FortiGate in NGFW policy-based mode when they select flow-based inspection.
https://www.fortinetguru.com/2019/09/policy-introduction-profile-based-ngfw-vs-policy-based-ngfw-fortios-6-2/
upvoted 2 times

  Libexec 7 months, 3 weeks ago


A / Security 7.0 page 451
upvoted 1 times

  PaulGo 8 months, 1 week ago


Security 7.0 page 446 NGFW Policy-Based Mode (Contd)
upvoted 1 times

  PaulGo 8 months, 1 week ago


A is correct!
upvoted 1 times

  dogeatdog 8 months, 3 weeks ago


A. page 317 of study guide
upvoted 2 times

  Rodri96 9 months ago


D. It limits the scanning of application traffic to the application category only.

When using a URL list and application control in the same firewall policy in NGFW policy-based mode, the firewall may be limited in its ability to
fully inspect and control application traffic. This is because the URL list only controls access to specific websites or domains, while the application
control inspects and controls the specific applications or services being used.

By combining both features, the firewall may only be able to inspect and control traffic based on the application category, rather than the specific
application being used. This could potentially allow certain applications or services to bypass security measures if they are not categorized
correctly, or if they are categorized under a broader category that is not being blocked.

Therefore, it is important to carefully consider the limitations and potential gaps in security when using both URL lists and application control in
the same firewall policy.
upvoted 2 times

  santi1509 10 months ago


Selected Answer: U

Having web filtering and application control in the same policies exhausts resources, which means there is no proper analysis of the browser-based categories.
upvoted 1 times

  Reyne 11 months ago


Taken from the slides NSE 4 7.2:

"You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications
in only the browser based technology category, for example, Facebook Messenger on the Facebook website"

So correct answer should be A.


upvoted 1 times

  tattybizzy 11 months, 1 week ago


D. is correct
upvoted 1 times
Question #2 Topic 1

Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

A. Policy with ID 4.

B. Policy with ID 5.

C. Policies with ID 2 and 3.

D. Policy with ID 4.
Correct Answer: A

Community vote distribution


B (97%)

  shadow2020 Highly Voted  9 months, 3 weeks ago


there are 3 rules related to port3
and two rules source LOCAL_CLIENT
this would leave us with Rule 1 & 5
Rule one Service is = ULL_UDP
Rule five = Internet Services
Destination port we are looking for is 443 (usually this is TCP)
So it had to be PID5
upvoted 22 times

  dacmick 3 months, 1 week ago


right answer, wrong rationale, look at Slash_JM's reasoning
upvoted 1 times

  Slash_JM Highly Voted  3 months, 3 weeks ago

Selected Answer: B

We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to
facebook.com TCP port 443 (HTTPS). There are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies are
evaluated from top to bottom. This means that the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based
on the Policy Lookup criteria, Policy ID 5 will be highlighted.
upvoted 7 times
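To make the top-to-bottom, first-match evaluation Slash_JM describes concrete, here is an added Python simulation of Policy Lookup (example code, not part of the thread or of FortiOS). The policy table, the address objects and the resolved IP for facebook.com are constructed for the illustration, since the exhibit is not reproduced here; they are arranged so that ID 5 is the first match, as the thread concludes.

```python
"""Constructed simulation of FortiGate firewall policy lookup: policies are
evaluated top to bottom and the first one whose source interface, source
address, destination address and service all match is the one applied."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Address objects (constructed values; LOCAL_CLIENT = 10.1.1.10 is taken from the thread).
# A str value denotes an FQDN address object, anything else is an IP subnet.
ADDRESSES = {
    "all": ip_network("0.0.0.0/0"),
    "LOCAL_CLIENT": ip_network("10.1.1.10/32"),
    "REMOTE_CLIENT": ip_network("10.1.2.0/24"),
    "facebook.com": "facebook.com",
}

# Service objects: (protocol, first destination port, last destination port).
SERVICES = {
    "ALL": [("tcp", 1, 65535), ("udp", 1, 65535)],
    "ALL_UDP": [("udp", 1, 65535)],
    "HTTP": [("tcp", 80, 80)],
    "HTTPS": [("tcp", 443, 443)],
}


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str  # "accept" or "deny"


@dataclass(frozen=True)
class Lookup:
    """The fields an administrator fills in the Policy Lookup dialog."""
    srcintf: str
    src_ip: str
    dst_ip: str            # an FQDN destination is resolved to an IP before lookup
    protocol: str
    dst_port: int
    dst_fqdn: Optional[str] = None


def addr_matches(obj_name: str, ip: str, fqdn: Optional[str] = None) -> bool:
    obj = ADDRESSES[obj_name]
    if isinstance(obj, str):          # FQDN object: hostname must match
        return fqdn is not None and fqdn.lower() == obj
    return ip_address(ip) in obj      # subnet object: IP must be inside it


def service_matches(name: str, protocol: str, port: int) -> bool:
    return any(proto == protocol and lo <= port <= hi
               for proto, lo, hi in SERVICES[name])


def policy_lookup(policies, q: Lookup) -> Optional[Policy]:
    """Return the first matching policy in configured order, or None (implicit deny)."""
    for pol in policies:
        if (pol.srcintf == q.srcintf
                and addr_matches(pol.srcaddr, q.src_ip)
                and addr_matches(pol.dstaddr, q.dst_ip, q.dst_fqdn)
                and service_matches(pol.service, q.protocol, q.dst_port)):
            return pol
    return None


# Constructed policy table in GUI order. It is laid out so that only ID 5 matches
# the HTTPS lookup below, mirroring the thread's conclusion; it is not the exhibit.
POLICIES = [
    Policy(1, "port3", "LOCAL_CLIENT", "all", "ALL_UDP", "accept"),
    Policy(2, "port1", "all", "all", "ALL", "accept"),
    Policy(3, "port3", "all", "facebook.com", "HTTP", "accept"),
    Policy(4, "port3", "REMOTE_CLIENT", "all", "HTTPS", "accept"),
    Policy(5, "port3", "LOCAL_CLIENT", "all", "ALL", "accept"),
]

# 203.0.113.10 is a documentation-range address standing in for the resolved FQDN.
FACEBOOK_HTTPS = Lookup("port3", "10.1.1.10", "203.0.113.10", "tcp", 443, "facebook.com")


def highlighted_policy_id(policies, q: Lookup) -> Optional[int]:
    pol = policy_lookup(policies, q)
    return pol.policy_id if pol else None


if __name__ == "__main__":
    print("Highlighted policy:", highlighted_policy_id(POLICIES, FACEBOOK_HTTPS))  # 5
```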

  SpikeDad Most Recent  1 month ago


I configured this up on a 60D and it matched ID5.
BTW, there is no service called ULL_UDP, obviously a typo, should be ALL_UDP, which excludes them immediately
upvoted 1 times

  TiagoFigur 1 month ago


Selected Answer: B

The correct answer is letter B.


upvoted 1 times

  eroman220 1 month, 1 week ago


B for sure
upvoted 1 times

  Ygrec 1 month, 4 weeks ago


B. POLICY ID 5 for sure.
upvoted 1 times

  Possa 2 months, 4 weeks ago

Selected Answer: B

The only policies leaving Port 3 with facebook as destination are options 3 and 5.

But option 3 does not have https.


upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: B

B. Policy with ID 5.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Vic2911 3 months, 2 weeks ago


Policy id5 is the correct answer
upvoted 1 times

  lucas09 3 months, 4 weeks ago


B. Also there are two answers that say ID 4, so I don't know what that's about.
upvoted 1 times

  rian00z_ 4 months ago

Selected Answer: B

Answer: B
upvoted 1 times

  ragnax 4 months, 2 weeks ago


Correct is B
upvoted 2 times

  bunnyrabbit 4 months, 2 weeks ago


Is the source IP address really connected on port3?
It appears only in Policy Lookup, and in addition the Policy ID is not explicit on https.
Maybe PID 4 is right?
Thanks
upvoted 1 times

  AhmedZkry 5 months ago


Selected Answer: B

Correct is B
upvoted 1 times

  YahyaB 5 months ago


Selected Answer: B

Policy ID 5
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


B. Policy with ID
upvoted 1 times

  f52f6e6 6 months ago

Selected Answer: B

Source Port3, object LOCAL_CLIENT, destination facebook.com, web services, so 443 is implicit; it has to be ID5, answer B.
upvoted 1 times
Question #3 Topic 1

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C. The two VLAN subinterfaces must have different VLAN IDs.

D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

Correct Answer: CD

Community vote distribution


BC (73%) CD (16%) 11%

  Garry_G Highly Voted  8 months ago


Anything but the "different VLAN" answer is impossible from a networking view, as well as configuration on the FG is concerned. At least up to 7.0
it's impossible to configure the same VLAN on the same physical link multiple times, no matter if it's in separate VDOMs or not.
upvoted 10 times

  Garry_G 3 months, 2 weeks ago


P.S. - did some tests - at least up to 7.0.12, the firewall will instantly complain about duplicate VLAN ID no matter if you select different VDOMs,
IPs, or IPs from the same subnet (which will ADDITIONALLY cause an IP-conflict with the first VLAN interface)
So, if the official test has this question and asks for two choices, it's definitely wrong ... (as any sane technician would argue)
upvoted 3 times

  GeniusA Most Recent  14 hours, 57 minutes ago


B & C is the correct answer
upvoted 1 times

  TheManDude 3 weeks, 3 days ago


Selected Answer: C

This Question has been asked on 7.0 and 6.4 NSE 4. It’s always been a one answer question. So it’s only C.
upvoted 1 times

  Diego_Farani 1 month ago

Selected Answer: BC

Basic concept of VLAN.


upvoted 1 times

  keshzy 1 month, 3 weeks ago


VLANs split your physical LAN into multiple, logical LANs. In NAT operation mode, each VLAN forms a
separate broadcast domain. Multiple VLANs can coexist in the same physical interface, provided they have
different VLAN IDs. In this way, a physical interface is split into two or more logical interfaces. A tag is added
to each Ethernet frame to identify the VLAN to which it belongs.
Note that in a multi-VDOM environment, the physical interface and its VLAN sub-interface can be in separate
VDOMs.
upvoted 1 times

  nazareth 1 month, 3 weeks ago

Selected Answer: BC

b and c
upvoted 1 times

  Knowledge33 1 month, 4 weeks ago

Selected Answer: BC

b and c
upvoted 1 times

  diegoBenavides 2 months ago


An interface can have two identical VLANs if and only if both belong to different VDOMs; otherwise, in the same VDOM, they must be different.
upvoted 1 times

  netwkguy99 2 months, 3 weeks ago

Selected Answer: C
I think there's some confusion; it could just be a mistype under "choose two answers", because the other answers do not really make sense. Found
an old reference which only uses different VLAN IDs as the answer.

https://vceguide.com/which-statements-about-the-vlan-sub-interfaces-can-have-the-same-vlan-id-only-if-they-have-ip-addresses-in-different-subnets/
upvoted 1 times

  Knowledge33 1 month, 4 weeks ago


You're wrong. B and C are correct. In my environment, I have 1 interface on root VDOM, and a subinterface on another VDOM. Both interfaces
have the same VLAN ID. And it works perfectly.
upvoted 2 times

  raydel92 3 months, 1 week ago


Selected Answer: BC

B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Vic2911 3 months, 2 weeks ago


B is wrong, it's not possible to configure the SAME VLAN ID on different VDOMs but on the SAME physical interface.
C is correct
B would be correct only IF the same VLAN ID were configured on different VDOMs AND different physical interfaces
upvoted 1 times

  Eist 2 months, 3 weeks ago


Then in this case D would be correct, since different physical interfaces have different ip addresses subnets, correct?
upvoted 1 times

  myrmidon3 3 months, 3 weeks ago

Selected Answer: BC

VLAN
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640

* VLANs can be created on any physical or aggregate (802.3ad) interfaces


- The same VLAN number cannot be configured twice on the same physical interface
- The same VLAN number can be used on different physical interfaces
- The usable VLAN ID range is from 1 to 4094

* VDOM interface assignment


- Two VDOMs cannot share the same interface or VLAN
- A VLAN sub-interface can belong to a different VDOM than the physical interface it is attached to.
upvoted 3 times

  Slash_JM 3 months, 3 weeks ago

Selected Answer: BC

FortiGate Infrastructure 7.2 Study Guide p.94

Each interface (physical or VLAN) can belong to only one VDOM.

Meaning that sub-interfaces (VLANs) from the same physical interface can have the same VLAN ID as long as they are not assigned to the same
VDOM.
upvoted 2 times

  Deep_Purple 4 months, 3 weeks ago


Only C
https://www.fortinetguru.com/2016/12/vlan-id-rules/
upvoted 2 times

  AhmedZkry 5 months ago

Selected Answer: BC

Correct is B and C
upvoted 3 times

  thomasbr 3 months, 1 week ago


You can not answer "must have different VLAN IDs" and "can have the same VLAN ID if ......"
upvoted 1 times

  jcnet72 5 months ago

Selected Answer: BC

B And C Are correct


upvoted 3 times

  itmaxuser 5 months, 1 week ago


Only C is true
upvoted 2 times
Question #4 Topic 1

An administrator has configured a strict RPF check on FortiGate.

How does strict RPF check work?

A. Strict RPF allows packets back to sources with all active routes.

B. Strict RPF checks the best route back to the source using the incoming interface.

C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

D. Strict RPF check is run on the first sent and reply packet of any new session.

Correct Answer: C

Community vote distribution


B (91%) 9%

  moutaz1983 Highly Voted  11 months, 2 weeks ago


Answer should be (B), The strict RPF check ensures the best route back to the
source is used as the incoming interface
upvoted 14 times

  GeniusA Most Recent  14 hours, 55 minutes ago


B for the strict RPF check
upvoted 1 times

  Wrath4980 2 weeks, 2 days ago


Selected Answer: B

According to FortiGate_Infrastructure_7.2_Study_Guide page 40

Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the routing table contains a
matching route for the source address and the incoming interface, but there is a better route for the source address through another interface, then
the RPF check fails.
upvoted 1 times

  Ygrec 1 month, 2 weeks ago


Selected Answer: B

B definitely
upvoted 1 times

  Ygrec 1 month, 4 weeks ago


B definitely
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. Strict RPF checks the best route back to the source using the incoming interface.

FortiGate Infrastructure 7.2 Study Guide (p.41):


"Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the routing table contains a
matching route for the source address and incoming interface, but there is a better route for the source address through another interface, then,
the RPF check fails."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Vic2911 3 months, 2 weeks ago


The right answer is C: "Strict RPF requires that the receiving interface is not only valid, but that it is also the best interface for the reply. If you have
multiple routes, it must be the preferred one."
upvoted 1 times

  Vic2911 3 months, 2 weeks ago


I meant B as the correct answer
upvoted 2 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: B

FortiGate Infrastructure 7.2 Study Guide p.41


upvoted 1 times

  lucas09 3 months, 4 weeks ago


The Correct answer is B
Strict chooses best path back
Loose chooses a valid path back
Feasible path: Formerly known as loose, it’s the default mode. In this mode, FortiGate verifies that the
routing table contains a route that matches the source address of the packet and the incoming interface.
The matching route doesn’t have to be the best route in the routing table for that source address. It just has
to match the source address and the incoming interface of the packet.
Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table.
That is, if the routing table contains a matching route for the source address and incoming interface, but
there is a better route for the source address through another interface, then, the RPF check fails.

So in short if there is a best route out of its incoming interface then strict will pass. If there is a route from the incoming interface but a better route
out of another Strict will deny.
upvoted 1 times
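As an added example (not from the thread or the study guide), the following Python model implements the two modes lucas09 quotes: feasible path passes if any active route to the source leaves through the incoming interface, strict passes only if the best (longest-prefix) route does. The routing table, distances and interface names are constructed.

```python
"""Constructed model of FortiGate's two RPF (reverse path forwarding) modes.
Feasible path (loose): some active route to the packet's source must exit via
the interface the packet arrived on.  Strict: the best route to the source
must exit via that interface."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    distance: int = 10   # administrative distance (constructed: 10 for static routes)


def active_routes(rib: List[Route]) -> List[Route]:
    """Only the lowest-distance route(s) per prefix are installed in the routing
    table; a higher-distance duplicate is inactive and never consulted by RPF."""
    best = {}
    for r in rib:
        best[r.prefix] = min(best.get(r.prefix, r.distance), r.distance)
    return [r for r in rib if r.distance == best[r.prefix]]


def matching_routes(rib: List[Route], src_ip: str) -> List[Route]:
    """Active routes whose prefix covers the source address."""
    src = ip_address(src_ip)
    return [r for r in active_routes(rib) if src in r.prefix]


def best_routes(rib: List[Route], src_ip: str) -> List[Route]:
    """Longest-prefix match; more than one route comes back only for ECMP."""
    candidates = matching_routes(rib, src_ip)
    if not candidates:
        return []
    longest = max(r.prefix.prefixlen for r in candidates)
    return [r for r in candidates if r.prefix.prefixlen == longest]


def rpf_check(rib: List[Route], src_ip: str, incoming_intf: str,
              mode: str = "feasible") -> bool:
    """True if the packet passes the RPF check, False if it would be dropped."""
    if mode == "feasible":
        routes = matching_routes(rib, src_ip)   # any active route via the interface
    elif mode == "strict":
        routes = best_routes(rib, src_ip)       # the best route must use the interface
    else:
        raise ValueError(f"unknown RPF mode: {mode}")
    return any(r.interface == incoming_intf for r in routes)


# Constructed routing table: a default route out port1, an internal summary out
# port2, an inactive (higher distance) backup for that summary out port4, and a LAN.
RIB = [
    Route(ip_network("0.0.0.0/0"), "port1"),
    Route(ip_network("10.0.0.0/8"), "port2"),
    Route(ip_network("10.0.0.0/8"), "port4", distance=20),
    Route(ip_network("192.168.1.0/24"), "port3"),
]

if __name__ == "__main__":
    # A packet claiming source 10.1.1.1 arrives on port1: the default route lets
    # feasible mode pass, but the better 10.0.0.0/8 route via port2 makes strict fail.
    for mode in ("feasible", "strict"):
        print(mode, rpf_check(RIB, "10.1.1.1", "port1", mode))  # True, then False
```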

  rian00z_ 4 months ago

Selected Answer: B

Correct answer: B
upvoted 1 times

  AhmedZkry 5 months ago

Selected Answer: B

Correct is B
upvoted 1 times

  ronaldvs 5 months, 3 weeks ago

Selected Answer: B

B is correct
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


B. Strict RPF checks the best route back to the source using the incoming interface. Most Voted
upvoted 1 times

  RL3984 6 months ago


Why is it that the correct answer from this website has been different from the most voted 3/4 times so far?
upvoted 2 times

  Zemaye 6 months, 2 weeks ago


Selected Answer: B

Packet is dropped if its ingressing interface does not match the interface selected by the routing lookup.
upvoted 1 times

  netninja02 7 months, 2 weeks ago

Selected Answer: B

Answer is B. "The default feasible RPF mode checks only for the existence of at least one active route back to the source using the incoming
interface. The strict RPF check ensures the best route back to the source is used as the incoming interface."
upvoted 3 times

  Libexec 7 months, 3 weeks ago


Selected Answer: B

Infra guide Page 39: "In strict mode, FortiGate checks that the best route to the source IP is through the incoming interface. The route not only has
to be active (as in the case of loose mode), but it also has to be the best."
upvoted 2 times
Question #5 Topic 1

An administrator has configured the following settings:

config system settings

set ses-denied-traffic enable

end

config system global

set block-session-timer 30

end

What are the two results of this configuration? (Choose two.)

A. Device detection on all interfaces is enforced for 30 minutes.

B. Denied users are blocked for 30 minutes.

C. The number of logs generated by denied traffic is reduced.

D. A session for denied traffic is created.

Correct Answer: AB

Community vote distribution


CD (91%) 6%

  moutaz1983 Highly Voted  11 months, 2 weeks ago


It is C-D; the timer config anyway is in seconds, not minutes.
upvoted 19 times

  raydel92 Highly Voted  3 months, 1 week ago

Selected Answer: CD

C. The number of logs generated by denied traffic is reduced.


D. A session for denied traffic is created.

FortiGate Security 7.2 Study Guide (p.69):


"During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages
generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table
and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each
new packet matching the denied session, which reduces CPU usage and log generation.
This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will
be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 6 times
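The mechanism quoted above from the study guide can be seen in a small added Python simulation (example code, not from the thread or from FortiOS): with ses-denied-traffic off, every packet of a blocked flow costs a policy lookup and a deny log; with it on, a denied session entry absorbs the rest until block-session-timer expires. The flow, the deny rule and the packet timing are constructed; the 1-300 second range is the one other posters quote for the timer.

```python
"""Constructed simulation of what ses-denied-traffic and block-session-timer
change: without a denied-session entry every packet of a blocked flow costs a
policy lookup and a deny log; with one, only the first packet (and the first
after each timer expiry) does."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Flow = Tuple[str, str, int, int, str]   # src_ip, dst_ip, src_port, dst_port, proto


def policy_decision(flow: Flow) -> str:
    """Constructed policy set: deny telnet (tcp/23), accept everything else."""
    _, _, _, dst_port, proto = flow
    return "deny" if (proto == "tcp" and dst_port == 23) else "accept"


@dataclass
class FortiGateSim:
    ses_denied_traffic: bool = False   # config system settings / set ses-denied-traffic
    block_session_timer: int = 30      # config system global / set block-session-timer (s)
    denied_sessions: Dict[Flow, float] = field(default_factory=dict)  # flow -> expiry
    policy_lookups: int = 0
    deny_logs: int = 0

    def __post_init__(self):
        if not 1 <= self.block_session_timer <= 300:   # range quoted in the thread
            raise ValueError("block-session-timer must be 1-300 seconds")

    def handle_packet(self, flow: Flow, now: float) -> str:
        # 1. Session table first: a live denied session drops the packet with no
        #    policy lookup and no new log entry.
        expiry = self.denied_sessions.get(flow)
        if expiry is not None:
            if now < expiry:
                return "dropped by denied session"
            del self.denied_sessions[flow]       # timer expired, entry removed
        # 2. No session entry: full policy lookup.
        self.policy_lookups += 1
        if policy_decision(flow) == "accept":
            return "accepted"
        self.deny_logs += 1                      # denied traffic is logged on lookup
        if self.ses_denied_traffic:
            self.denied_sessions[flow] = now + self.block_session_timer
        return "dropped by policy"


def replay(ses_denied_traffic: bool, packets: int, interval: float,
           timer: int = 30) -> Tuple[int, int]:
    """Send `packets` packets of one blocked flow, `interval` seconds apart;
    return (policy lookups, deny logs)."""
    fg = FortiGateSim(ses_denied_traffic=ses_denied_traffic, block_session_timer=timer)
    flow: Flow = ("10.0.0.5", "10.0.1.9", 40000, 23, "tcp")   # constructed blocked flow
    for i in range(packets):
        fg.handle_packet(flow, i * interval)
    return fg.policy_lookups, fg.deny_logs


if __name__ == "__main__":
    print("disabled:", replay(False, 100, 1.0))   # (100, 100)
    print("enabled: ", replay(True, 100, 1.0))    # (4, 4): lookups at t=0, 30, 60, 90
```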

  GeniusA Most Recent  14 hours, 51 minutes ago


C & D is the correct answer
upvoted 1 times

  redSTORM 3 weeks ago

Selected Answer: CD

Correct Answer: CD
upvoted 1 times

  Vic2911 3 months, 2 weeks ago


C and D are correct
upvoted 1 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: CD

FortiGate Security 7.2 Study Guide p.69


upvoted 4 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: CD

FortiGate Security 7.0 p.127


upvoted 1 times

  lucas09 3 months, 4 weeks ago

C and D are correct. This is because during the session, if a security profile detects a violation, FortiGate records the attack log immediately. To
reduce the number of log messages generated and improve performance you can use the ses-denied-traffic command; this creates a denied
session entry for <x> number of SECONDS.
upvoted 1 times

  azmiit 4 months, 1 week ago

Selected Answer: CD

C & D correct
upvoted 1 times

  AhmedZkry 5 months ago

Selected Answer: CD

Correct is C and D
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


CD

We enable denied session to be added into the session table to reduce the CPU processing due to denied session from same source/destination ip
address, port and protocol.

Solution
Below are the commands to enable denied session to be added into the session table:
#config system settings
#set ses-denied-traffic enable
#end

For optimum performance, adjust the global block-session-timer.


#config system global
#set block-session-timer <1-300> (default = <30>)
#end
upvoted 3 times

  leowulf 6 months, 2 weeks ago


C&D

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478
upvoted 2 times

  ferdi1989 6 months, 3 weeks ago


config system setting

set ses-denied-traffic enable

set block-session-timer <integer 1 – 300> (this determines how long, in seconds, the session is kept in the table)
upvoted 1 times

  joeytrib 7 months ago


Selected Answer: CD

CD is the correct answer


upvoted 1 times

  Libexec 7 months, 3 weeks ago


Selected Answer: CD

Security Page 127


upvoted 2 times

  PaulGo 8 months, 1 week ago

Selected Answer: CD

Correct C and D
upvoted 1 times

  reaz 9 months, 2 weeks ago


B&D is the correct
upvoted 2 times
Question #6 Topic 1

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on

Facebook, but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

A. Force access to Facebook using the HTTP service.

B. Make the SSL inspection a deep content inspection.

C. Add Facebook in the URL category in the security policy.

D. Get the additional application signatures required to add to the security policy.
Correct Answer: B

Community vote distribution


B (100%)

  GeniusA 14 hours, 47 minutes ago


B is the correct answer
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. Make the SSL inspection a deep content inspection.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  lakis789 2 months, 3 weeks ago


Hey raydel92,
Have you given the exam ?
upvoted 1 times

  Slash_JM 3 months, 3 weeks ago

Selected Answer: B

FortiGate Security 7.2 Study Guide p.233

FortiGate needs to perform full SSL inspection. Without full SSL inspection, FortiGate cannot inspect encrypted traffic.
upvoted 1 times

  AhmedZkry 5 months ago

Selected Answer: B

Correct is B
upvoted 2 times

  PaulGo 8 months, 1 week ago

Selected Answer: B

Correct: B
upvoted 1 times

  Miico 9 months, 2 weeks ago

Selected Answer: B

B is correct
upvoted 1 times

  santi1509 10 months ago


Selected Answer: B

It needs to perform deep inspection of the actions being taken on the Facebook page in order to be able to deny the reactions.
upvoted 3 times

  Knowledge33 3 months, 2 weeks ago


It's an English exam. You don't need to speak in Spanish. I'm French but speak in English. If you cannot, please don't leave comments.
upvoted 4 times

  DanteHn 2 months, 3 weeks ago


It's useful for non-English speakers; even if the test is in English, the Spanish translation gives context to the answer.
upvoted 2 times

  [Removed] 10 months, 1 week ago

Selected Answer: B

B is correct

Because the SSL Inspection is set to Certificate-Inspection, it must be set to Deep-inspection


upvoted 1 times

  zeebo340 11 months, 2 weeks ago


Answer is B -

They can play video (tick) content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.

This indicates that the rules are partially working, as they can watch video but can't react, i.e. liking the content. So it must be an issue with the SSL
inspection rather than adding an app rule.
upvoted 4 times

  mohdroos1 11 months, 3 weeks ago

Selected Answer: B

needs ssl full inspection


upvoted 2 times
Question #7 Topic 1

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is

not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

A. Change the csf setting on ISFW (downstream) to set configuration-sync local.

B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

C. Change the csf setting on both devices to set downstream-access enable.

D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Correct Answer: D

Community vote distribution


C (56%) D (44%)

  Equiano Highly Voted  9 months ago

Selected Answer: D

The correct answer is D. When both devices are configured with set downstream-access-disable (answer in C) then the newly created address
objects are still replicated. However, when I configure the root with set fabric-object-unification local the address object is no longer replicated to
the downstream FortiGates. I believe that the Exhibit B is wrong!
upvoted 9 times

  JakubCh Highly Voted  5 months ago

Selected Answer: C

D - not correct
Fortigate Security guide 7.2 - page 434
The CLI command "set fabric-object-unification" is only available on the root FortiGate.
upvoted 7 times

  GeniusA Most Recent  14 hours, 25 minutes ago


Option C is the correct answer
upvoted 1 times

  piipo 3 weeks, 1 day ago

Selected Answer: C

Answer C is correct.
upvoted 1 times

  SpikeDad 4 weeks, 1 day ago


Answer C is correct. From the study guide "If object synchronisation is disabled on the root Fortigate, using the command 'set fabric-object
disable', firewall addresses and address groups will not be synchronised to downstream Fortigate devices."
The question states that the admin created an address object on the root, so it won't be synchronised.
upvoted 2 times

  wwwwaaaa 1 month, 1 week ago

Selected Answer: C

A is wrong, "if set configuration-sync is set to local, the downstream device does not participate in synchronization"
B wrong, as the connection has been established and no need to authenticate
D is wrong, the command is already there on the root
C is the only one left
upvoted 1 times

  LAFNELL 1 month, 3 weeks ago


I think neither D nor C is correct. Don't forget the fabric-object-unification command is configured on a downstream device and not on the root
FortiGate. It could be correct if there were a proposed answer like: "Change the csf settings on ISFW by set fabric-object-unification default"
upvoted 1 times

  keshzy 1 month, 3 weeks ago


C - Correct. C stands for correct. jk. This is tricky just because D is already enabled by default, and it is actually given in this scenario that it is already
enabled. Clearly C, because look at this statement in exhibit B on the root side: "set fabric-object disable". This needs to be changed to enable. ^_^
upvoted 1 times

  Possa 2 months ago


Selected Answer: C

Fortigate Security guide 7.2 - page 434


upvoted 1 times

  ake01 2 months, 3 weeks ago


D - Correct. To synchronize the address object created on the root FortiGate (Local-FortiGate) with the downstream FortiGate (ISFW), the
administrator must ensure that the fabric-object-unification setting on the root FortiGate is set to "default". This setting allows the downstream
device to synchronize objects from the root FortiGate. When set to local, the device does not synchronize objects from the root but will still
participate in sending the synchronized object downstream. Therefore, the correct answer is: D. Change the csf setting on Local-FortiGate (root) to
set fabric-object-unification default. Exhibit B is wrong.
upvoted 2 times

  skyvahaerie 1 week ago


I had this question in my exam today (12/12/23) and can tell you the exhibit B is NOT wrong. 100% identical to the exam question. Therefore C
must be the correct answer.
upvoted 2 times

  talos_2002 2 months, 3 weeks ago

Selected Answer: C

D is already default, as it should. Fortinet has a good example with explanation:


https://docs.fortinet.com/document/fortigate/6.4.0/new-features/520820/improvements-to-synchronizing-objects-across-the-security-fabric-6-4-
4

C is right, though enabling only to the root FGT is enough:


https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/148620/config-system-csf
upvoted 1 times

  batman123 2 months, 3 weeks ago


D is correct
upvoted 1 times

  netwkguy99 2 months, 3 weeks ago

Selected Answer: D
On the config output set fabric-object-unification is set to local, which means the device does not synchronize objects from the root but will send
the synchronized objects downstream. So it must be changed back to default (which is the default setting) and Global CMDB objects will be
synchronized in the Security Fabric.

https://www.coursehero.com/file/p6s6q0dr/An-administrator-creates-a-new-address-object-on-the-root-FortiGate-Local/
upvoted 1 times

  Nabled 2 months, 3 weeks ago

Selected Answer: D

As others have said, the Exhibit B looks to be wrong.


If fabric-object-unification is enabled, it should allow for the synchronization of objects to downstream devices even if downstream-access is
disabled. The downstream-access setting would prevent the downstream devices from accessing or pulling other configurations and data from
the root, but it wouldn't prevent the automatic synchronization of objects due to the fabric-object-unification setting.
It's a bit confusing because the downstream-access command makes it seem like it would prevent this and the documentation isn't very clear on
this either, but the default is to be disabled and object synchronization will still work.
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: D

D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Exhibit B is wrong, check the same question from previous exam version:
https://www.examtopics.com/exams/fortinet/nse4_fgt-70/view/5/

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: D

FortiGate Security 7.2 Study Guide p.434

The correct answer is D. Exhibit B is wrong. It should say "set fabric-object-unification local", which will cause the problem described. None of the
other choices fix the problem.
upvoted 2 times

  lucas09 3 months, 4 weeks ago


I think they meant to say root fortigate for Answer D Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default. If this
is the case then the correct answer is D. However, the answer would be C in this scenario. FortiGate Security 7.2 Study Guide pg 434
upvoted 2 times
Question #8 Topic 1

Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage

thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

A. FortiGate will start sending all files to FortiSandbox for inspection.

B. FortiGate has entered conserve mode.

C. Administrators cannot change the configuration.

D. Administrators can access FortiGate only through the console port.

Correct Answer: BD

Community vote distribution


BC (96%) 4%

  Spago Highly Voted  11 months, 2 weeks ago


B. FortiGate has entered conserve mode.
C. Administrators cannot change the configuration.

Based on the system performance output, it appears that FortiGate has entered conserve mode and administrators cannot change the
configuration.

FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational capacity in order to conserve resources
and improve performance. This may be necessary if the system is experiencing high levels of traffic or if there are issues with resource utilization.

Administrators cannot change the configuration: When the system is in conserve mode, administrators may not be able to change the
configuration. This is because the system is prioritizing resource conservation over other activities, and making changes to the configuration may
require additional resources that are not available.

It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and administrators may still be able to access
FortiGate through other means besides the console port.
upvoted 11 times

  GeniusA Most Recent  14 hours, 21 minutes ago


Option BC is the correct answer
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: BC

B. FortiGate has entered conserve mode.


C. Administrators cannot change the configuration.
FortiGate Infrastructure 7.2 Study Guide (p.367-368):
"If memory usage goes above the percentage of total RAM defined as the red threshold, FortiGate enters conserve mode."
"FortiGate does not accept configuration changes, because they might increase memory usage."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: BC

FortiGate Infrastructure 7.2 Study Guide p.367-368

If the memory usage goes above the percentage defined as the red threshold, the FortiGate enters conserve mode. While in conserve mode, the
system configuration cannot be changed and it skips quarantine actions (including FortiSandbox analysis).
upvoted 2 times

  Variant_ 4 months ago


Selected Answer: BC

According to FortiGate training knowledge checks, D is incorrect whereas C is correct.

Admins cannot change the configuration when the FortiGate is in conserve mode.
upvoted 1 times

  AhmedZkry 5 months ago


Selected Answer: BC

Correct is B and C
upvoted 2 times

  erawemk 5 months, 2 weeks ago

Selected Answer: BC

FortiGate_Infrastructure_7.2_Study_Guide page 367


upvoted 4 times

  AgentSmith 5 months, 3 weeks ago


BC is the correct answer!
upvoted 1 times

  joeytrib 7 months ago


BC is the correct answer
upvoted 1 times

  Akash10 8 months, 1 week ago


Page 368, answer BC
upvoted 3 times

  PaulGo 8 months, 1 week ago


Selected Answer: BC

Infrastructure page 383


upvoted 2 times

  santi1509 10 months ago


Selected Answer: BD

When the FortiGate reaches the configured memory threshold it enters conserve mode; its configuration can only be changed by the administrator
from the console.
upvoted 1 times

  BoostBoris 10 months, 1 week ago

Selected Answer: BC

What actions does FortiGate take to preserve memory while in conserve mode?
• FortiGate does not accept configuration changes, because they might increase memory usage.
• FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.
• You can configure the fail-open setting under config ips global to control how the IPS engine
behaves when the IPS socket buffer is full.
upvoted 2 times

  kosta_georgiev 10 months, 3 weeks ago

Selected Answer: BC

Link to conserve mode explainer - https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580


upvoted 2 times

  walter_rcp 11 months ago

Selected Answer: BC

BC are correct.


upvoted 2 times

  Spyder_Byte 11 months, 1 week ago

Selected Answer: BC

A: wrong because fortinet skips sandboxing


C: correct; no config changes possible to prevent increasing memory usage
upvoted 1 times

  Rich_Man_Rich 11 months, 2 weeks ago


B- Memory used is 90% and from 88% to 95% is conserve mode
C- When FGT has entered conserve mode it is inaccessible, so administrators cannot do anything to it
upvoted 2 times
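The thresholds discussed in this thread, as an added example (not FortiOS code or study-guide material): a small model of how memory usage drives conserve mode, including the hysteresis between the red (enter) and green (leave) thresholds, plus a parser for the used-memory percentage in a constructed `get system performance status` sample; the threshold defaults are the FortiOS `config system global` defaults, everything else is assumed.

```python
import re

# FortiOS defaults under `config system global` (percent of total RAM).
MEMORY_USE_THRESHOLD_GREEN = 82    # conserve mode ends once usage drops below this
MEMORY_USE_THRESHOLD_RED = 88      # conserve mode starts once usage rises above this
MEMORY_USE_THRESHOLD_EXTREME = 95  # above this, new sessions are dropped as well


class ConserveModeModel:
    """Tracks conserve-mode state the way the study guide describes it:
    enter above red, leave only below green, drop new sessions above extreme."""

    def __init__(self, green=MEMORY_USE_THRESHOLD_GREEN, red=MEMORY_USE_THRESHOLD_RED,
                 extreme=MEMORY_USE_THRESHOLD_EXTREME):
        if not green < red < extreme:
            raise ValueError("thresholds must satisfy green < red < extreme")
        self.green, self.red, self.extreme = green, red, extreme
        self.in_conserve_mode = False
        self.extreme_mode = False

    def update(self, memory_used_pct):
        """Feed one memory-usage sample and return the resulting conserve-mode state."""
        if memory_used_pct > self.red:
            self.in_conserve_mode = True
        elif memory_used_pct < self.green:
            self.in_conserve_mode = False
        # Between green and red nothing changes: this hysteresis is why a device
        # reading 85% can still be in conserve mode after a spike to 90%.
        self.extreme_mode = self.in_conserve_mode and memory_used_pct > self.extreme
        return self.in_conserve_mode

    def config_changes_accepted(self):
        """Answer C: FortiGate refuses configuration changes while in conserve mode."""
        return not self.in_conserve_mode

    def fortisandbox_forwarding(self):
        """Answer A is the opposite of what happens: quarantine actions, including
        forwarding suspicious files to FortiSandbox, are skipped in conserve mode."""
        return not self.in_conserve_mode

    def new_sessions_accepted(self):
        """Above the extreme threshold FortiGate stops accepting new sessions."""
        return not self.extreme_mode


def parse_memory_pct(perf_status_output):
    """Pull the used-memory percentage out of `get system performance status`
    output. The line layout assumed here is that of the constructed sample below."""
    m = re.search(r"Memory:.*?used \((\d+(?:\.\d+)?)%\)", perf_status_output)
    if m is None:
        raise ValueError("no memory usage line found")
    return float(m.group(1))


# Constructed sample standing in for the exhibit's system performance output.
SAMPLE_PERF_STATUS = """\
CPU states: 5% user 3% system 0% nice 92% idle 0% iowait 0% irq 0% softirq
Memory: 2048112k total, 1843300k used (90.0%), 204812k free (10.0%)
Average network usage: 1234 / 987 kbps in 1 minute, 1100 / 900 kbps in 10 minutes
"""


def evaluate_exhibit(perf_status_output=SAMPLE_PERF_STATUS):
    """Run the sample output through the model with default thresholds."""
    model = ConserveModeModel()
    used = parse_memory_pct(perf_status_output)
    model.update(used)
    return {
        "memory_used_pct": used,
        "conserve_mode": model.in_conserve_mode,                     # answer B
        "config_changes_accepted": model.config_changes_accepted(),  # answer C is "no"
        "fortisandbox_forwarding": model.fortisandbox_forwarding(),  # answer A is "no"
        "new_sessions_accepted": model.new_sessions_accepted(),
    }


if __name__ == "__main__":
    print(evaluate_exhibit())
```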
Question #9 Topic 1

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

A. The debug flow is for ICMP traffic.

B. The default route is required to receive a reply.

C. A new traffic session was created.

D. A firewall policy allowed the connection.

Correct Answer: AC

Community vote distribution


AC (93%) 7%

  GeniusA 14 hours, 16 minutes ago


Option AC is the correct answer
upvoted 1 times

  Ygrec 1 month, 3 weeks ago

Selected Answer: AC

AC
100%
upvoted 1 times

  Sfeleka 2 months ago


Selected Answer: AC

A, C are the correct answers


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: AC

A. The debug flow is for ICMP traffic.


C. A new traffic session was created.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: AC

FortiGate Infrastructure 7.2 Study Guide p.358


upvoted 2 times

  rian00z_ 4 months ago

Selected Answer: AC

Correct answers
upvoted 1 times

  alejandrofern43 4 months, 2 weeks ago

Selected Answer: AC

ICMP proto 1
New session
upvoted 1 times

  santi1509 7 months, 2 weeks ago


Selected Answer: AC

ICMP proto: 1
new session
upvoted 1 times

  Libexec 7 months, 3 weeks ago

Selected Answer: AC

proto = 1 = ICMP
"allocate a new session...."
upvoted 1 times

  Akash10 8 months, 1 week ago


Selected Answer: AC

Correct answers
upvoted 1 times

  PaulGo 8 months, 1 week ago


Selected Answer: AC

Answer correct!
upvoted 1 times

  santi1509 10 months ago


Selected Answer: BC

When a new session is created, you have to check whether there are problems in the data transmission.
upvoted 1 times

  tattybizzy 11 months, 1 week ago


AC. CORRECT
ICMP proto = 1
New session
upvoted 3 times

  tscholz 11 months, 1 week ago

Selected Answer: AC

A & C correct
upvoted 1 times

  indunil75 11 months, 2 weeks ago


AC is right
upvoted 1 times

  chromevandium11 11 months, 2 weeks ago

Selected Answer: AC

AC is correct.
upvoted 1 times
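The "proto=1" and "allocate a new session" clues several commenters point to, as an added example (not the exhibit and not FortiOS code): a parser for `diagnose debug flow` trace lines that derives the protocol, session allocation, route and policy verdict; both trace samples below are constructed to resemble FortiOS 7.2 output, and the field names are assumptions.

```python
import re

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# Constructed sample: a ping from a LAN host to an internet address, allowed by policy 1.
SAMPLE_TRACE = """\
id=20085 trace_id=3 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 10.0.1.10:1->8.8.8.8:2048) from port3. type=8, code=0, id=1, seq=1."
id=20085 trace_id=3 func=init_ip_session_common line=5923 msg="allocate a new session-0000128a"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-10.200.1.254 via port1"
id=20085 trace_id=3 func=fw_forward_handler line=830 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=3 func=__ip_session_run_tuple line=3556 msg="SNAT 10.0.1.10->10.200.1.1:62464"
"""

# Constructed sample: a telnet attempt that hits the implicit deny (policy 0).
DENY_TRACE = """\
id=20085 trace_id=7 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 10.0.1.10:51234->198.51.100.5:23) from port3. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=7 func=init_ip_session_common line=5923 msg="allocate a new session-0000131f"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-10.200.1.254 via port1"
id=20085 trace_id=7 func=fw_forward_handler line=861 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$')
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.")


def parse_trace(text):
    """Split a debug flow trace into one dict per line (id, trace, func, line, msg)."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised debug flow line: {raw}")
        entries.append(m.groupdict())
    return entries


def summarise_flow(text):
    """Derive the facts one trace supports: protocol, new session, route, verdict, SNAT."""
    s = {"protocol": None, "src": None, "dst": None, "ingress": None,
         "new_session": False, "session_id": None, "route": None,
         "policy": None, "action": None, "snat": None}
    for e in parse_trace(text):
        msg = e["msg"]
        pkt = PKT_RE.search(msg)
        if pkt:
            proto = int(pkt["proto"])
            s["protocol"] = PROTO_NAMES.get(proto, f"proto-{proto}")
            s["src"], s["dst"], s["ingress"] = pkt["src"], pkt["dst"], pkt["iface"]
        elif msg.startswith("allocate a new session-"):
            s["new_session"] = True
            s["session_id"] = msg.rsplit("-", 1)[1]
        elif msg.startswith("find a route:"):
            s["route"] = msg[len("find a route: "):]
        elif msg.startswith("Allowed by Policy-"):
            s["action"] = "accept"
            s["policy"] = int(re.search(r"Policy-(\d+)", msg).group(1))
        elif msg.startswith("Denied by forward policy check"):
            s["action"] = "deny"
            pm = re.search(r"policy (\d+)", msg)
            s["policy"] = int(pm.group(1)) if pm else None
        elif msg.startswith("SNAT "):
            s["snat"] = msg[len("SNAT "):]
    return s


def question_conclusions(text):
    """Map a trace onto the question's options; D only holds when the trace
    actually contains a policy verdict line, which the exhibit may not show."""
    s = summarise_flow(text)
    return {"A_icmp_traffic": s["protocol"] == "ICMP",
            "C_new_session_created": s["new_session"],
            "D_policy_allowed": s["action"] == "accept"}


if __name__ == "__main__":
    print(summarise_flow(SAMPLE_TRACE))
    print(question_conclusions(DENY_TRACE))
```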
Question #10 Topic 1

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static

IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

A. 192.168.2.0/24

B. 192.168.0.0/8

C. 192.168.1.0/24

D. 192.168.3.0/24

Correct Answer: C

Community vote distribution


A (96%) 4%

  Spago Highly Voted  11 months, 2 weeks ago


A. 192.168.2.0/24

For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the
remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach
the 192.168.2.0/24 subnet at site B.

To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the
same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at
site B to reach the 192.168.1.0/24 subnet at site A.

Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.
upvoted 14 times

  GeniusA Most Recent  14 hours, 12 minutes ago


Option A is the correct answer
upvoted 1 times

  hebdeb 2 months ago

Selected Answer: A

The opposite of site A


upvoted 1 times

  Sfeleka 2 months ago


Selected Answer: A

A is the correct answer


upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: A

A. 192.168.2.0/24

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Vic2911 3 months, 2 weeks ago

Selected Answer: A

Correct answer is A
upvoted 1 times

  Slash_JM 3 months, 3 weeks ago

Selected Answer: A

192.168.2.0/24
upvoted 1 times

  alejandrofern43 4 months, 4 weeks ago

Selected Answer: A

If you configure A first, setting a local and a remote selector, you must copy the same thing on B, but inverted.
upvoted 2 times
  erawemk 5 months, 2 weeks ago

Selected Answer: A

SiteA: local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24
SiteB: local quick mode selector is 192.168.2.0/24 and the remote quick mode selector is 192.168.1.0/24
This is set to make a working Phase 2 VPN configuration, the tricky words are local and SiteB
upvoted 3 times

  AgentSmith 5 months, 3 weeks ago


A. 192.168.2.0/24
upvoted 1 times

  umairmasood 6 months, 2 weeks ago


A. is valid
upvoted 1 times

  Danny_B 6 months, 4 weeks ago

Selected Answer: A

Has to be mirrored
upvoted 1 times

  Calgon_TakeMeAway 7 months ago


Am I missing something here? Site A says the local selector is 192.168.1.0, making site B the remote site, which is 192.168.2.0.

This logic must flip when considering site B, which now becomes the local site, 192.168.2.0. This means the remote site must now become Site A,
192.168.1.0
upvoted 1 times

  Calgon_TakeMeAway 7 months ago


-Update- I _was_ missing something, that last bit which asked about the local selector for Site B, not the remote site. -_-;
upvoted 2 times

  Akash10 8 months, 1 week ago

Selected Answer: A

Correct Answer.
upvoted 1 times

  PaulGo 8 months, 1 week ago

Selected Answer: A

By the direction of the traffic, it is A


upvoted 1 times

  Rewrock 8 months, 3 weeks ago


Gotta be A
upvoted 1 times

  Equiano 9 months ago


Selected Answer: A

192.168.2.0/24 is the remote on site A so logically it should be the local on site B


upvoted 2 times
Question #11 Topic 1

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A. The client FortiGate requires a manually added route to remote subnets.

B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

Correct Answer: BC

Community vote distribution


CD (89%) 11%

  raydel92 3 months, 1 week ago

Selected Answer: CD

C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

FortiGate Infrastructure 7.2 Study Guide (p.200):


"The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type"
"The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  netwkguy99 2 months, 3 weeks ago


What if they are using Web Mode SSL VPN?
upvoted 1 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: CD

FortiGate Infrastructure 7.2 Study Guide p.200


upvoted 2 times

  darkstar15 5 months ago


C and D
In Security, for tunnel mode - FortiGate as client:
Requires proper CA certificate on the SSL VPN server FortiGate.
Use SSL VPN Tunnel interface type.
upvoted 1 times

  umairmasood 6 months, 2 weeks ago


C and D
upvoted 1 times

  Danny_B 6 months, 4 weeks ago

Selected Answer: CD

7.2 SEC 200


upvoted 2 times

  Danny_B 6 months, 4 weeks ago


correction 7.2 INF 200
upvoted 4 times

  PaulGo 8 months, 1 week ago


Selected Answer: CD

Security pag 582

This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user uses PSK and a PKI client certificate to
authenticate. The FG devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

link: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/508779/fortigate-as-ssl-vpn-client

The SSL VPN server has a custom server certificate defined, and the SSL VPN client user uses PSK and a PKI client certificate to authenticate. The
FortiGates must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
upvoted 2 times
  santi1509 9 months, 4 weeks ago

Selected Answer: BC

The client must install the authentication software on its local machine, which is responsible for establishing the HA signature; this is sent to
the FortiGate, which stores the HA certificate. Every time a connection or request is made, the FortiGate compares the two certificates and, if they
match, lets the request through.
upvoted 2 times

  spiku 4 months ago


No matter when you read Santi, unfortunately he's always wrong. Seems done on purpose.
upvoted 3 times

  D1360_1304 4 months, 1 week ago


He always puts the answers wrong
upvoted 4 times

  IckoPCNSE 9 months, 3 weeks ago


So you mean CD are the correct answers right ?
upvoted 1 times

  Malamba 9 months, 2 weeks ago


Yeah CD are correct
upvoted 1 times

  BoostBoris 10 months, 1 week ago


Selected Answer: CD

C: This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user uses PSK and a PKI client certificate to
authenticate. The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the
certificate.
D: The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.
upvoted 1 times

  leadac 10 months, 3 weeks ago

Selected Answer: CD

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/508779/fortigate-as-ssl-vpn-client

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.
The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
upvoted 3 times

  chiheb 11 months, 2 weeks ago

Selected Answer: CD

C and D are the right answers.


upvoted 1 times

  Spago 11 months, 2 weeks ago


Selected Answer: CD

C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

To establish an SSL VPN connection between two FortiGate devices, the following two settings are required:

The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate will use a CA (Certificate Authority)
certificate to verify the client FortiGate certificate, ensuring that the client device is trusted and allowed to establish an SSL VPN connection.

The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: The client FortiGate must have an SSL VPN tunnel interface
type configured in order to establish an SSL VPN connection. This interface type will be used to connect to the server FortiGate over the SSL VPN.
upvoted 2 times
Question #12 Topic 1

Which statement correctly describes the use of reliable logging on FortiGate?

A. Reliable logging is enabled by default in all configuration scenarios.

B. Reliable logging is required to encrypt the transmission of logs.

C. Reliable logging can be configured only using the CLI.

D. Reliable logging prevents the loss of logs when the local disk is full.

Correct Answer: D

Community vote distribution


B (69%) D (25%) 6%

  RCouto Highly Voted  9 months, 3 weeks ago

Selected Answer: B

NSE4 - Security Training 7.2 - Study Guide, page 191.


"If using reliable logging, you can encrypt communications using SSL-secured OFTP. "
upvoted 14 times

  Moe1416 8 months ago


Page 192 as I just checked
upvoted 8 times

  leadac Highly Voted  10 months, 3 weeks ago

Selected Answer: B

Reliable logging changes the log transport delivery from UDP to TCP. Then, only if you are using Reliable logging, you can do encryption.

NSE 4 training 7.2 training material: Fortigate Security: 05.Logging and Monitoring: Page 22, Reliable logging and OFTPs
upvoted 10 times

  ChinkSantana 10 months, 2 weeks ago


Correct. Reliable Logging changes the delivery method from UDP to TCP, as TCP provides reliable data transfer, guaranteeing that the transferred
data remains intact and arrives in the same order in which it was sent.
upvoted 4 times

  moutaz1983 Most Recent  1 week, 5 days ago


Encryption does not require reliable logging. The correct answer is C: reliable logging can only be configured by CLI.
upvoted 1 times

  Satekhi 2 weeks, 3 days ago


The correct statement regarding reliable logging on FortiGate is:

D. Reliable logging prevents the loss of logs when the local disk is full.

Reliable logging helps ensure that logs are not lost even when the local disk reaches its capacity by offloading and storing them in another location
or system.

Option B states: "Reliable logging is required to encrypt the transmission of logs."

This statement is not accurate regarding reliable logging on FortiGate. Reliable logging primarily focuses on ensuring logs are not lost due to disk
space constraints, rather than specifically encrypting log transmissions. Encryption of log transmissions would typically be handled through other
means such as secure protocols or encryption settings, not directly tied to reliable logging functionality.
upvoted 1 times

  redSTORM 3 weeks ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  skyvahaerie 4 weeks, 1 day ago

Selected Answer: D

As encryption is an optional feature and this course is about FGT - 7.2, I would argue that D is the answer they are aiming at.
Fortigate Security 7.2 Study Guide, p. 192:
When both FortiGate and FortiAnalyzer are running version 7.2 or later, and reliable logging is configured, FortiGate keeps logs in a confirm queue
until it verifies those logs were received by FortiAnalyzer. This is achieved by using sequence numbers (seq_no) to track the logs received. FortiOS
periodically queries FortiAnalyzer for the latest seq_no of the last log received, and clears logs from the confirm queue up to the seq_no.
upvoted 1 times
  Igor_Mioralli 1 month, 2 weeks ago

Selected Answer: D

Encryption is OPTIONAL , so the answer is D, the main reason you would allow Reliable logs is to prevent log loss, so it is RELIABLE in the case of a
failure. Encryption is to SECURE the logs not to make it RELIABLE :

reliable
/rɪˈlʌɪəbl/
adjective
consistently good in quality or performance; able to be trusted.
"a reliable source of information"

Source :
https://docs.fortinet.com/document/fortigate/7.2.0/new-features/942202/improve-fortianalyzer-log-caching#:~:text=Improve%20FortiAnalyzer%20log%20caching,seq_no%20to%20track%20received%20logs
upvoted 1 times

  DanteHn 2 months, 3 weeks ago


Selected Answer: D

NSE4 - Security Training 7.2 - Study Guide, page 192.
"Selected Answer: B
NSE4 - Security Training 7.2 - Study Guide, page 191."
Answer: D.
NSE4 - Security Training 7.2 - Study Guide, page 192.
"When both FortiGate and FortiAnalyzer are running version 7.2 or later, and reliable logging is configured, FortiGate keeps logs in a confirm queue
until it verifies those logs were received by FortiAnalyzer.
OPTIONALLY, if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it
is safely transmitted across an unsecure network."
upvoted 4 times

  netwkguy99 2 months, 3 weeks ago


I could be wrong here, but I think the question is asking what describes the correct use, meaning what is the main function of reliable logging.
Wouldn't that be preventing loss of logs when the disk is full by sending them to the Analyzer, making D correct?
upvoted 3 times

  raydel92 3 months, 1 week ago


Selected Answer: B

B. Reliable logging is required to encrypt the transmission of logs.

FortiGate Security 7.2 Study Guide (p.192):


"if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely
transmitted across an unsecure network. You can choose the level of SSL protection used by configuring the enc-algorithm setting on the CLI."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Garry_G 3 months, 2 weeks ago


Found this example for encrypted transmission to FAZ/FMG ...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Encrypt-logs-sent-to-FortiAnalyzer-FortiManager/ta-p/192021

Sample config CLI shows "set reliable enable" along with "set enc-algorithm" command ... so B seems to be correct
upvoted 1 times

  Slash_JM 3 months, 3 weeks ago

Selected Answer: B

FortiGate Security 7.2 Study Guide p.192

If using reliable logging ("set reliable enable"), then you have the option to encrypt communications using OFTPS ("set enc-algorithm").
upvoted 3 times

  PaoloR 3 months, 3 weeks ago

Selected Answer: B

Reliable must be enabled to set enc-algorithm


upvoted 1 times

  lucas09 3 months, 4 weeks ago


Both B and D are correct. Reliable logging uses OFTP to encrypt logs and it does prevent the loss of logs by allowing the use of upload logs. This
likely breaks the answer down to which one best describes its use, which I would say is answer B, because reliable logging's main purpose is to
provide reliable logs. It uses sequence numbers to confirm the delivery of logs to the log server and encrypts them with OFTP.
upvoted 1 times

  rian00z_ 4 months ago

Selected Answer: B
Correct answer
upvoted 1 times

  Emiaj23 4 months, 2 weeks ago


The answer is D as you can see in https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/942202/fortianalyzer-log-caching
upvoted 2 times

  ngura 3 months, 3 weeks ago


No. It only says this:
Reliable logging to FortiAnalyzer prevents lost logs when the connection between FortiOS and FortiAnalyzer is disrupted.
upvoted 1 times

  KHALEDMAG 5 months, 3 weeks ago


The correct statement is D. Reliable logging prevents the loss of logs when the local disk is full.

Reliable logging is a feature that stores log messages in a buffer on the FortiGate until they can be written to the local disk. This helps to prevent
the loss of log messages if the local disk becomes full. Reliable logging is not enabled by default, and it can be configured using the CLI or the
FortiGate web interface.

The other statements are incorrect:

Reliable logging is not enabled by default in all configuration scenarios. It must be enabled explicitly.
Reliable logging is not required to encrypt the transmission of logs. Encryption can be configured separately.
Reliable logging can be configured using the CLI or the FortiGate web interface.
upvoted 3 times
Question #13 Topic 1

Refer to the exhibits.

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

A. 10.200.1.1

B. 10.0.1.254

C. 10.200.1.10

D. 10.200.1.100

Correct Answer: D

Community vote distribution


D (85%) C (15%)

  GeniusA 13 hours, 22 minutes ago


Option D is the correct answer
upvoted 1 times

  Ygrec 1 month, 3 weeks ago

Selected Answer: D

Because it uses the IP POOL range from LAN to WAN


upvoted 1 times

  1239944 2 months, 3 weeks ago

Selected Answer: D

FortiOS 7.2 Study Guide Page 110:


"(Step 2): FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped
address in the VIP, provided the matching firewall policy has NAT enabled"
"Note that you can override the behavior described in step 2 by using an IP pool"
upvoted 3 times

  itzuy06 3 months ago


Selected Answer: D

D. 10.200.1.100
upvoted 2 times

  raydel92 3 months, 1 week ago


Selected Answer: D

D. 10.200.1.100

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  Garry_G 3 months, 2 weeks ago


I know that in some situations, the VIP IP is used for SNAT, but are never sure what the requirements are for that to happen ... :( I tried the setup on
our live system, but the firewall kept using the NAT pool instead of the VIP NAT
upvoted 1 times

  spydog 2 months, 3 weeks ago


The VIP external IP will be used for source NAT of outbound traffic when the traffic matches a policy with NAT enabled for the egress interface.

If outbound traffic matches a rule with NAT enabled and an IP pool configured, the traffic will use the IP pool external IP.
Basically, SNAT priority from high to low will be:
1) IP pool
2) VIP IP
3) SNAT egress interface
upvoted 3 times

  Slash_JM 3 months, 3 weeks ago

Selected Answer: D

FortiGate Security 7.2 Study Guide p.97-98


upvoted 1 times

  rian00z_ 4 months ago

Selected Answer: C

Correct answer: C. 10.200.1.10.


In the battle field, I observed this behavior related on article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947?externalID=FD44529:

- The second Firewall policy will activate the VIP so that its external IP address can be used to perform SNAT when the HOST generates traffic
towards the Internet.
- Internet Traffic from internal network will be allowed by first firewall policy for SNAT with VIP's external IP address.
upvoted 3 times

  spydog 2 months, 3 weeks ago


That is correct when outbound traffic is matching rule with SNAT using egress interface.
When SNAT is configured to use IP Pool, this will override the VIP IP external address.
upvoted 1 times

  Mboweni 6 months, 2 weeks ago


D is the correct answer
upvoted 1 times
  Danny_B 6 months, 4 weeks ago

Selected Answer: D

7.2 SEC 97-98


upvoted 1 times

  fc8 7 months, 3 weeks ago


https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947?externalID=FD44529
upvoted 1 times

  Equiano 9 months ago

Selected Answer: D

The question says SNAT, so the only correct answer here (looking at the IP Pool) is D
upvoted 1 times

  danieldelgado 9 months, 1 week ago


I correct my answer to D, because the VIP has port forwarding enabled plus the outgoing policy has an IP pool enabled
upvoted 1 times

  danieldelgado 9 months, 2 weeks ago


Correct answer is C because the VIP is a static NAT and it takes precedence over the NAT overload of the IP pool
upvoted 1 times

  santi1509 10 months ago

Selected Answer: D

This is the address that receives all the traffic


upvoted 1 times

  foobarasdf123 10 months, 1 week ago

Selected Answer: D

D is correct. If the IP Pool would not have been set on the egress Policy C would have been the correct answer due to default VIP behaviour in
SNAT
upvoted 1 times

  BoostBoris 10 months, 1 week ago


Selected Answer: D

From LAN to WAN, the Source NAT will use the IPPOOL with address configured 10.200.1.100
Destination NAT, from WAN to LAN, will use the VIP
upvoted 3 times
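The SNAT precedence the thread converges on (IP pool, then VIP external IP, then egress interface address), as an added example that is not FortiOS code or the exhibit: a small model of the two policies from the question. The interface addresses come from the question text; the IP pool and VIP values are taken from the answer options and are constructed, as are the policy and object names.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class VIP:
    name: str
    extip: str       # external (WAN-side) address
    mappedip: str    # internal host the VIP maps to


@dataclass
class IPPool:
    name: str
    startip: str
    endip: str


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: str                  # "all" or a network such as "10.0.1.0/24"
    dstaddr: str                  # "all" or a VIP name
    nat: bool = False
    ippool: Optional[str] = None  # IP pool name when `set ippool enable` is used


@dataclass
class FortiGate:
    interfaces: dict                        # interface name -> address
    vips: dict = field(default_factory=dict)
    ippools: dict = field(default_factory=dict)
    policies: list = field(default_factory=list)

    def match_policy(self, srcintf, dstintf, src):
        """First policy, top-down, whose interfaces and source address match."""
        for p in self.policies:
            if p.srcintf != srcintf or p.dstintf != dstintf:
                continue
            if p.srcaddr == "all" or ip_address(src) in ip_network(p.srcaddr):
                return p
        return None

    def snat_address(self, srcintf, dstintf, src):
        """Address used to source-NAT `src`, or None when the policy has NAT off."""
        p = self.match_policy(srcintf, dstintf, src)
        if p is None:
            raise LookupError("no matching policy: implicit deny")
        if not p.nat:
            return None
        if p.ippool:
            # 1) An IP pool on the policy overrides everything else. This model
            #    returns the pool's first address; a real overload pool may use
            #    any address in its range.
            return self.ippools[p.ippool].startip
        for vip in self.vips.values():
            # 2) Without a pool, a host that is the mapped address of a VIP
            #    egresses with the VIP's external IP.
            if vip.mappedip == src:
                return vip.extip
        # 3) Otherwise the egress interface address is used.
        return self.interfaces[p.dstintf]


def build_exhibit(use_ippool=True, nat=True):
    """Rebuild the question's setup: LAN on port3, WAN on port1, an IP pool on
    the outbound policy and a VIP on the inbound one (names are constructed)."""
    fgt = FortiGate(interfaces={"port1": "10.200.1.1", "port3": "10.0.1.254"})
    fgt.vips["VIP-WEB"] = VIP("VIP-WEB", extip="10.200.1.10", mappedip="10.0.1.10")
    fgt.ippools["POOL-WAN"] = IPPool("POOL-WAN", "10.200.1.100", "10.200.1.100")
    fgt.policies = [
        Policy(1, "port3", "port1", "10.0.1.0/24", "all", nat=nat,
               ippool="POOL-WAN" if use_ippool else None),
        Policy(2, "port1", "port3", "all", "VIP-WEB"),
    ]
    return fgt


if __name__ == "__main__":
    print(build_exhibit().snat_address("port3", "port1", "10.0.1.10"))   # 10.200.1.100
```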
Question #14 Topic 1

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and

the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time,

the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

A. Configure a loopback interface with address 203.0.113.2/32.

B. In the VIP configuration, enable arp-reply.

C. Enable port forwarding on the server to map the external service port to the internal service port.

D. In the firewall policy configuration, enable match-vip.

Correct Answer: D

Community vote distribution


B (92%) 5%

  kosta_georgiev Highly Voted  11 months ago

Selected Answer: B

correct answer is B:

In the routing table of the ISP we can see that the route is C (connected), which means that if there is no ARP entry, traffic will be dropped by the
ISP, and this is why there are no packets in the Forti sniffer.
upvoted 24 times

  samael666 2 months, 1 week ago


You're right. Another case would be if the ISP had a static route to that subnet; in that case at least we would see traffic.
upvoted 2 times

  erawemk Highly Voted  5 months, 2 weeks ago


A. Makes no sense
B. This option is available for VIP configurations, please check page 115 of the Security study materials, so this is the correct answer
C. It is not required to solve the problem, because the firewall policy is allowing all traffic for the VIP object
D. This option is enabled only for deny policies, please check the note in https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641?externalID=FD36750
upvoted 6 times

  GeniusA Most Recent  13 hours, 17 minutes ago


Option B is the correct answer
upvoted 1 times

  Satekhi 1 week, 3 days ago


Selected Answer: B
Note that the match-vip setting is available only when the firewall policy action is set to DENY.
upvoted 1 times

  itzuy06 3 months ago


Selected Answer: B

B) In the VIP configuration, enable arp-reply.


upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: B

B. In the VIP configuration, enable arp-reply.

FortiGate Security 7.2 Study Guide (p.115):


"Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop
information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can
solve the issue for you. For this reason, it’s a best practice to keep ARP reply enabled."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 5 times

  Slash_JM 3 months, 3 weeks ago

Selected Answer: B

FortiGate Security 7.2 Study Guide p.115


upvoted 1 times

  Emiaj23 4 months, 2 weeks ago


Without any doubt the answer is B.
A, C and D make no sense.
upvoted 1 times

  itka 5 months, 3 weeks ago


C. Enable port forwarding
upvoted 1 times

  certchris 5 months, 3 weeks ago


SG Security p.115:
The ISP router has no entry in its routing table to reach the IP, only a connected route (C). So it generates ARP requests to resolve the MAC address of any
address in the destination subnet.
upvoted 1 times

  Vingador3000 8 months, 1 week ago


Selected Answer: C

C. Enable port forwarding on the server to map the external service port to the internal service port.
upvoted 2 times

  shadow2020 9 months, 3 weeks ago


The reason why it's not D:

match-vip is not allowed in firewall policies when the action is set to accept.

https://docs.fortinet.com/document/fortigate/6.4.11/fortios-release-notes/350283/enabling-match-vip-in-firewall-policies
upvoted 4 times

  santi1509 10 months ago


Selected Answer: D

With match-vip disabled, it was not going to see traffic coming from the internet because they had not connected.
upvoted 1 times

  BoostBoris 10 months, 1 week ago


Selected Answer: B

The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network
has its routing properly set. You can also enable ARP reply on the VPN (enabled by default, here disabled) to facilitate routing on the upstream
network.
upvoted 4 times

  Spyder_Byte 11 months, 1 week ago


Match-vip is only needed if the policy is using a firewall address object as the destination. In this case, we see the destination is the VIP object, so
the traffic would match either way.
upvoted 2 times
Question #15 Topic 1

Which two statements are true about the FGCP protocol? (Choose two.)

A. FGCP elects the primary FortiGate device.

B. FGCP is not used when FortiGate is in transparent mode.

C. FGCP runs only over the heartbeat links.

D. FGCP is used to discover FortiGate devices in different HA groups.

Correct Answer: AD

Community vote distribution


AC (100%)

  Spago Highly Voted  11 months, 2 weeks ago

Selected Answer: AC

A. FGCP elects the primary FortiGate device.


C. FGCP runs only over the heartbeat links.

The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA) clusters of FortiGate devices. It performs
several functions, including the following:

FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate device will be the primary device,
responsible for handling traffic and making decisions about what to allow or block. FGCP uses a variety of factors, such as the device's priority, to
determine which device should be the primary.

FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA cluster using the heartbeat links. These are
dedicated links that are used to exchange status and control information between the devices. FGCP does not run over other types of links, such
as data links.
upvoted 13 times

  GeniusA Most Recent  13 hours, 15 minutes ago


Options A and C are the correct answers.
upvoted 1 times

  Ygrec 1 month, 4 weeks ago


AC is correct
upvoted 1 times

  Kain1077 3 months ago

Selected Answer: AC

A and C are correct. Transparent mode doesn't matter here, and HA devices must be configured, not discovered.
upvoted 3 times

  raydel92 3 months, 1 week ago

Selected Answer: AC

A. FGCP elects the primary FortiGate device.


C. FGCP runs only over the heartbeat links.

FortiGate Infrastructure 7.2 Study Guide (p.292):


"FortiGate HA uses the Fortinet-proprietary FortiGate Clustering Protocol (FGCP) to discover members, elect the primary FortiGate, synchronize
data among members, and monitor the health of members.
To discover and monitor members, the members broadcast heartbeat packets over all configured heartbeat interfaces."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 4 times

  Jumpy007 2 months, 3 weeks ago


C mentions runs only over heartbeat links, which according to p. 292 isn't true.
upvoted 1 times

  Slash_JM 3 months, 3 weeks ago

Selected Answer: AC

FortiGate Infrastructure 7.2 Study Guide p.292


upvoted 1 times

  rian00z_ 4 months ago


Selected Answer: AC

A. FGCP elects the primary FortiGate device.


C. FGCP runs only over the heartbeat links.
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


A. FGCP elects the primary FortiGate device.
C. FGCP runs only over the heartbeat links.
upvoted 2 times

  Danny_B 6 months, 4 weeks ago


Selected Answer: AC

7.2 INF 292


upvoted 2 times

  joeytrib 7 months ago


Selected Answer: AC

AC are correct answers


upvoted 1 times

  exemine 9 months, 2 weeks ago


Selected Answer: AC

A and C are correct.
upvoted 1 times

  Sergio3000 10 months, 1 week ago

Selected Answer: AC

It's OK.
upvoted 1 times

  Spyder_Byte 11 months, 1 week ago

Selected Answer: AC

Agreed with others


upvoted 1 times
Question #16 Topic 1

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

D. Enable Dead Peer Detection.

Correct Answer: AD

Community vote distribution


BD (100%)

  raydel92 Highly Voted  3 months, 1 week ago

Selected Answer: BD

B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Enable Dead Peer Detection.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 5 times

  Ygrec Most Recent  1 month, 4 weeks ago


BD

The lower distance is better.


upvoted 1 times

  Slash_JM 3 months, 3 weeks ago


Selected Answer: BD

FortiGate Infrastructure 7.2 Study Guide p.276


upvoted 2 times

  rian00z_ 4 months ago

Selected Answer: BD

Answer: BD
upvoted 1 times

  Nambialagar 4 months, 2 weeks ago


Answer: BD. Study Guide: Infra: Page 276
upvoted 3 times

  mcclane654 5 months, 3 weeks ago

Selected Answer: BD

BD, as explained in the IPsec videos in the official nse4 training guide from fortinet
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


BD is the correct answer.
upvoted 1 times

  geroboamo 7 months, 1 week ago


Selected Answer: BD

B - a lower distance will be preferred for route selection


D - Dead peer detection will detect tunnel failure
upvoted 4 times

  PimplePooper 8 months ago

Selected Answer: BD

BD is the correct answer.


upvoted 1 times
  Vingador3000 8 months, 1 week ago

Selected Answer: BD

B, D is super correct.


upvoted 1 times

  PaulGo 8 months, 1 week ago

Selected Answer: BD

Correct B and D
upvoted 1 times

  Equiano 9 months ago

Selected Answer: BD

BD correct
upvoted 1 times

  Tumza2023 10 months, 1 week ago


I just wrote the NSE4 7.2 exam and I failed it. It shows that I got no answer correct on routing. I looked at these questions and answers, compared
with the official Fortinet exam, and I can see that I got the answers correct. How do I query this with Fortinet or Pearson VUE in order for my exam
to be reviewed?
my email matlala.tumelo@outlook.com
upvoted 1 times

  IckoPCNSE 9 months, 3 weeks ago


Did you use the answers given by default here(initially) or you used the answers given by the people from the comment section which (some of
them) are completely different ?
upvoted 1 times

  GeniusA 13 hours, 7 minutes ago


Should people use the ''Default answers'' or the ''Most wanted'' comment section?
upvoted 1 times

  018ea9e 2 months, 3 weeks ago


Should I pay attention to the comments? Which is the answer comment or the default one?
upvoted 1 times

  reaz 9 months, 2 weeks ago


What answer should be taken into consideration?
upvoted 1 times

  ChinkSantana 10 months, 1 week ago


Hello Sir. What practice material did you use?
upvoted 1 times

  kosta_georgiev 11 months ago

Selected Answer: BD

Correct answers are B and D

Lower distance means higher priority


DPD is used to check the status of the tunnel by sending hello packets between peers.
upvoted 2 times

  tscholz 11 months, 1 week ago

Selected Answer: BD

Lower distance = higher priority


Dead peer detection does heartbeat testing of VPN tunnels.
upvoted 3 times

  chiheb 11 months, 2 weeks ago

Selected Answer: BD

BD are correct
upvoted 2 times

  indunil75 11 months, 2 weeks ago


BD is correct
upvoted 3 times
Question #17 Topic 1

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A. FortiGate uses fewer resources.

B. FortiGate performs a more exhaustive inspection on traffic.

C. FortiGate adds less latency to traffic.

D. FortiGate allocates two sessions per connection.

Correct Answer: AC

Community vote distribution


AC (100%)

  GeniusA 12 hours, 55 minutes ago


Fewer resources and less latency.
upvoted 1 times

  Ygrec 1 month, 4 weeks ago


AC of course
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: AC

A. FortiGate uses fewer resources.


C. FortiGate adds less latency to traffic.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  Slash_JM 3 months, 2 weeks ago

Selected Answer: AC

FortiGate Security 7.2 Study Guide p.254


upvoted 2 times

  darkstar15 4 months, 4 weeks ago


FortiGate Security: flow-based mode is designed to optimize performance.
Requires fewer processing resources.
Correct: A and C.
upvoted 1 times

  PaulGo 8 months, 1 week ago

Selected Answer: AC

Correct A and C
upvoted 1 times

  Trooper44 10 months, 3 weeks ago

Selected Answer: AC

A and C are correct


upvoted 1 times

  Trooper44 10 months, 3 weeks ago


A and C are correct
upvoted 1 times

  tscholz 11 months, 1 week ago


Selected Answer: AC

A. Fewer resources, since it does not need to keep much in memory.


C. Samples traffic while it goes by, and only makes the allow or deny decision with the last packet. So the client does not have to wait on FortiGate
to scan the bulk of the packets.
upvoted 2 times

  Spago 11 months, 2 weeks ago


Selected Answer: AC

A. FortiGate uses fewer resources.


C. FortiGate adds less latency to traffic.
Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including FortiGate, to analyze network traffic. It is
designed to be more efficient and less resource-intensive than proxy-based inspection, and it offers several benefits over this approach.

Two benefits of flow-based inspection compared to proxy-based inspection are:

FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based inspection, which can help to improve the
performance of the firewall device and reduce the impact on overall system performance.

FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based inspection, which can be important for
real-time applications or other types of traffic that require low latency.
upvoted 4 times

  indunil75 11 months, 2 weeks ago


AC is correct
upvoted 3 times
Question #18 Topic 1

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A. www.example.com

B. www.example.com/index.html

C. www.example.com:443

D. example.com

Correct Answer: AB

Community vote distribution


AD (100%)

  Spago Highly Voted  11 months, 2 weeks ago

Selected Answer: AD

A. www.example.com
D. example.com

To create a web rating override for the home page of the example.com domain, the administrator must use one of the following syntaxes:

www.example.com: This syntax specifies the fully qualified domain name (FQDN) of the website, including the www subdomain. This syntax will
apply the web rating override to all pages on the website, including the home page.

example.com: This syntax specifies the root domain of the website, without the www subdomain. This syntax will also apply the web rating
override to all pages on the website, including the home page.
upvoted 17 times

  GeniusA Most Recent  12 hours, 53 minutes ago


AD are the correct options
upvoted 1 times

  stcfiras 3 months ago


A and D
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: AD

A. www.example.com
D. example.com

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Slash_JM 3 months, 2 weeks ago


Selected Answer: AD

FortiGate Security 7.2 Study Guide p.268


upvoted 1 times

  rian00z_ 4 months ago

Selected Answer: AD

A. www.example.com
D. example.com
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


A. www.example.com
D. example.com
upvoted 1 times

  Muhammadk007 6 months, 2 weeks ago

Selected Answer: AD

Correct answer
upvoted 1 times

  PaulGo 8 months, 1 week ago

Selected Answer: AD

Correct A and D
upvoted 1 times

  Rewrock 8 months, 3 weeks ago

Selected Answer: AD

AD correct
upvoted 1 times

  Equiano 9 months ago

Selected Answer: AD

AD correct
upvoted 1 times

  exemine 9 months, 2 weeks ago


Selected Answer: AD

A and D
upvoted 1 times

  RCouto 9 months, 3 weeks ago


For sure, A and D. No doubts.
upvoted 1 times

  foobarasdf123 10 months, 1 week ago

Selected Answer: AD

A and D are correct


upvoted 1 times

  Trooper44 10 months, 3 weeks ago

Selected Answer: AD

A and D are correct


upvoted 1 times

  Lolno420 11 months ago

Selected Answer: AD

The correct answer is 100% A,D


upvoted 1 times

  ka_bin 11 months, 2 weeks ago


The correct answer is 100% A,D
upvoted 2 times
Question #19 Topic 1

Refer to the exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

A. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.

B. On the Static URL Filter configuration, set Type to Simple.

C. On the Static URL Filter configuration, set Action to Exempt.

D. On the Static URL Filter configuration, set Action to Monitor.

Correct Answer: C

Community vote distribution


C (92%) 8%

  Spago Highly Voted  11 months, 2 weeks ago

Selected Answer: C

C. On the Static URL Filter configuration, set Action to Exempt.

Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has
also configured a Static URL Filter to block access to twitter.com. As a result, users are being redirected to a block page when they try to access
twitter.com.

To allow users to access twitter.com while blocking all other social networking sites, the administrator can make the following configuration
change:

On the Static URL Filter configuration, set Action to Exempt: By setting the Action to Exempt, the administrator can override the block on
twitter.com that was specified in the FortiGuard Category Based Filter. This will allow users to access twitter.com, while all other social networking
sites will still be blocked.
upvoted 8 times

  spydog Most Recent  1 month, 1 week ago

Selected Answer: C

Even though in the GUI the static URL filter is configured as part of the Web Filter profile, in the background they are separate. FortiGate will apply the
following order of inspection: 1) Static URL -> 2) FortiGuard Category Filter -> 3) Advanced Filter.
When the static URL filter is configured to allow, FGT will move to the next step and check if the URL is allowed or blocked by FortiGuard categories.
The Exempt action on the static URL filter will tell FGT to exempt this URL from other inspections, bypassing FortiGuard categories.
upvoted 3 times
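A small model of the inspection order described in this answer, added here as an illustration (constructed code, not FortiOS or Fortinet code): a static URL filter entry with action allow still falls through to the FortiGuard category filter, while exempt bypasses it. The category table, the URL filter types and their matching rules are simplified assumptions made for the demonstration.

```python
"""Model of the web filter evaluation order described above.

Constructed example, not FortiOS code. It assumes the inspection order
static URL filter -> FortiGuard category filter and the URL filter actions
allow / monitor / block / exempt with the semantics quoted from the study
guide (allow hands the URL on to the category filter, exempt bypasses it).
The category table and the URL-type matching rules are simplified
assumptions made for this demonstration.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    pattern: str
    type: str    # "simple", "wildcard" or "regex"
    action: str  # "allow", "monitor", "block" or "exempt"


# Constructed stand-in for FortiGuard ratings (domain -> category).
CATEGORY_OF = {
    "twitter.com": "Social Networking",
    "facebook.com": "Social Networking",
    "example.com": "Information Technology",
}

# Constructed category-based filter: every category not listed is allowed.
CATEGORY_ACTIONS = {"Social Networking": "block"}


def _split(url: str) -> tuple[str, str]:
    """Return (host, path) with the scheme dropped and the host lower-cased."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.lower(), parts.path or "/"


def url_entry_matches(entry: UrlEntry, url: str) -> bool:
    host, path = _split(url)
    # Assumption: an entry without a path is compared against the host only.
    target = host + path if "/" in entry.pattern else host
    if entry.type == "simple":
        return target == entry.pattern        # exact match
    if entry.type == "wildcard":
        return fnmatch.fnmatchcase(target, entry.pattern)
    if entry.type == "regex":
        return re.search(entry.pattern, target) is not None
    raise ValueError(f"unknown URL filter type {entry.type!r}")


def lookup_category(host: str) -> str:
    """Walk from the full host name outwards until a rated domain is found."""
    labels = host.split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        if domain in CATEGORY_OF:
            return CATEGORY_OF[domain]
    return "Unrated"


def evaluate(url: str, url_filter: list[UrlEntry]) -> tuple[str, str]:
    """Return (verdict, stage); verdict is 'allow' or 'block'."""
    # Stage 1: static URL filter, first matching entry wins.
    for entry in url_filter:
        if url_entry_matches(entry, url):
            if entry.action == "block":
                return "block", "static URL filter"
            if entry.action == "exempt":
                # Exempt skips the remaining inspections entirely.
                return "allow", "static URL filter (exempt)"
            break  # allow / monitor: the URL still goes to the category filter
    # Stage 2: FortiGuard category-based filter.
    host, _ = _split(url)
    category = lookup_category(host)
    verdict = "block" if CATEGORY_ACTIONS.get(category, "allow") == "block" else "allow"
    return verdict, f"FortiGuard category '{category}'"


if __name__ == "__main__":
    # The scenario in the question: Social Networking blocked, twitter.com "allowed".
    for action in ("allow", "exempt"):
        url_filter = [UrlEntry("*twitter.com", "wildcard", action)]
        for url in ("https://twitter.com/home", "https://www.facebook.com/"):
            print(action, url, evaluate(url, url_filter))
```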

  elemzy 2 months, 2 weeks ago


Why is everyone choosing C, when the URL is not a wildcard? This is a simple entry in the URL filter, so change the type to simple.
Moreover, the static URL entry is checked first, before the others. Also, exempt only means to completely trust the traffic and not pass it through other
security checks, but here it is still blocked by a web filter, meaning something is wrong with the filter definition.
upvoted 1 times

  spydog 1 month, 1 week ago


As you mentioned, the static URL filter is applied first, before the category filter.
The static URL filter has three actions: allow, block and exempt:
- If block, the page is blocked without checking categories
- If allow, the page is sent for inspection by the category filter
- If exempt, the page bypasses the category filter and is displayed to the user.
upvoted 2 times

  LAFNELL 1 month, 3 weeks ago


No, bro, it's definitely a wildcard. So I can confirm the correct answer is C.
upvoted 1 times

  aap2023 3 months ago


C, but set Action to Exempt.
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: C

C. On the Static URL Filter configuration, set Action to Exempt.

FortiGate Security 7.2 Study Guide (p.269):


"Allow: Access is permitted. Traffic is passed to remaining operations, including FortiGuard web filter, web content filter, web script filters, and
antivirus scanning.
Exempt: Allows traffic from trusted sources to bypass all security inspections."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  Vic2911 3 months, 2 weeks ago

Selected Answer: C

Correct answer is C:
Exempt: when set to exempt, the FortiGate allows the traffic and exempts the URL from all further inspection (including FortiGuard categories, which
would then block the traffic).
upvoted 2 times

  Slash_JM 3 months, 2 weeks ago

Selected Answer: C

FortiGate Security 7.2 Study Guide p.269


upvoted 2 times

  crose 3 months, 3 weeks ago


C: (if it's not exempt it will still be blocked in a later filter)
HTTP inspection order >> URL >> static URL filter (block/allow/exempt) -> FortiGate category filter (allow/block) -> advanced filters (block/allow) >>
displays page
upvoted 2 times

  pramodbs 4 months, 1 week ago


Answer is B, since the URL filter is checked before the category filter. You just have to change it to simple.
upvoted 2 times

  jlarmando85 4 months, 1 week ago


Selected Answer: B

I configured this WebFilter on a FGT in the lab and the answer is B.


You need to configure to simple to match with: twitter.com.
On the other way, URL filter is evaluated before the Category Filter, so when matches it will pass.
upvoted 2 times

  erawemk 5 months, 2 weeks ago


Selected Answer: C

A. It will allow all social networking sites, it is not correct


B. It does not help
C. Exempt does allow traffic and not inspect it
D. Monitor will allow traffic and log it, the same as the "allow" config that is not working
upvoted 2 times

  AgentSmith 5 months, 4 weeks ago


B is the answer, Simple - Allow. This rule will be hit before the Content Filter
upvoted 1 times

  felcard_debugs 8 months ago

Selected Answer: C
C is correct
upvoted 1 times

  PaulGo 8 months, 1 week ago


Selected Answer: C

Correct C
upvoted 1 times

  Equiano 9 months ago


Selected Answer: C

C is correct! Tested this in a lab environment, and to make this work as stated in the question the Exempt action is the only way to go; also
*.twimg.com will have to be added to the URL Filter with an Exempt action for this situation to really work!
upvoted 1 times

  moutaz1983 11 months, 2 weeks ago


It is correct, C. Exempt needs to be used, as even if the URL filter is configured to allow, the URL categories inspection comes after it and will block it
as well, but exempt will exempt it from later inspections.
upvoted 3 times

  jberol 11 months, 2 weeks ago


I think it is B.
upvoted 1 times
Question #20 Topic 1

Which three statements explain a flow-based antivirus profile? (Choose three.)

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B. If a virus is detected, the last packet is delivered to the client.

C. The IPS engine handles the process as a standalone.

D. FortiGate buffers the whole file but transmits to the client at the same time.

E. Flow-based inspection optimizes performance compared to proxy-based inspection.

Correct Answer: ADE

Community vote distribution


ADE (91%) 9%

  LAFNELL 1 month, 3 weeks ago

Selected Answer: ADE

D as formulated is definitely not a correct answer. FortiOS 7.2 Admin Guide, page 1086. You can read: "When a firewall policy's inspection mode is
set to flow, traffic flowing through the policy will not be buffered by the FortiGate". Below is the link:
https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/659145

So, as C is not correct either, I think there is a mistake in the formulation of answer D, which should be the correct answer.
upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: ADE

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
D. FortiGate buffers the whole file but transmits to the client at the same time.
E. Flow-based inspection optimizes performance compared to proxy-based inspection.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Vic2911 3 months, 2 weeks ago

Selected Answer: ACE

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection. (correct)
B. If a virus is detected, the last packet is delivered to the client. (Wrong, if a virus is detected the packet is dropped and a RST packet is sent to
client)
C. The IPS engine handles the process as a standalone.(since B and D are wrong, C must be correct)
D. FortiGate buffers the whole file but transmits to the client at the same time. (wrong, in flow-based inspection mode the FortiGate does not buffer
the packets, it delivers them to the client immediately. When the last packet arrives, FortiGate caches it and puts it on hold while performing AV
scanning by the AV engine)
E. Flow-based inspection optimizes performance compared to proxy-based inspection. (correct)
upvoted 1 times

  Vic2911 3 months, 2 weeks ago


I misread the D sentence. D answer is correct
upvoted 3 times

  Slash_JM 3 months, 2 weeks ago

Selected Answer: ADE

FortiGate Security 7.2 Study Guide p.350


upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


A, D and E, FortiGate Security 7.2 Study Guide Page 350
upvoted 2 times

  Danny_B 6 months, 4 weeks ago

Selected Answer: ADE

7.2 SEC 350


upvoted 2 times

  PaulGo 8 months, 1 week ago


Selected Answer: ADE

Correct answer is A, D, E
upvoted 1 times

  BoostBoris 10 months, 1 week ago

Selected Answer: ADE

A: Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection
D: the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Some
operations can be offloaded to SPUs to improve performance (not C)
E: If performance is your top priority, then flow inspection mode is more appropriate.
upvoted 2 times

  chromevandium11 11 months, 2 weeks ago


Selected Answer: ADE

ADE is correct.
upvoted 2 times
Question #21 Topic 1

Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A. Services defined in the firewall policy

B. Highest to lowest priority defined in the firewall policy

C. Destination defined as Internet Services in the firewall policy

D. Lowest to highest policy ID number

E. Source defined as Internet Services in the firewall policy

Correct Answer: ABE

Community vote distribution


ACE (100%)

  raydel92 Highly Voted  3 months, 1 week ago

Selected Answer: ACE

Correct:
A. Services defined in the firewall policy
C. Destination defined as Internet Services in the firewall policy
E. Source defined as Internet Services in the firewall policy

FortiGate Security 7.2 Study Guide (p.52):


"When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using the following
objects:
• Incoming Interface
• Outgoing Interface
• Source: IP address, user, internet services
• Destination: IP address or internet services
• Service: IP protocol and port number
• Schedule: Specific times to apply policy"

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 5 times

  Slash_JM Most Recent  3 months, 2 weeks ago

Selected Answer: ACE

FortiGate Security 7.2 Study Guide p.52

The policies are consulted from top to bottom, regardless of the Policy ID #. The first rule that matches is applied and subsequent rules are not
evaluated. FortiGate matches the traffic using the following criteria:

- Incoming Interface
- Outgoing Interface
- Source (IP Address, User, Internet Services)
- Destination (IP Address or Internet Services)
- Service (IP Protocol and Port number)
- Schedule (Time that the packet connected to the FortiGate)
upvoted 4 times
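A model of the lookup described in this answer, added as an illustration (constructed code, not FortiOS or Fortinet code): the table is walked top to bottom, the first match wins, and the policy ID is ignored. The Internet Service entries, interface names and policy table are constructed assumptions, and a source Internet Service is assumed to match on address only.

```python
"""Model of the firewall policy lookup described above (constructed example,
not FortiOS code): policies are checked top to bottom in sequence order, the
first match wins, and the policy ID plays no part in the lookup. Internet
Services are modelled as constructed (network, protocol, port) lists."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for Internet Service Database (ISDB) entries.
ISDB = {
    "Example-Web": [("198.51.100.0/24", "tcp", 80), ("198.51.100.0/24", "tcp", 443)],
    "Example-DNS": [("203.0.113.0/24", "udp", 53)],
}
ANY_SERVICE = ("any", 0)


@dataclass
class Packet:
    in_intf: str
    out_intf: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    hour: int = 12  # hour of day, used only for the schedule check


@dataclass
class Policy:
    policy_id: int
    name: str
    src_intf: set[str]
    dst_intf: set[str]
    action: str = "accept"
    src_addr: set[str] = field(default_factory=lambda: {"all"})
    dst_addr: set[str] = field(default_factory=lambda: {"all"})
    src_isdb: set[str] = field(default_factory=set)  # source Internet Services
    dst_isdb: set[str] = field(default_factory=set)  # destination Internet Services
    services: set[tuple[str, int]] = field(default_factory=lambda: {ANY_SERVICE})
    schedule: tuple[int, int] = (0, 24)  # [start_hour, end_hour); default "always"


def _in_addrs(ip: str, addrs: set[str]) -> bool:
    return "all" in addrs or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(a) for a in addrs)


def _in_isdb(ip: str, names: set[str], proto: str | None = None,
             port: int | None = None) -> bool:
    """Address-only match when proto/port are None, full match otherwise."""
    for name in names:
        for net, p, prt in ISDB[name]:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(net) and (
                    proto is None or (p == proto and prt == port)):
                return True
    return False


def matches(policy: Policy, pkt: Packet) -> bool:
    """Apply the six match criteria listed in the study guide to one packet."""
    if "any" not in policy.src_intf and pkt.in_intf not in policy.src_intf:
        return False
    if "any" not in policy.dst_intf and pkt.out_intf not in policy.dst_intf:
        return False
    # Source: address objects, or Internet Services matched on address only
    # (assumption: source ports are ephemeral, so they cannot be matched).
    if policy.src_isdb:
        if not _in_isdb(pkt.src_ip, policy.src_isdb):
            return False
    elif not _in_addrs(pkt.src_ip, policy.src_addr):
        return False
    # Destination: an Internet Service carries its own protocol and port;
    # otherwise the address object plus the Service column decide.
    if policy.dst_isdb:
        if not _in_isdb(pkt.dst_ip, policy.dst_isdb, pkt.proto, pkt.dst_port):
            return False
    elif not _in_addrs(pkt.dst_ip, policy.dst_addr):
        return False
    elif ANY_SERVICE not in policy.services and (pkt.proto, pkt.dst_port) not in policy.services:
        return False
    start, end = policy.schedule
    return start <= pkt.hour < end


def find_policy(policies: list[Policy], pkt: Packet) -> Policy | None:
    """Walk the table in sequence order; None means the implicit deny policy."""
    for policy in policies:
        if matches(policy, pkt):
            return policy
    return None


# Constructed policy table in sequence order; IDs deliberately out of order.
POLICIES = [
    Policy(5, "Deny-DNS-to-ISP", {"port2"}, {"port1"}, action="deny",
           dst_isdb={"Example-DNS"}),
    Policy(2, "LAN-to-Web", {"port2"}, {"port1"}, dst_isdb={"Example-Web"}),
    Policy(1, "LAN-Office-Hours", {"port2"}, {"port1"}, src_addr={"10.0.1.0/24"},
           services={("tcp", 80), ("tcp", 443), ("udp", 53)}, schedule=(8, 18)),
]
```

`find_policy(POLICIES, Packet("port2", "port1", "10.0.1.20", "203.0.113.5", "udp", 53))` returns the deny policy with ID 5 even though policy ID 1 would also accept that DNS packet: sequence order, not the ID, decides.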

  rian00z_ 4 months ago


Selected Answer: ACE

ACE is correct
upvoted 1 times

  Danny_B 6 months, 4 weeks ago


Selected Answer: ACE

7.2 SEC 52
upvoted 2 times

  geroboamo 7 months, 1 week ago

Selected Answer: ACE

There is no priority to be defined in security policies, and the policy ID is just for reference.
upvoted 2 times

  PaulGo 8 months, 1 week ago


Selected Answer: ACE

Correct A, C, E
upvoted 1 times

  Equiano 9 months ago


Selected Answer: ACE

ACE is correct!
upvoted 1 times

  DriftandLuna 9 months, 3 weeks ago


ACE, firewall policy will match on services, source & destination
upvoted 1 times

  leadac 10 months, 3 weeks ago


Selected Answer: ACE

ACE - Policy ID does not define a matching criterion, it's just for editing purposes, and there is no priority in the policies; only their order will affect
the matching process.
upvoted 2 times

  Rich_Man_Rich 11 months, 2 weeks ago


ACE is correct
upvoted 2 times

  indunil75 11 months, 2 weeks ago


ACE is correct
upvoted 3 times

  chiheb 11 months, 2 weeks ago


Selected Answer: ACE

the correct answers are ACE.


upvoted 3 times

  jberol 11 months, 2 weeks ago


ACE is correct
upvoted 3 times
Question #22 Topic 1

What are two functions of ZTNA? (Choose two.)

A. ZTNA manages access through the client only.

B. ZTNA manages access for remote users only.

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

Correct Answer: CD

Community vote distribution


CD (100%)

  Spago Highly Voted  11 months, 2 weeks ago

Selected Answer: CD

C. ZTNA provides a security posture check.


D. ZTNA provides role-based access.

ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to network resources for users, devices,
and applications. It is based on the principle of "never trust, always verify," which means that all access to network resources is subject to strict
verification and authentication.

Two functions of ZTNA are:

ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are attempting to access network resources.
This can include checks on the device's software and hardware configurations, security settings, and the presence of malware.

ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are
granted access to only those resources that are necessary for their role, and all other access is denied. This helps to prevent unauthorized access
and minimize the risk of data breaches.
upvoted 15 times

  GeniusA Most Recent  12 hours, 44 minutes ago


CD are the correct answers
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: CD

Correct:
A. ZTNA manages access through the client only. (client or browser)
B. ZTNA manages access for remote users only. (not just remote)
C. ZTNA provides a security posture check.
D. ZTNA provides role-based access.

FortiGate Infrastructure 7.2 Study Guide (p.165):


"ZTNA is an access control method that uses client device identification, authentication, and zero-trust tags to provide role-based application
access."
"IP/MAC filtering uses ZTNA tags to provide an additional factor for identification, and a security posture check to implement role-based zero-trust
access."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  Slash_JM 3 months, 2 weeks ago

Selected Answer: CD

FortiGate Infrastructure 7.2 Study Guide p.165


upvoted 1 times

  Danny_B 6 months, 4 weeks ago

Selected Answer: CD

7.2 INF 165


upvoted 4 times

  redSTORM 7 months, 2 weeks ago


Selected Answer: CD

C. ZTNA provides a security posture check.


D. ZTNA provides role-based access.
upvoted 1 times

  leadac 10 months, 3 weeks ago

Selected Answer: CD

ZTNA is for both internal users and remote users.


upvoted 1 times
Question #23 Topic 1

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

A. Pre-shared key

B. Dialup user

C. Dynamic DNS

D. Static IP address

Correct Answer: D

Community vote distribution


B (100%)

  jberol Highly Voted  11 months, 2 weeks ago


Dialup user is correct. Answer B
upvoted 11 times

  Kryten Highly Voted  9 months ago

Selected Answer: B

B
How can it be that some of the answers here are the most obviously false ones? :)
upvoted 5 times

  bgod 4 months, 2 weeks ago


I'm taking this exam soon and, to be honest, this is the most frustrating. Other sites have these same "incorrect" answers.
upvoted 1 times

  GeniusA Most Recent  12 hours, 41 minutes ago


B is the answer
upvoted 1 times

  Ygrec 1 month, 4 weeks ago


B

Because we cannot use dynamic dns or static ip in this case


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. Dialup user

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Garry_G 3 months, 2 weeks ago


Who even suggests those answers? How can the provided answer even be D, if the question clearly states the remote client has a DYNAMIC and
NOT a STATIC address? ... B of course.
upvoted 2 times

  Skubany32 2 months, 3 weeks ago


For real, some of the answers on Exam Topics are just quite unbelievable.
upvoted 1 times

  Slash_JM 3 months, 2 weeks ago

Selected Answer: B

FortiGate Infrastructure 7.2 Study Guide p.253


upvoted 2 times

  rian00z_ 4 months ago

Selected Answer: B

Dialup user is correct. Answer B


upvoted 1 times
  darkstar15 4 months, 3 weeks ago
The remote peer whose IP address is unknown acts as the dialup client, and this is often the case for branch offices and mobile VPN clients that
use dynamic IP addresses, and no dynamic DNS.
upvoted 2 times

  Wrath4980 5 months, 2 weeks ago


Selected Answer: B

If it's not an IPsec VPN tunnel, it's going to be a dial-up tunnel, so option B.
upvoted 3 times

  ronaldvs 5 months, 2 weeks ago


Selected Answer: B

It's B!!
Page 253 FortiGate_Infrastructure_7.2
upvoted 3 times

  Eggrolls 6 months ago


It's B!!
Page 263 FortiGate_Infrastructure_7.2
upvoted 2 times

  geroboamo 7 months, 1 week ago

Selected Answer: B

someone did not read the question...


upvoted 3 times

  PimplePooper 7 months, 4 weeks ago


Selected Answer: B

B is the correct answer


upvoted 1 times

  felcard_debugs 8 months ago


Selected Answer: B

B is correct
upvoted 1 times

  PaulGo 8 months, 1 week ago


Selected Answer: B

Infrastructure page 225 explains Dialup User.


upvoted 2 times

  Equiano 9 months ago

Selected Answer: B

B is correct!
upvoted 1 times
Question #24 Topic 1

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

A. SSL VPN idle-timeout

B. SSL VPN http-request-body-timeout

C. SSL VPN login-timeout

D. SSL VPN dtls-hello-timeout

Correct Answer: A

Community vote distribution


A (100%)

  Spago Highly Voted  11 months, 2 weeks ago

Selected Answer: A

A. SSL VPN idle-timeout

The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session
becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the
timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated
resources (such as VPN tunnels and virtual interfaces) will be deleted.
upvoted 10 times

  GeniusA Most Recent  12 hours, 40 minutes ago


A, of course, for idle session.
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: A

A. SSL VPN idle-timeout

FortiGate Infrastructure 7.2 Study Guide (p.208):


"Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting
on the GUI."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Slash_JM 3 months, 2 weeks ago

Selected Answer: A

FortiGate Infrastructure 7.2 Study Guide p.208


upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


A. FortiGate Infrastructure 7.2 Study Guide Page 208. Idle logout (default idle: 300 sec (5 min))
upvoted 1 times

  Danny_B 6 months, 4 weeks ago


Selected Answer: A

Idle logout / idle timeout 7.2 INF 208


upvoted 3 times

  redSTORM 7 months, 2 weeks ago


Selected Answer: A

Correct Answer: A
upvoted 1 times

  ChinkSantana 10 months, 1 week ago


A is correct
upvoted 2 times
Question #25 Topic 1

Which statement is correct regarding the use of application control for inspecting web applications?

A. Application control can identify child and parent applications, and perform different actions on them.

B. Application control signatures are organized in a nonhierarchical structure.

C. Application control does not require SSL inspection to identify web applications.

D. Application control does not display a replacement message for a blocked web application.

Correct Answer: A

Community vote distribution


A (95%) 5%

  BoostBoris Highly Voted  10 months, 1 week ago

Selected Answer: A

The FortiGuard application control signature database is organized in a hierarchical structure. This gives you the ability to inspect the traffic with
more granularity. You can block Facebook applications while allowing users to collaborate using Facebook chat.
upvoted 8 times

  Spago Highly Voted  11 months, 2 weeks ago

Selected Answer: A

A. Application control can identify child and parent applications, and perform different actions on them.

Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application
control is enabled, FortiGate can identify child and parent applications, and can perform different actions on them based on the configuration.
upvoted 7 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: A

FortiGate Security 7.2 Study Guide p.296-315


upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: A

Correct:
A. Application control can identify child and parent applications, and perform different actions on them.
Incorrect:
B. Application control signatures are organized in a nonhierarchical structure. (p.302)
C. Application control does not require SSL inspection to identify web applications. (p.296)
D. Application control does not display a replacement message for a blocked web application. (p.308 and p.315)

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  D1360_1304 4 months, 2 weeks ago


A. correct
FortiGate Security 7.2 Study Guide
B. False P.302
C. False P.296
D. False P.308
upvoted 3 times

  D1360_1304 4 months, 2 weeks ago


Also, in page 314 and 315 give more information.
upvoted 1 times

  darkstar15 4 months, 3 weeks ago


The correct answer is A.
The other answers are incorrect because it does require SSL inspection for HTTPS traffic, it is hierarchical, and it can display messages when it blocks an application.
upvoted 3 times

  Eggrolls 6 months ago

Selected Answer: C

Didn't find answer A in the study guide.

Application Control doesn't require SSL inspection because it uses patterns in the packets (transmission) to determine what application it is.
upvoted 1 times

  redSTORM 7 months, 2 weeks ago

Selected Answer: A

Correct Answer: A
upvoted 1 times
Question #26 Topic 1

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.

The administrator confirms that the traffic matches the configured firewall policy.

What are two reasons for the failed virus detection by FortiGate? (Choose two.)

A. The website is exempted from SSL inspection.

B. The EICAR test file exceeds the protocol options oversize limit.

C. The selected SSL inspection profile has certificate inspection enabled.

D. The browser does not trust the FortiGate self-signed CA certificate.

Correct Answer: AD

Community vote distribution


AC (78%) BC (17%) 6%

  moutaz1983 Highly Voted  11 months, 2 weeks ago


It is AC, deep inspection need to be enabled
upvoted 9 times

  SollyMalwane Most Recent  23 hours, 56 minutes ago

Selected Answer: AD

SSL is exempted
upvoted 1 times

  Slash_JM 2 months, 4 weeks ago

Selected Answer: AC

FortiGate Security 7.2 Study Guide p.230


upvoted 1 times

  Kain1077 3 months ago


Selected Answer: AC

Answers are A and C. Can't be B because the file was already downloaded through HTTP without problems and D doesn't apply.
upvoted 1 times

  Jumpy007 3 months ago


AC is correct, see FortiGate_Security_7.2_Study_Guide-Online p. 230:
"While offering some level of security, certificate inspection does not permit the inspection of encrypted data." p. 333: Deep inspection is required instead of certificate-based to ensure content inspection.
upvoted 3 times

  raydel92 3 months, 1 week ago


Correct:
A. The website is exempted from SSL inspection.
C. The selected SSL inspection profile has certificate inspection enabled.

The same file was blocked through HTTP, so "B" is wrong.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  tinugeorge 3 months, 4 weeks ago


Selected Answer: BC

B - Since files bigger than the oversize limit are bypassed from scanning although there is option to enable it
C - Deep inspection is required for scanning files for virus
upvoted 1 times

  spydog 2 months, 3 weeks ago


Your answer is correct. But in this question it is mentioned: "same file but over HTTPS". If the file was successfully scanned and blocked when on HTTP, the exact same file over HTTPS will be bigger and therefore option B can be eliminated.
upvoted 2 times

  Variant_ 4 months ago


Selected Answer: AC

AC is correct because if the file is downloading over HTTPS which means that there must be no SSL inspection (or at least the correct ones) so A
is true, and C is true because you would need SSL deep-inspection in order to inspect a file over HTTPS.
upvoted 1 times

  rian00z_ 4 months ago

Selected Answer: AC

Correct Answer: AC
upvoted 1 times

  Emiaj23 4 months, 2 weeks ago


To my knowledge the answers would be C and D
upvoted 1 times

  clrf26 6 months, 1 week ago


A and C. In the SSL Inspection Profile, under Inspection method there are 2 options to choose from: SSL Certificate Inspection or Full SSL Inspection. FG SEC 7.2 Study Guide: Full SSL Inspection is the only choice that allows antivirus to be effective.
upvoted 2 times

  HernandoZ 6 months, 2 weeks ago


Selected Answer: AC

Since the file was downloaded using HTTP, it's not the size.
upvoted 3 times

  sb_alves 7 months, 1 week ago


B and C.
AV does not analyze files larger than 10 MB.
upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


yes, but "when downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file".
upvoted 1 times

  redSTORM 7 months, 2 weeks ago


Selected Answer: AC

Correct Answer: AC
upvoted 2 times

  JonyBGP 7 months, 3 weeks ago


Selected Answer: BC

A is opposite of C, so BC is the answer - look up oversize limit on anti-virus


upvoted 2 times

  Jeageristt 7 months ago


The same file (same size) was downloaded using HTTP, so it's not B.
upvoted 9 times

  marli 7 months, 3 weeks ago


AC is the correct answer
upvoted 1 times

  jj1982ar 8 months ago

Selected Answer: AC

B and D don't make any sense


upvoted 1 times
Question #27 Topic 1

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B. The traffic sourced from the client and destined to the server is sent to FGT-1.

C. The cluster can load balance ICMP connections to the secondary.

D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Correct Answer: AB

Community vote distribution


AD (84%) D (16%)

  BoostBoris Highly Voted  10 months, 1 week ago

Selected Answer: AD

A: Non-load-balanced: traffic enters port1 and goes out port2 from FGT1. FGT2 is in standby mode.
D: In proxy inspection mode, the SYN packet goes to FGT1 port1. It is then forwarded to FGT2. The source MAC address of the packet is changed to
the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This
is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is
done only for the first packet of a load balanced session.
upvoted 6 times

  BoostBoris 10 months, 1 week ago


Sorry, FGT2 is primary... So the other way around --'
upvoted 4 times
  walter_rcp Highly Voted  11 months ago
D: is the only correct for me.
upvoted 5 times

  Diego_Farani Most Recent  1 month, 1 week ago

Selected Answer: AD

FortiGate Infrastructure 7.2 Study Guide (p.317 & p.320): "To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses." "The
primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary encapsulates
the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated
packet includes the original packet plus session information that the secondary requires to process the traffic."
upvoted 1 times

  Rian 2 months, 3 weeks ago


A and B. Since Secondary : FGT-1 HA Cluster index = 0
upvoted 1 times

  Slash_JM 2 months, 4 weeks ago


Selected Answer: AD

FortiGate Infrastructure 7.2 Study Guide p.320-322


upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: AD

Correct:
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Incorrect:
B. The traffic sourced from the client and destined to the server is sent to FGT-1. (not primary)
C. The cluster can load balance ICMP connections to the secondary. (not enabled)

FortiGate Infrastructure 7.2 Study Guide (p.317 & p.320):


"To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses."
"The primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary
encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The
encapsulated packet includes the original packet plus session information that the secondary requires to process the traffic."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 4 times

  lucas09 3 months, 4 weeks ago


A and D

For A-A load balancing, traffic from the client is received on the primary's vMAC, after which the packet is sent to the secondary for inspection with
the physical MAC address of the primary as source. Then it comes back to the primary and the client, at which point the handshake has begun.
upvoted 2 times

  darkstar15 4 months, 2 weeks ago


C is not correct because ICMP can be synchronized but not load balanced.
upvoted 2 times

  erawemk 5 months, 2 weeks ago

Selected Answer: D

A. Is not true, always Cluster sends traffic to server using physical MAC
B. Is not true, the traffic sourced from the client and destined to the server is sent to FGT-2.
C. Is not true, the cluster cannot load balance ICMP connections
D. Is true for load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary using 0x8891 frame
Everything is taken from the Infrastructure Study Guide, pages 320-322.
upvoted 3 times

  umairmasood 5 months, 3 weeks ago


Answer is A & D
upvoted 1 times

  yamahaforti 6 months, 1 week ago


Can A really be correct?

View the slide on page 322 FortiGate_Infrastructure_7.2_Study_Guide-Online.pdf


It shows secondary-physical MAC-port2 to server

D is the only correct one


upvoted 2 times

  ferdi1989 6 months, 3 weeks ago


In A-A mode, the ICMP protocol cannot be load balanced.
upvoted 2 times

  Mturco 9 months, 1 week ago

Selected Answer: AD

correct answer is A&D


upvoted 2 times

  danieldelgado 9 months, 2 weeks ago


Correct answers are C and D. The cluster is in Active-Active mode and FGT1 is the secondary
upvoted 4 times

  shadow2020 9 months, 3 weeks ago


Set mode is a-a not a-p
upvoted 2 times

  efot 10 months, 4 weeks ago


Selected Answer: AD

Correct Answer is AD
upvoted 1 times

  walter_rcp 11 months ago


Sorry A could be ok because is for non-balanced connections
upvoted 2 times
Question #28 Topic 1

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

A. The keyUsage extension must be set to keyCertSign.

B. The CA extension must be set to TRUE.

C. The issuer must be a public CA.

D. The common name on the subject field must use a wildcard name.

Correct Answer: AB

Community vote distribution


AB (100%)

  itmaxuser Highly Voted  5 months, 1 week ago


The cA=TRUE value identifies the certificate as a CA certificate. The keyUsage=keyCertSign value indicates that the certificate's corresponding
private key is permitted to sign certificates. See RFC 5280 section 4.2.1.9, Basic Constraints.
Answer is A and B
upvoted 5 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: AB

FortiGate Security 7.2 Study Guide p.232


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: AB

A. The keyUsage extension must be set to keyCertSign.


B. The CA extension must be set to TRUE.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  rian00z_ 4 months ago

Selected Answer: AB

Correct answers: AB
upvoted 1 times

  mcclane654 5 months, 3 weeks ago

Selected Answer: AB

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Add-a-new-certificate-to-SSL-SSH-inspection/ta-p/251252
upvoted 2 times

  umairmasood 5 months, 3 weeks ago


A & B are true. Can verify on the site.
upvoted 1 times

  Eggrolls 6 months ago

Selected Answer: AB

A&B

FortiGate_Security_7.2 page 232


Although it appears as though the user browser is connected to the web server, the browser is connected to
FortiGate. FortiGate is acting as a proxy web server. In order for FortiGate to act in these roles, its CA
certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension
set to keyCertSign.
upvoted 4 times

  redSTORM 7 months, 2 weeks ago

Selected Answer: AB

Correct Answer: AB
upvoted 1 times

  PaulGo 8 months, 1 week ago

Selected Answer: AB
Security page 323
Its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign
upvoted 2 times

  BoostBoris 10 months, 1 week ago

Selected Answer: AB

Full SSL inspection - Certificate requirements:


FortiGate is acting as a proxy web server. In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension
set to cA=True and the value of the keyUsage extension set to keyCertSign
upvoted 2 times

  chromevandium11 11 months, 2 weeks ago


Selected Answer: AB

AB is correct.
upvoted 1 times
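The two attributes the study guide quotes above require can be verified byte-for-byte in the certificate's DER. The following is an added example in stdlib Python, not FortiGate's or Fortinet's code: a tiny DER encoder builds the X.509 extension block of three constructed certificates (a proper inspection CA, an ordinary server certificate, and a CA whose keyUsage lacks keyCertSign), and a tiny DER reader applies the check. The certificate contents and all function names are the example's own.

```python
"""Check the two X.509 extensions FortiGate needs on a full-SSL-inspection CA.

Added example, not Fortinet code. A CA used to re-sign server certificates
must carry basicConstraints cA=TRUE and a keyUsage that includes keyCertSign
(RFC 5280 s4.2.1.9 and s4.2.1.3). A real certificate would be handed to
check_ca_for_ssl_inspection() as the DER of its 'extensions' SEQUENCE.
"""
from typing import Dict, Set, Tuple

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")           # 2.5.29.15
KEY_CERT_SIGN = 5    # KeyUsage bits: digitalSignature(0) ... keyCertSign(5), cRLSign(6)
CRL_SIGN = 6

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def bit_string(bits: Set[int]) -> bytes:
    """DER BIT STRING; bit 0 is the MSB of the first content byte."""
    nbits = max(bits) + 1 if bits else 0
    buf = bytearray((nbits + 7) // 8)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    unused = len(buf) * 8 - nbits
    return tlv(0x03, bytes([unused]) + bytes(buf))

def basic_constraints(ca: bool) -> bytes:
    # cA defaults to FALSE, so a non-CA encodes as an empty SEQUENCE
    return tlv(0x30, tlv(0x01, b"\xff") if ca else b"")

def extension(oid: bytes, value: bytes, critical: bool = True) -> bytes:
    body = tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value)
    return tlv(0x30, body)

def extensions(*exts: bytes) -> bytes:
    return tlv(0x30, b"".join(exts))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extensions(ext_seq: bytes) -> Dict[bytes, bytes]:
    """Map extnID -> extnValue (contents of the OCTET STRING)."""
    tag, content, _ = read_tlv(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("extensions is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(content):
        _, ext, pos = read_tlv(content, pos)
        _, oid, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        if t == 0x01:                 # optional 'critical' BOOLEAN precedes the value
            _, val, p = read_tlv(ext, p)
        out[oid] = val
    return out

def check_ca_for_ssl_inspection(ext_seq: bytes) -> Dict[str, bool]:
    exts = parse_extensions(ext_seq)
    result = {"cA": False, "keyCertSign": False}
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is not None:
        _, inner, _ = read_tlv(bc, 0)
        if inner and inner[0] == 0x01:          # cA BOOLEAN present (TRUE is 0xFF in DER)
            _, v, _ = read_tlv(inner, 0)
            result["cA"] = bool(v) and v[0] != 0
    ku = exts.get(OID_KEY_USAGE)
    if ku is not None:
        _, bits, _ = read_tlv(ku, 0)
        data = bits[1:]                          # first byte = count of unused bits
        byte, bit = divmod(KEY_CERT_SIGN, 8)
        result["keyCertSign"] = len(data) > byte and bool(data[byte] & (0x80 >> bit))
    # The study guide requires both; a cert with no keyUsage extension fails here
    result["usable_as_inspection_ca"] = result["cA"] and result["keyCertSign"]
    return result

# Constructed extension blocks standing in for three certificates
GOOD_CA = extensions(extension(OID_BASIC_CONSTRAINTS, basic_constraints(True)),
                     extension(OID_KEY_USAGE, bit_string({KEY_CERT_SIGN, CRL_SIGN})))
SERVER_CERT = extensions(extension(OID_BASIC_CONSTRAINTS, basic_constraints(False)),
                         extension(OID_KEY_USAGE, bit_string({0, 2})))  # digitalSignature, keyEncipherment
CA_NO_CERTSIGN = extensions(extension(OID_BASIC_CONSTRAINTS, basic_constraints(True)),
                            extension(OID_KEY_USAGE, bit_string({0, 2})))

if __name__ == "__main__":
    for name, blob in [("good CA", GOOD_CA), ("server cert", SERVER_CERT), ("CA w/o keyCertSign", CA_NO_CERTSIGN)]:
        print(f"{name:20s} {check_ca_for_ssl_inspection(blob)}")
```

On a real PEM file the same two attributes appear in `openssl x509 -in ca.pem -noout -text` as `X509v3 Basic Constraints: critical CA:TRUE` and `X509v3 Key Usage: critical Certificate Sign, CRL Sign`; a certificate that shows `CA:FALSE` or a Key Usage without `Certificate Sign` will be rejected when imported for full SSL inspection.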
Question #29 Topic 1

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

A. Packet payload

B. Application header

C. IP header

D. Ethernet header

E. Interface name

Correct Answer: CDE

Community vote distribution


ACE (100%)

  BoostBoris Highly Voted  10 months, 1 week ago

Selected Answer: ACE

Sniffer with verbose 5: IP header, IP payload, Port name


upvoted 7 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: ACE

FortiGate Infrastructure 7.2 Study Guide p.61


upvoted 1 times

  Jumpy007 3 months ago


FortiGate_Infrastructure_7.2_Study_Guide-Online
p. 61 Packet Capture Verbosity Level which is set to 5 in the exhibit, if it was level 6 it should also include ethernet headers. Application headers
are never included.
This is Correct:
A. Packet payload
C. IP header
E. Interface name
upvoted 3 times

  raydel92 3 months, 1 week ago


Selected Answer: ACE

Correct:
A. Packet payload
C. IP header
E. Interface name

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Eggrolls 6 months ago

Selected Answer: ACE

FortiGate_Infrastructure page 61
upvoted 3 times

  RabbitB 6 months ago


Correct answer must be ACE
upvoted 1 times

  walter_rcp 11 months ago


Verbosity 5: IP Headers, Packet Payload and Interface Name: ACE
upvoted 4 times

  efot 11 months ago


Selected Answer: ACE

Correct Answer should be ACE


upvoted 3 times
Question #30 Topic 1

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.

Which CLI command causes FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

A. set webfilter-force-off disable

B. set webfilter-cache disable

C. set protocol tcp

D. set fortiguard-anycast disable

Correct Answer: C

Community vote distribution


D (100%)

  Eggrolls Highly Voted  6 months ago


D is correct
FortiGate_Security_7.2 page 288
upvoted 7 times

  Techpro30 Most Recent  2 months, 3 weeks ago


p.288 on study guide
upvoted 1 times

  Slash_JM 2 months, 4 weeks ago


Selected Answer: D

FortiGate Security 7.2 Study Guide p.288


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: D

D. set fortiguard-anycast disable

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  raydel92 3 months, 1 week ago


D. set fortiguard-anycast disable

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


D. Is the correct answer.
upvoted 2 times

  erawemk 5 months, 2 weeks ago


Selected Answer: D

D is the correct answer


upvoted 2 times

  joeytrib 7 months ago

Selected Answer: D

D is the correct answer


upvoted 2 times

  DriftandLuna 8 months, 3 weeks ago

Selected Answer: D

C is incorrect as TCP is a reliable protocol


upvoted 3 times

  tattybizzy 9 months, 1 week ago


D. is correct answer
upvoted 1 times
  BoostBoris 10 months, 1 week ago

Selected Answer: D

To change the fortiguard port, you have to disable "fortiguard-anycast" option under fortiguard settings
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-UDP-protocol-for-FortiGuard-web-filter/ta-p/191920
upvoted 3 times

  efot 11 months ago


Selected Answer: D

D is correct answer
upvoted 3 times

  chromevandium11 11 months, 2 weeks ago


Selected Answer: D

D is correct.
upvoted 1 times
Question #31 Topic 1

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet this requirement?

A. On Demand

B. On Idle

C. Disabled

D. Enabled

Correct Answer: B

Community vote distribution


B (100%)

  Slash_JM 2 months, 4 weeks ago

Selected Answer: B

FortiGate Infrastructure 7.2 Study Guide p.256


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. On Idle

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  seguridadsit 5 months ago


Selected Answer: B

On Idle, option B
upvoted 1 times

  Eggrolls 6 months ago


Selected Answer: B

FortiGate_Infrastructure_7.2 page 288


upvoted 3 times

  bgod 4 months, 1 week ago


This is the incorrect page; the correct page is 256.
upvoted 1 times

  Eggrolls 5 months, 3 weeks ago


Sorry, wrong page, it's 256
upvoted 5 times

  HernandoZ 6 months, 2 weeks ago

Selected Answer: B

On Idle, so B is correct
upvoted 1 times

  joeytrib 7 months ago


Correct answer : B
upvoted 1 times

  BoostBoris 10 months, 1 week ago


Selected Answer: B

On Idle: FortiGate sends DPD probes when no traffic is observed in the tunnel.
upvoted 3 times
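To make the difference between the DPD modes concrete, here is an added Python model (not code from the page or from Fortinet) that replays a constructed traffic trace second by second and records when each mode would send an R-U-THERE probe and when it would declare the peer dead. The question and the study guide only describe On Idle; the reading of On Demand as "outbound traffic but no inbound traffic", the FortiOS default timers used (dpd-retryinterval 20 s, dpd-retrycount 3), and the traces themselves are assumptions of the model.

```python
"""Model of how FortiGate's three IPsec DPD modes decide to probe.

Added illustration, not FortiOS code. 'dpd' on an IPsec phase1-interface
takes disable | on-idle | on-demand. Rules modelled here:
  disable   - never send R-U-THERE probes
  on-idle   - probe when NO traffic has crossed the tunnel in either direction
              for dpd-retryinterval seconds (study guide: "when no traffic is
              observed in the tunnel"; treating that as both directions is an
              assumption of this model)
  on-demand - probe only when we have SENT traffic recently but RECEIVED nothing
              for dpd-retryinterval seconds (assumption: FortiOS CLI wording
              "outbound traffic but no inbound traffic")
After dpd-retrycount unanswered probes the peer is declared dead.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Tunnel:
    mode: str                  # "disable" | "on-idle" | "on-demand"
    retry_interval: int = 20   # FortiOS default dpd-retryinterval (seconds)
    retry_count: int = 3       # FortiOS default dpd-retrycount
    last_rx: int = 0           # time of last inbound ESP packet or DPD reply
    last_tx: int = 0           # time of last outbound ESP packet
    last_probe: int = 0
    unanswered: int = 0
    events: List[str] = field(default_factory=list)

def should_probe(t: Tunnel, now: int) -> bool:
    """Decide whether to send a DPD R-U-THERE at time `now`."""
    if t.mode == "disable":
        return False
    if now - t.last_probe < t.retry_interval:
        return False  # pace probes at dpd-retryinterval
    idle_rx = now - t.last_rx >= t.retry_interval
    idle_tx = now - t.last_tx >= t.retry_interval
    if t.mode == "on-idle":
        return idle_rx and idle_tx
    if t.mode == "on-demand":
        return idle_rx and not idle_tx
    raise ValueError(f"unknown dpd mode {t.mode!r}")

def run(mode: str, trace: List[Tuple[int, str]], horizon: int) -> Tuple[List[str], int]:
    """Replay a constructed traffic trace second by second.

    trace entries are (second, "tx" | "rx" | "probe-reply").
    Returns (event log, second the peer was declared dead, or -1).
    """
    t = Tunnel(mode=mode)
    by_time: Dict[int, List[str]] = {}
    for when, kind in trace:
        by_time.setdefault(when, []).append(kind)
    for now in range(1, horizon + 1):
        for kind in by_time.get(now, []):
            if kind == "tx":
                t.last_tx = now
            else:                      # "rx" or "probe-reply": the peer is alive
                t.last_rx = now
                t.unanswered = 0
        if should_probe(t, now):
            t.last_probe = now
            t.unanswered += 1
            t.events.append(f"t={now}s DPD R-U-THERE sent ({t.unanswered}/{t.retry_count} unanswered)")
            if t.unanswered >= t.retry_count:
                t.events.append(f"t={now}s peer declared dead, SA removed")
                return t.events, now
    return t.events, -1

# Constructed traces: one packet each way at t=1, then the peer goes silent
IDLE_PEER_DEAD = [(1, "tx"), (1, "rx")]
# We keep sending every 5 s into a black hole; the peer never answers
TX_INTO_BLACKHOLE = [(1, "rx")] + [(s, "tx") for s in range(1, 121, 5)]
# Idle tunnel, but the peer answers the first probe one second later
IDLE_PEER_ALIVE_ONCE = [(1, "tx"), (1, "rx"), (22, "probe-reply")]

if __name__ == "__main__":
    for name, trace in [("idle, peer dead", IDLE_PEER_DEAD),
                        ("tx only, peer dead", TX_INTO_BLACKHOLE)]:
        for mode in ("disable", "on-idle", "on-demand"):
            events, dead = run(mode, trace, 120)
            print(f"{name:20s} {mode:10s} dead_at={dead:4d} probes={len(events)}")
```

With the idle trace, on-idle declares the peer dead at t=61 (three probes at 20 s spacing) while on-demand never probes, because nothing was sent; with the black-hole trace the roles reverse and only on-demand notices. A single reply (the third trace) resets the unanswered counter, which is why a live but quiet peer is not torn down.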
Question #32 Topic 1

An administrator does not want to report the login events of service accounts to FortiGate.

Which setting on the collector agent is required to achieve this?

A. Add user accounts to the Ignore User List.

B. Add user accounts to Active Directory (AD).

C. Add user accounts to the FortiGate group filter.

D. Add the support of NTLM authentication.

Correct Answer: A

Community vote distribution


A (100%)

  Eggrolls Highly Voted  6 months ago

Selected Answer: A

FortiGate_Infrastructure_7.2 page 144


upvoted 5 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: A

FortiGate Infrastructure 7.2 Study Guide p.144


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: A

A. Add user accounts to the Ignore User List.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


A. FortiGate Infrastructure 7.2 Study Guide Page 144.
upvoted 1 times

  joeytrib 7 months ago


A is correct
upvoted 1 times

  emacip23 7 months, 4 weeks ago

Selected Answer: A

A is correct
upvoted 2 times

  BoostBoris 10 months, 1 week ago


A is correct
upvoted 3 times
Question #33 Topic 1

Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.

What will happen to endpoint active ZTNA sessions?

A. They will be re-evaluated to match the endpoint policy.

B. They will be re-evaluated to match the firewall policy.

C. They will be re-evaluated to match the ZTNA policy.

D. They will be re-evaluated to match the security policy.

Correct Answer: D

Community vote distribution


C (100%)

  Eggrolls Highly Voted  6 months ago

Selected Answer: C

FortiGate_Infrastructure_7.2_Study_Guide page 182


upvoted 7 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: C

FortiGate Infrastructure 7.2 Study Guide p.182


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: C

C. They will be re-evaluated to match the ZTNA policy.

FortiGate Infrastructure 7.2 Study Guide (p.182):


"Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant with the
ZTNA policy."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  Edderdinho 6 months, 3 weeks ago

Selected Answer: C

ZTNA POLICY
upvoted 2 times

  sb_alves 7 months, 1 week ago


Selected Answer: C

It's a ZTNA policy


upvoted 1 times

  tattybizzy 9 months, 1 week ago


C is the answer
upvoted 1 times

  Spyder_Byte 11 months, 1 week ago


Selected Answer: C

It's a ZTNA policy


upvoted 1 times

  chromevandium11 11 months, 1 week ago


Selected Answer: C

C should be the answer:


https://docs.fortinet.com/document/fortigate/7.0.0/new-features/580880/posture-check-verification-for-active-ztna-proxy-session-7-0-2
upvoted 4 times

  mohdroos1 11 months, 3 weeks ago

Selected Answer: C

ztna policy
upvoted 2 times
Question #34 Topic 1

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.

B. FortiGate allocates port blocks on a first-come, first-served basis.

C. FortiGate generates a system event log for every port block allocation made per user.

D. FortiGate allocates 128 port blocks per user.

Correct Answer: AD

Community vote distribution


BC (90%) 7%

  BoostBoris Highly Voted  10 months, 1 week ago

Selected Answer: BC

Not A: FortiGate allocates a block size and number per host for a range of external addresses
B: FortiGate allocates port blocks on a first-come, first-served basis
C: For logging purposes, when FortiGate allocates a port block to a host, it generates a system event log to inform the administrator
Not D: It allows 8 blocks of 128 ports per host
upvoted 18 times

  NKWEN123 7 months, 1 week ago


I agree. Answers B and C are correct.
Security 7.2 Study Guide page 108.
upvoted 4 times

  Mturco 9 months, 1 week ago


I agree correct answers are B &C
upvoted 3 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: BC

FortiGate Security 7.2 Study Guide p.109


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: BC

B. FortiGate allocates port blocks on a first-come, first-served basis.


C. FortiGate generates a system event log for every port block allocation made per user.

FortiGate Security 7.2 Study Guide (p.109):


"FortiGate allocates port blocks on a first-come, first-served basis."
"For logging purposes, when FortiGate allocates a port block to a host, it generates a system event log to inform the administrator."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  rian00z_ 4 months ago

Selected Answer: BC

Correct: BC
upvoted 1 times

  alejandrofern43 4 months, 1 week ago

Selected Answer: BC

B and C are Correct.


pag 109 Fort_Security_Guide.
upvoted 2 times

  alejandrofern43 4 months, 1 week ago


B and C are Correct.
pag 109 Fort_Security_Guide.
upvoted 1 times

  darkstar15 4 months, 2 weeks ago


Maybe the only difference is user vs. host in the answer, but it is documented in Security 7.2 p. 109:
"FortiGate allocates port blocks on a first-come, first-served basis. The port block allocation is made when FortiGate receives a packet from unserved hosts.
FortiGate also generates system event logs with the port block allocation details to inform the administrator."
upvoted 2 times

  D1360_1304 4 months, 2 weeks ago


B and C
upvoted 1 times

  erawemk 5 months, 2 weeks ago


Selected Answer: BC

BC are correct answers the question is describing a port block allocation, please see Study guide - Security_7.2 page 109
upvoted 2 times

  AgentSmith 5 months, 4 weeks ago


Study guide - Security_7.2.

FortiGate allocates a port block to a host, it generates a system event log to inform the administrator
FortiGate allocates port blocks on a first-come, first-served basis
upvoted 1 times

  a1brt 6 months, 1 week ago


BD:
FG Security 7.2 Study Guide, page 109
upvoted 1 times

  a1brt 6 months, 1 week ago


Correction: BC
upvoted 1 times

  dogeatdog 8 months, 3 weeks ago


B & C. page 109. study guide
upvoted 2 times

  GCISystemIntegrator 9 months, 2 weeks ago

Selected Answer: CD

https://docs.fortinet.com/document/fortigate/7.2.3/hyperscale-firewall-guide/303964/port-block-allocation-cgn-ip-pool
based on this doc CD are correct
c - When all of the client sessions have ended, FortiOS releases the port block and writes another log message.
d - The number of ports allocated in a block. The default value is 128.
upvoted 1 times

  claumagagnotti 9 months, 2 weeks ago


Selected Answer: AD

Because type is port-block-allocation

https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/298620/config-firewall-ippool
upvoted 2 times

  ferdi1989 6 months, 3 weeks ago


It is B & C.
Reference from the study guide:
FortiGate allocates a block size and number per host for a range of EXTERNAL addresses (not internal, as it says in the question).
upvoted 1 times

  claumagagnotti 9 months, 2 weeks ago


AD
Because type is port-block-allocation

https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/298620/config-firewall-ippool
upvoted 1 times

  shadow2023 9 months, 1 week ago


AD is not correct, look at the ippool config:
block-size = 128
num-blocks-per-user = 8
upvoted 2 times
Question #35 Topic 1

Which two statements about the Security Fabric rating are true? (Choose two.)

A. It provides executive summaries of the four largest areas of security focus.

B. The Security Fabric rating is a free service that comes bundled with all FortiGate devices.

C. Many of the security issues can be fixed immediately by clicking Apply where available.

D. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

Correct Answer: CD

Community vote distribution


CD (100%)

  Ygrec 1 month, 3 weeks ago


CD

Page 450 forti 7.2 security


upvoted 1 times

  Slash_JM 2 months, 4 weeks ago

Selected Answer: CD

FortiGate Security 7.2 Study Guide p.450


upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: CD

Correct:
C. Many of the security issues can be fixed immediately by clicking Apply where available.
D. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  darkstar15 4 months, 2 weeks ago


Although it is not explicit in the Fortinet documentation, the correct answers are C and D.
A cannot be right because there are 3 areas, and B cannot be right either because licensing is required.
upvoted 2 times

  D1360_1304 4 months, 2 weeks ago


CD. Correct
A. There are three areas, not four.
B. It is a subscription service that requires a security rating license.
upvoted 2 times

  Brandon534 5 months, 2 weeks ago


Selected Answer: CD

FortiGate_Security_7.2_Study_Guide page 450


upvoted 2 times

  erawemk 5 months, 2 weeks ago

Selected Answer: CD

Correct answers are CD: Study guide - Security_7.2 - page 450


upvoted 2 times

  BoostBoris 10 months, 1 week ago

Selected Answer: CD

Security rating is a subscription service that requires a security rating license. It provides executive summaries of the THREE largest areas of security focus.
upvoted 4 times

  Brandon534 5 months, 2 weeks ago


FortiGate_Security_7.2_Study_Guide Page 450. Answer CD
upvoted 1 times
Question #36 Topic 1

An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value.

Which timeout option should the administrator configure on FortiGate?

A. new-session

B. idle-timeout

C. hard-timeout

D. soft-timeout

E. auth-on-demand

Correct Answer: C

Community vote distribution


C (100%)

  Ygrec 1 month, 3 weeks ago


C: hard-timeout
upvoted 1 times

  Slash_JM 2 months, 4 weeks ago


Selected Answer: C

FortiGate Security 7.2 Study Guide p.167


upvoted 2 times

  raydel92 3 months, 1 week ago


Selected Answer: C

C. hard-timeout

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  alejandrofern43 4 months, 1 week ago

Selected Answer: C

Answer is C: hard-timeout
FortiGate Security 7.2 Study Guide, p. 167
upvoted 2 times

  Halmonte0780 4 months, 4 weeks ago


Answer is C: hard-timeout
FortiGate Security 7.2 Study Guide, p. 167
upvoted 3 times

  erawemk 5 months, 2 weeks ago

Selected Answer: C

Answer is C: hard-timeout
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Firewall/ta-p/189423
upvoted 2 times

  BoostBoris 10 months, 1 week ago


Selected Answer: C

Hard: time is an absolute value. Regardless of the user's behavior, the timer starts as soon as the user authenticates and expires after the configured value.
upvoted 3 times
Question #37 Topic 1

Which two statements explain antivirus scanning modes? (Choose two.)

A. In flow-based inspection mode, files bigger than the buffer size are scanned.

B. In proxy-based inspection mode, files bigger than the buffer size are scanned.

C. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

Correct Answer: CD

Community vote distribution


CD (100%)

  Slash_JM 2 months, 4 weeks ago

Selected Answer: CD

FortiGate Security 7.2 Study Guide p.350, 352


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: CD

Correct:
C. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

FortiGate Security 7.2 Study Guide (p.350 & 352):


"In flow-based inspection mode, the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Because the file is transmitted simultaneously, flow-based mode consumes more CPU cycles than proxy-based."
"Each protocol's proxy picks up a connection and buffers the entire file first (or waits until the oversize limit is reached) before scanning. The client must wait for the scanning to finish."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  D1360_1304 4 months, 2 weeks ago


CD are correct.
A and B are false in both cases.
upvoted 1 times

  Brandon534 5 months, 2 weeks ago

Selected Answer: CD

page 350 and 352


upvoted 2 times

  erawemk 5 months, 2 weeks ago

Selected Answer: CD

NSE4 FortiGate Security 7.2, pages 350 and 352


upvoted 2 times

  Eggrolls 6 months ago


Selected Answer: CD

C and D correct answer


upvoted 1 times

  emacip23 7 months, 4 weeks ago


Selected Answer: CD

CD correct
upvoted 1 times

  lrnt 9 months ago


C and D - Regardless of inspection mode, files bigger than buffer size are not scanned (Logging can be enabled)
upvoted 4 times
Question #38 Topic 1

Refer to the exhibits.

The exhibits show a network diagram and firewall configurations.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

A. Disable match-vip in the Deny policy.

B. Set the Destination address as Webserver in the Deny policy.

C. Enable match-vip in the Deny policy.

D. Set the Destination address as Deny_IP in the Allow_access policy.

Correct Answer: CD

Community vote distribution


BC (93%) 7%
  CISUG 1 month, 3 weeks ago
Answer is BC
see below link for explanation
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641
upvoted 1 times

  Slash_JM 2 months, 4 weeks ago

Selected Answer: BC

FortiGate Security 7.2 Study Guide p.114


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: BC

B. Set the Destination address as Webserver in the Deny policy.


C. Enable match-vip in the Deny policy.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


BC

A. Disable match-vip in the Deny policy.


- No, because you want to match destination IP 203.0.113.22
B. Set the Destination address as Webserver in the Deny policy.
- Yes - Source Remote_user2, dest Webserver (203.0.113.22).
- Best practice is to be explicit
C. Enable match-vip in the Deny policy.
- allows policy to match the Webserver - VIP IPs
D. Set the Destination address as Deny_IP in the Allow_access policy.
- No because we want to block Remote_user2
upvoted 3 times

  Knowledge33 2 months, 2 weeks ago


You're correct on the answers; it's B and C. But the explanation is wrong. B is correct because we use destination NAT, so in the firewall rule we need to match the private IP of the server and not the public IP. That's why B is correct but not D.
When FG receives a packet, it performs the DNAT first, then the firewall rule check.
upvoted 2 times

  Libexec 7 months, 3 weeks ago

Selected Answer: BC

Correct
upvoted 1 times

  emacip23 7 months, 4 weeks ago

Selected Answer: BC

B and C
upvoted 1 times

  zheka 9 months ago


You are wrong with D. Look at and read carefully this Fortinet guide, i.e. FortiGate_Security_7.2_Study_Guide, namely page 114. It says:
In case you want to block only traffic destined to one or more VIPs, you can reference the VIP as the destination address in the deny firewall policy.
The key here is the Deny policy, not the Allow policy.
upvoted 2 times

  lrnt 9 months ago


C and D - match-vip in the deny policy needs to be enabled (set match-vip enable) or the destination address needs to be the VIP object (set dstaddr "VIP object")
upvoted 1 times

  claumagagnotti 9 months, 2 weeks ago

Selected Answer: CD

Because they only want to block one public IP


upvoted 1 times

  claumagagnotti 9 months, 2 weeks ago


Selected Answer: CD
Because they only want to block one public IP
upvoted 1 times

  Poseidon458 10 months, 4 weeks ago


Selected Answer: BC
Answer should be BC. It makes sense that the destination address be the webserver which needs to be denied for IP Deny_IP
upvoted 4 times

  efot 11 months ago


Selected Answer: BC

Answer should be BC
upvoted 2 times

  chromevandium11 11 months, 2 weeks ago


Selected Answer: BC

Answer should be BC.


upvoted 3 times
Question #39 Topic 1

Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command shown in the exhibit.

If option 5 is used with the IPS diagnostic command and the outcome is a decrease in the CPU usage, what is the correct conclusion?

A. The IPS engine is unable to prevent an intrusion attack.

B. The IPS engine is inspecting a high volume of traffic.

C. The IPS engine will continue to run in a normal state.

D. The IPS engine is blocking all traffic.

Correct Answer: B

Community vote distribution


B (100%)

  BoostBoris Highly Voted  10 months, 1 week ago


B is correct. The IPS engine remains active, but doesn't inspect traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.
upvoted 8 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: B

FortiGate Security 7.2 Study Guide p.417


upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: B

B. The IPS engine is inspecting a high volume of traffic.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Dani_Prime 3 months, 1 week ago


B is correct:
fortinet-fortigate-security-study-guide-for-fortios-72 page 417

If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.
upvoted 1 times

  rian00z_ 4 months ago


Selected Answer: B

Correct answer: B
upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


B. Is correct.
upvoted 1 times

  Deep_Purple 4 months, 2 weeks ago


IMHO, A is correct:

Option 5 enables IPS bypass mode. In this mode, the IPS is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that particular FortiGate model. If the CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine that you must report to Fortinet's support.
Enterprise_Firewall_7.0_Study_Guide-Online pg 405
upvoted 1 times

  Eggrolls 6 months ago

Selected Answer: B

FortiGate_Security_7.2_Study_Guide page 417


upvoted 4 times
Question #40 Topic 1

Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

A. FTM

B. SSH

C. HTTPS

D. FortiTelemetry

Correct Answer: BC

Community vote distribution


BC (100%)

  Ygrec 1 month, 3 weeks ago


BC. Simple: two protocols.
upvoted 1 times

  Possa 2 months ago


Selected Answer: BC

B, C
FortiGate Security 7.2 Study Guide p.29
upvoted 1 times

  Slash_JM 2 months, 4 weeks ago

Selected Answer: BC

B and C
upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: BC

B. SSH
C. HTTPS

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  D1360_1304 4 months, 2 weeks ago


B and C, no doubts.
upvoted 1 times

  bolq 8 months, 1 week ago

Selected Answer: BC

B and C
upvoted 1 times

  Eiichi06328 9 months ago


BC yes
upvoted 2 times
Question #41 Topic 1

Which statement about video filtering on FortiGate is true?

A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

B. It does not require a separate FortiGuard license.

C. Full SSL inspection is not required.

D. Otis available only on a proxy-based firewall policy.

Correct Answer: B

Community vote distribution


D (88%) 13%

  zheka Highly Voted  8 months, 4 weeks ago


To support it is D take a look at NSE4_FGT-7.2 guide page 279
upvoted 5 times

  SamKar Most Recent  1 month ago


I guess Otis is just Misspelled, 'It is'!
upvoted 2 times

  Suru98 2 months, 2 weeks ago


what is Otis ??
upvoted 1 times

  Skubany32 2 months, 3 weeks ago


Otis Redding
upvoted 2 times

  Slash_JM 2 months, 4 weeks ago


Selected Answer: D

FortiGate Security 7.2 Study Guide p.279


upvoted 3 times

  ralphito 3 months ago


what is OTIS though?
upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: D

D. It is available only on a proxy-based firewall policy.

FortiGate Security 7.2 Study Guide (p.279):


"To apply the video filter profile, proxy-based firewall policies currently allow you to enable the video filter profile. You must enable full SSL inspection on the firewall policy."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 4 times

  Vic2911 3 months, 1 week ago

Selected Answer: D

D is correct, but contains a typo


"It is" available only on a proxy-based firewall policy
upvoted 2 times

  dsticht 3 months, 3 weeks ago


D. Otis was my favorite of the pips.
upvoted 2 times

  crose 4 months ago


The answer is (OTIS) = It is... only used in proxy based policies.

Which is true from Security 7.2 Video Filter under chapter 7


upvoted 2 times
  erawemk 5 months, 2 weeks ago

Selected Answer: B

B is correct
upvoted 1 times

  ianomax 6 months, 2 weeks ago

Selected Answer: D

Video filtering is only proxy-based


https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/860867/filtering-based-on-fortiguard-categories
upvoted 3 times

  joeytrib 7 months ago


D is the correct answer
upvoted 2 times

  Ibrahimadwan 7 months ago


D is correct
upvoted 1 times

  rgeneson 7 months, 1 week ago

Selected Answer: D

It looks to me like 'Otis' is a mistyped 'It is' -- in any case D is the correct answer.
upvoted 1 times

  ssssss_12345 9 months ago

Selected Answer: D

Not A - Video Filtering FortiGuard categories are based on a combination of popular online video provider categories, not web filter FortiGuard categories
Not B - It is part of the FortiGuard "service", but requires a SEPARATE license bundled with the other FortiGuard security services
NOT C - video filtering DOES require full SSL inspection

By process of elimination, the answer is D - but I can't find any documentation specifically for "Otis"....but video filtering in general should be applied to only proxy-based FW policies
upvoted 4 times

  tattybizzy 9 months, 1 week ago


D.
The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection. The FortiGuard Video filtering service is based on a valid FortiGuard web filter license.
upvoted 2 times
Question #42 Topic 1

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A. The collector agent must search Windows application event logs.

B. The NetSessionEnum function is used to track user logouts.

C. NetAPI polling can increase bandwidth usage in large networks.

D. The collector agent uses a Windows API to query DCs for user logins.

Correct Answer: D

Community vote distribution


B (69%) C (23%) 8%

  NaturehasIT Highly Voted  10 months, 1 week ago


I really want to advise all who are studying and taking the exam soon. For Question #42, the answer is C. NetAPI polling can increase bandwidth usage in large networks.
The reason is that when NetAPI polls sessions created on the DC, it only polls user logins and NOT logouts, and it does this every 9 seconds if the default timer is used. Hence, it will generate a lot of bandwidth in large networks.
upvoted 13 times

  MtoE Most Recent  4 weeks, 1 day ago

Selected Answer: C

NetAPI polling does not track user logout through the NetSessionEnum function. This function is used to retrieve info about sessions established on a server, but it does not specifically track user logouts.
upvoted 1 times

  Matawa100 1 month, 1 week ago

Selected Answer: C

FSSO CANNOT get logout on an AD server.

Answer is C.
upvoted 1 times

  LAFNELL 1 month, 3 weeks ago

Selected Answer: B

Answer is B you can check FortiGate Infrastructure 7.2 Study Guide p.128
NetAPI: Polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows.
upvoted 1 times

  Kiran_k2 2 months, 1 week ago


Ans B: NetAPI polling uses the NetSessionEnum Microsoft API from netapi32.dll to detect the users that have established a session on the domain controller.
upvoted 1 times

  netwkguy99 2 months, 3 weeks ago

Selected Answer: D

I think D stands as the correct answer because the question is asking what correctly describes the polling mode. In this case, the polling method scans a Microsoft or Windows DC using the Windows API (netapi32.dll) for logged-in users.

https://community.fortinet.com/t5/FortiGate/Technical-Note-FSSO-NetAPI-polling-bandwidth-usage-calculator/ta-p/196417
upvoted 2 times

  johncz88 2 months, 3 weeks ago

Selected Answer: C

C is the correct answer.


upvoted 1 times

  Slash_JM 2 months, 4 weeks ago


Selected Answer: B

FortiGate Infrastructure 7.2 Study Guide p.128


upvoted 1 times

  Kain1077 3 months ago


Selected Answer: C

Polling doesn't use user logouts, only logins. The correct answer is C, increased network bandwidth.
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. The NetSessionEnum function is used to track user logouts.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Gorgoyle 3 months, 3 weeks ago


Selected Answer: B

NetAPI: Polls temporary sessions created on the DC when a user logs in or out and calls the NetSessionEnum function on Windows. It is faster than WinSec and WMI but in turn might miss some login events if the DC is under heavy load. This is because sessions can be quickly created and purged from RAM before the agent has time to poll and notify FG.
upvoted 2 times

  rian00z_ 3 months, 4 weeks ago

Selected Answer: C

IMHO correct answer C


upvoted 2 times

  Deep_Purple 4 months, 2 weeks ago


IMHO, C
Logged-in users are detected not logged-out...
https://community.fortinet.com/t5/FortiGate/Technical-Note-FSSO-NetAPI-polling-bandwidth-usage-calculator/ta-p/196417#:~:text=The%20FSSO%20NetAPI%20polling%20mode,session%20on%20the%20domain%20controller.
upvoted 3 times

  Jumpy007 3 months ago


Wrong, it polls when a user logs in or out. B is correct.
upvoted 1 times

  ansalias 5 months, 1 week ago


A as stated in
https://community.fortinet.com/t5/FortiGate/Technical-Note-FSSO-NetAPI-polling-bandwidth-usage-calculator/ta-p/196417?externalID=FD34906
upvoted 2 times

  erawemk 5 months, 2 weeks ago


Selected Answer: B

Based on FortiGate_Infrastructure_7.2_Study_Guide page 128


upvoted 3 times

  RabbitB 6 months ago


Selected Answer: B

NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows. It's faster than the WinSec and WMI methods; however, it can miss some login events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify FortiGate.
upvoted 3 times

  Edderdinho 6 months, 3 weeks ago

Selected Answer: B

Correct: B
FortiGate Infrastructure p. 128.
upvoted 1 times
Question #43 Topic 1

What are two features of FortiGate FSSO agentless polling mode? (Choose two.)

A. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

B. FortiGate uses the AD server as the collector agent.

C. FortiGate directs the collector agent to use a remote LDAP server.

D. FortiGate does not support workstation check.

Correct Answer: AD

Community vote distribution


AD (100%)

  efot Highly Voted  11 months ago


Limitations of agentless polling mode.

- If there are many user logins at the same time, the FSSO daemon may miss some.

- Winsec polling only.

- No NTLM.

- No workstation checks and dead entry.

- FSSO-polling Agentless may not work correctly with nested user groups.

- More CPU consuming with local polling.


upvoted 5 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: AD

FortiGate Infrastructure 7.2 Study Guide p.130


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: AD

A. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
D. FortiGate does not support workstation check.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Brandon534 5 months, 2 weeks ago


Selected Answer: AD

AD correct. page 130 correct


upvoted 3 times

  erawemk 5 months, 2 weeks ago


Selected Answer: AD

FortiGate_Infrastructure_7.2_Study_Guide page 130


upvoted 4 times

  efot 11 months ago

Selected Answer: AD

Correct Answer is AD
upvoted 3 times
Question #44 Topic 1

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A. Intrusion prevention system engine

B. Application control engine

C. Antivirus engine

D. Turbo engine

Correct Answer: B

Community vote distribution


A (100%)

  lrnt Highly Voted  9 months ago


A - IPS Engine is used by Application Control, AV, Web filter and Email filter
upvoted 7 times

  BoostBoris Highly Voted  10 months, 1 week ago

Selected Answer: A

Application Control uses IPS engine


upvoted 5 times

  Slash_JM Most Recent  2 months, 4 weeks ago

Selected Answer: A

FortiGate Security 7.2 Study Guide p.296


upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: A

A. Intrusion prevention system engine

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


A - IPS Engine is used
upvoted 2 times

  joeytrib 7 months ago

Selected Answer: A

A is the correct answer


upvoted 1 times

  efot 11 months ago

Selected Answer: A

Correct answer is A
upvoted 2 times

  fotboll123 11 months, 1 week ago


Correct answer is A
upvoted 4 times
Question #45 Topic 1

Refer to the exhibit.

Based on the routing database shown in the exhibit, which two conclusions can you make about the routes? (Choose two.)

A. The port3 default route has the lowest metric.

B. The port1 and port2 default routes are active in the routing table.

C. The ports default route has the highest distance.

D. There will be eight routes active in the routing table.

Correct Answer: CD

Community vote distribution


BC (89%) 11%

  Timbal Highly Voted  6 months, 1 week ago


I found in other questionnaires the well-written options (here they are not written correctly):
a.- The port3 default route has the lowest metric, making it the best route.
b.- Both port1 and port2 default routes are active in the routing table.
c.- The port3 default route has a higher distance than the port1 and port2 default routes.
d.- There will be eight routes active in the routing table.

So the correct answers are B & C.


upvoted 14 times

  Slash_JM Most Recent  2 months, 3 weeks ago

Selected Answer: BC

FortiGate Infrastructure 7.2 Study Guide p.57-58


upvoted 2 times

  raydel92 3 months, 1 week ago


Selected Answer: BC

Correct:
B. The port1 and port2 default routes are active in the routing table.
C. The "port3" default route has the highest distance.

C option correctly written in Question 41:


https://www.examtopics.com/exams/fortinet/nse4_fgt-70/view/11/

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  myrmidon3 3 months, 2 weeks ago

Selected Answer: BC

B is CORRECT because port1 and 2 are active routes.


C is CORRECT because 20 indicates an administrative distance of 20 out of a range of 0 to 255. 0 is an additional metric associated with this route, such as in OSPF.
https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/139692/routing-concepts
upvoted 1 times
  darkstar15 3 months, 2 weeks ago
I think the image is wrong:
For example, when two static routes to the same destination subnet have different distances, the one with the lower distance is active. The one with the higher distance is inactive.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-identify-Inactive-Routes-in-the-Routing/ta-p/197595
upvoted 1 times

  MomoBill 3 months, 3 weeks ago


B and C are correct, except there is a typo in C
upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


A and C could be correct but they are wrongly formulated.
B. Correct.
D. False
upvoted 2 times

  exiled2019 5 months ago


I believe A & B are correct.
upvoted 2 times

  erawemk 5 months, 2 weeks ago


Selected Answer: BC

Please correct the wording of C; the other options make no sense
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


BC is correct
upvoted 1 times

  HernandoZ 6 months, 1 week ago

Selected Answer: BC

Answer C contains a typo (port3, not ports), see Timbal's explanation


upvoted 2 times

  joeytrib 7 months ago

Selected Answer: BC

BC are correct answers


upvoted 2 times

  yamahaforti 7 months ago


A - Can't be right since every route has metric value of 0
B - Correct since they are active
C - No they don't. A value of [10/0] is lower than port3 route that has [20/0]
D - Where is the eight route?

Check page 57 in FortiGate_Infrastructure_7.2_Study_Guide-Online.pdf


upvoted 3 times

  sb_alves 7 months, 1 week ago

Selected Answer: AB

I believe that C is a prank, so I understand that answers A and B are correct


upvoted 2 times

  tattybizzy 9 months, 1 week ago


BC is the correct answer
upvoted 1 times

  BoostBoris 10 months, 1 week ago


Selected Answer: BC

Bit confusing… Routes with *> are active. So port1 and port2. Answer B.
For C, I guess there is a typo and meant port3 has the highest distance, which is true
upvoted 4 times

  sb_alves 7 months, 1 week ago


I believe that C is a prank, so I understand that answers A and B are correct
upvoted 2 times

  efot 11 months ago


Selected Answer: BC

Correct Answer is BC
upvoted 2 times
Question #46 Topic 1

Refer to the exhibits.

The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

A. The firewall policy performs a full content inspection on the file.

B. The intrusion prevention security profile must be enabled when using flow-based inspection mode.

C. Flow-based inspection is used, which resets the last packet to the user.

D. The volume of traffic being inspected is too high for this model of FortiGate.

Correct Answer: C

Community vote distribution


C (100%)

  BoostBoris Highly Voted  10 months, 1 week ago


In flow-based inspection, when a virus is detected on a TCP session where some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore can't be opened. The IPS engine also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
upvoted 13 times

  erawemk Highly Voted  5 months, 2 weeks ago

Selected Answer: C

NSE4_FortiGate_Security_7.2_Study_Guide page 350


upvoted 5 times

  Slash_JM Most Recent  2 months, 3 weeks ago

Selected Answer: C

FortiGate Security 7.2 Study Guide p.350


upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: C

C. Flow-based inspection is used, which resets the last packet to the user.
Reference and download study guide:
https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  darkstar15 4 months, 2 weeks ago


Security 7_2 pag. 363.
For flow-based inspection mode scanning, if a virus is detected at the start of the stream, the block replacement page is displayed at the first attempt. If a virus is detected after a few packets have been transmitted, the block replacement page is not displayed. However, FortiGate caches the URL and can display the replacement page immediately, on the second attempt.
upvoted 1 times

Question #47 Topic 1

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

A. FortiGuard web filter cache

B. FortiGate hostname

C. DNS

D. NTP

Correct Answer: CD

Community vote distribution


CD (100%)

  Slash_JM 2 months, 3 weeks ago

Selected Answer: CD

FortiGate Infrastructure 7.2 Study Guide p.306


By elimination, it's C (DNS) and D (NTP)
upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: CD

C. DNS
D. NTP

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  rgeneson 7 months, 1 week ago


Selected Answer: CD

In the 7.2 Infrastructure Guide (page 306) the list of configuration settings that are NOT synchronized includes both 'FortiGate host name' and
'Cache'
upvoted 3 times

  BoostBoris 10 months, 1 week ago

Selected Answer: CD

FortiGate hostname and cache (such as FortiGuard web filtering cache) are NOT synchronized
upvoted 3 times
Question #48 Topic 1

On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

A. Forward traffic logs

B. Local traffic logs

C. Security logs

D. System event logs

Correct Answer: D

Community vote distribution


B (100%)

  Rian 2 months, 3 weeks ago


D: Page 17 of the FortiGate Security 7.2 Study Guide: Local information is logged directly to and from the FortiGate management IP addresses?
upvoted 1 times

  Slash_JM 2 months, 3 weeks ago

Selected Answer: B

FortiGate Security 7.2 Study Guide p.176


upvoted 1 times

  P4rr0ts 3 months, 1 week ago

Selected Answer: B

B. Correct !
upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: B

B. Local traffic logs

FortiGate Security 7.2 Study Guide (p.176):


"Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to
the GUI and FortiGuard queries."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times
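Added example (not from the study guide or from any poster above): the distinction between forward and local traffic logs is easiest to see in the log records themselves, where the subtype field says which one you are looking at. The block below parses a few constructed lines in FortiGate's key=value log style, keeps only the local-traffic records, marks them inbound or outbound relative to an assumed set of management addresses, and pulls out denied inbound attempts on the management plane. Field names and sample values are assumptions for illustration, not a capture from a real device.

```python
import re

# Constructed sample lines in FortiGate's key=value log layout (assumed
# field set; not copied from a real unit).
SAMPLE_LOGS = [
    'date=2024-01-10 time=09:01:12 type="traffic" subtype="forward" srcip=10.0.1.10 dstip=93.184.216.34 dstport=443 service="HTTPS" action="accept"',
    'date=2024-01-10 time=09:01:15 type="traffic" subtype="local" srcip=10.0.1.10 dstip=10.0.1.254 dstport=443 service="HTTPS" action="accept"',
    'date=2024-01-10 time=09:01:20 type="traffic" subtype="local" srcip=10.0.1.254 dstip=96.45.45.45 dstport=853 service="DoT" action="accept"',
    'date=2024-01-10 time=09:01:31 type="traffic" subtype="local" srcip=203.0.113.7 dstip=10.200.1.1 dstport=22 service="SSH" action="deny"',
    'date=2024-01-10 time=09:02:00 type="event" subtype="system" logdesc="Admin login failed"',
]

# Assumed management addresses of the FortiGate (LAN and WAN interface IPs).
MGMT_IPS = {"10.0.1.254", "10.200.1.1"}

# key=value, where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict (quotes stripped)."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def local_traffic(lines, mgmt_ips=MGMT_IPS):
    """Return the records with type=traffic and subtype=local, i.e. traffic to
    or from the FortiGate itself (GUI/SSH sessions, FortiGuard queries, DNS).
    Each record gets a 'direction' key based on whether dstip is a management IP."""
    result = []
    for line in lines:
        rec = parse_log(line)
        if rec.get("type") == "traffic" and rec.get("subtype") == "local":
            rec["direction"] = "inbound" if rec.get("dstip") in mgmt_ips else "outbound"
            result.append(rec)
    return result


def denied_mgmt_access(lines, mgmt_ips=MGMT_IPS):
    """Inbound local-traffic records that were denied: a quick 'who is knocking
    on the management plane' check built from the same log stream."""
    return [r for r in local_traffic(lines, mgmt_ips)
            if r["direction"] == "inbound" and r.get("action") == "deny"]


if __name__ == "__main__":
    for r in local_traffic(SAMPLE_LOGS):
        print(r["direction"], r["srcip"], "->", r["dstip"], r.get("service"), r.get("action"))
```

The forward-traffic line (subtype=forward) is dropped because it is user traffic passing through the unit, which is the point of the question: only subtype=local describes traffic terminating on or originating from the FortiGate's own addresses.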

  rian00z_ 4 months ago


Selected Answer: B

D, never... correct answer: B; Local traffic logs


upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


B. correct.
upvoted 1 times

  AgentSmith 5 months, 3 weeks ago


B. Local traffic logs contain information about traffic directly to and from the FortiGate
upvoted 1 times

  AgentSmith 5 months, 4 weeks ago


B. Local Traffic logs
upvoted 1 times

  rgeneson 7 months, 1 week ago

Selected Answer: B

7.2 Security Study Guide states B directly on page 176.


upvoted 3 times

  BoostBoris 10 months, 1 week ago

Selected Answer: B

Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to
the GUI and FortiGuard queries.
upvoted 4 times

  yasirmohy 9 months, 1 week ago


FortiGate Security 6.4 Study Guide - page 256
upvoted 1 times

  fotboll123 11 months, 1 week ago


The correct answer is B
upvoted 2 times

  chromevandium11 11 months, 2 weeks ago

Selected Answer: B

Answer should be B.
upvoted 2 times
Question #49 Topic 1

Refer to the exhibit.

Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit.

What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?

A. Traffic matching the signature will be allowed and logged.

B. The signature setting includes a group of other signatures.

C. Traffic matching the signature will be silently dropped and logged.

D. The signature setting uses a custom rating threshold.

Correct Answer: C

Community vote distribution


C (93%) 7%

  rgeneson Highly Voted  7 months, 1 week ago

Selected Answer: C

The correct answer is C, take a look at the 7.2 Security study guide page 394:

Select Block to silently drop traffic matching any of the signatures included in the entry.

So, while the default action would be 'Pass' for this signature the administrator is specifically overriding that to set the Block action. To use the
default action the setting would have to be 'Default'.
upvoted 9 times

  raydel92 Most Recent  3 months, 1 week ago

Selected Answer: C

C. Traffic matching the signature will be silently dropped and logged.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  erawemk 5 months, 2 weeks ago


Selected Answer: C

Correct answer is C because the IPS action is set to block; if the action is set to default it will allow the traffic.
upvoted 2 times

  Bund 6 months ago


Selected Answer: C

allow but final is block by IPS


upvoted 1 times

  sb_alves 7 months, 1 week ago

Selected Answer: C

I didn't understand this application Control link if the theme is IPS... The right answer is C
upvoted 1 times
  alex4988 7 months, 2 weeks ago

Selected Answer: A

Answer A reference
http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control
upvoted 1 times

  sb_alves 7 months, 1 week ago


I didn't understand this application Control link if the theme is IPS... The right answer is C
upvoted 1 times

Question #50 Topic 1

An administrator configures outgoing interface any in a firewall policy.

What is the result of the policy list view?

A. Search option is disabled.

B. Policy lookup is disabled.

C. By Sequence view is disabled.

D. Interface Pair view is disabled.

Correct Answer: D

Community vote distribution


D (92%) 8%

  rgeneson Highly Voted  7 months, 1 week ago

Selected Answer: D

From the 7.2 Security Study Guide page 75:

"If you use multiple source or destination interfaces, or the any interface in a firewall policy, you cannot separate policies into sections by interface
pairs—some would be triplets or more. So instead, policies are then always displayed in a single list (By Sequence)."

Thus the correct answer is D -- Interface Pair view is disabled.


upvoted 8 times

  raydel92 Most Recent  3 months, 1 week ago

Selected Answer: D

D. Interface Pair view is disabled.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  e359166 5 months ago


D is the correct answer. If policies are created using multiple source and destination interfaces or the ANY interface, By Sequence is the only option
(Interface Pair view is disabled).
upvoted 1 times

  sb_alves 7 months, 1 week ago


Selected Answer: D

The correct answer is D


upvoted 2 times

  alex4988 7 months, 2 weeks ago

Selected Answer: A

"If you use multiple source or destination interfaces, or the any interface in a firewall policy, you cannot separate policies into sections by interface
pairs—some would be triplets or more. So instead, policies are then always displayed in a single list (By Sequence)."
upvoted 1 times

  Tutepy 7 months, 1 week ago


You meant D then, right?
upvoted 3 times
Question #51 Topic 1

Which statement describes a characteristic of automation stitches?

A. They can have one or more triggers.

B. They can be run only on devices in the Security Fabric.

C. They can run multiple actions simultaneously.

D. They can be created on any device in the fabric.

Correct Answer: C

Community vote distribution


C (100%)

  Niels123 2 months, 3 weeks ago


C is correct
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: C

Correct:
C. They can run multiple actions simultaneously.
Incorrect:
A. They can have one or more triggers.
B. They can be run only on devices in the Security Fabric.
D. They can be created on any device in the fabric.

FortiGate Security 7.2 Study Guide (p.443):


A - "Each automation stitch pairs a trigger and one or more actions."
B - "However, the Security Fabric is not required to use stitches."
C - "Can run actions sequentially or in parallel"
D - "Can be created only on the root FortiGate in the Security Fabric"

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Eggrolls 6 months ago

Selected Answer: C

FortiGate_Security_7.2_Study_Guide page 443


upvoted 2 times

  Phil708 6 months, 4 weeks ago

Selected Answer: C

A - Incorrect - 1 trigger for 1+ action


B - Incorrect - Must be created on Root device but can run on any device
C - Correct
D - Incorrect - Security Fabric not required
upvoted 1 times

  HeartOrange 10 months ago

Selected Answer: C

Actions can be run sequentially or in parallel per the slides from NSE 4 FortiGate Security 7.2 - Security Fabric.
upvoted 2 times

  Robinbehreccna 11 months ago


Selected Answer: C

C is correct; here under actions, it says one or more: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/351998/creating-automation-stitches
upvoted 1 times
Question #52 Topic 1

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination
port of the packet be, after FortiGate forwards the packet to the destination?

A. 10.0.1.254, 10.0.1.10, and 443, respectively

B. 10.0.1.254, 10.0.1.10, and 10443, respectively

C. 10.200.3.1, 10.0.1.10, and 443, respectively

Correct Answer: C

Community vote distribution


A (80%) C (20%)
  Phil708 Highly Voted  6 months, 4 weeks ago

Selected Answer: A

A is correct.

NAT on the policy means the source gets translated from 10.200.3.1 to 10.0.1.254. The VIP performs DNAT which changes the destination from
10.200.1.10 to 10.0.1.10. Then port forwarding translates the port from 10443 to 443.
upvoted 21 times
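Added example (not from the study guide or from any poster in this thread): the disagreement between A and C in the votes below comes down to one thing, whether the policy's NAT toggle is on. The block below models the two translation steps in the order FortiGate applies them: the VIP (DNAT with port forwarding) is resolved first, then the policy's source NAT is applied on egress using the outgoing interface address unless an IP pool is set. The VIP and policy objects are assumptions modelled on the exhibit as the posters describe it; the same function is run with NAT on and NAT off so both answers can be reproduced.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class VIP:
    """Virtual IP object: external ip/port mapped to an internal host.
    Values are assumed from the question text, not read from the exhibit."""
    extip: str
    extport: int
    mappedip: str
    mappedport: int
    portforward: bool = True


@dataclass
class Policy:
    """The subset of a firewall policy that matters for address translation."""
    srcintf: str
    dstintf: str
    dstaddr: VIP
    nat: bool                      # the policy's NAT toggle (source NAT)
    dstintf_ip: str                # outgoing interface address, used when nat is on and no IP pool is set
    ippool: Optional[str] = None   # an IP pool address, if set, replaces the interface address


def forward(policy: Policy, srcip: str, dstip: str, dport: int) -> Optional[Tuple[str, str, int]]:
    """Return (srcip, dstip, dport) as the packet leaves FortiGate, or None if
    the packet does not hit the VIP. The VIP (DNAT) is resolved before the
    policy is matched; the policy's SNAT is applied afterwards on egress."""
    vip = policy.dstaddr
    hits_vip = dstip == vip.extip and (not vip.portforward or dport == vip.extport)
    if not hits_vip:
        return None
    dstip = vip.mappedip
    if vip.portforward:
        dport = vip.mappedport
    if policy.nat:
        srcip = policy.ippool or policy.dstintf_ip
    return srcip, dstip, dport


# The scenario from the question: VIP 10.200.1.10:10443 -> 10.0.1.10:443,
# policy from port1 (WAN) to port3 (LAN, 10.0.1.254).
VIP_10443 = VIP("10.200.1.10", 10443, "10.0.1.10", 443)
POLICY_NAT_ON = Policy("port1", "port3", VIP_10443, nat=True, dstintf_ip="10.0.1.254")
POLICY_NAT_OFF = Policy("port1", "port3", VIP_10443, nat=False, dstintf_ip="10.0.1.254")

if __name__ == "__main__":
    print("NAT on :", forward(POLICY_NAT_ON, "10.200.3.1", "10.200.1.10", 10443))
    print("NAT off:", forward(POLICY_NAT_OFF, "10.200.3.1", "10.200.1.10", 10443))
```

With NAT on the result is option A (10.0.1.254, 10.0.1.10, 443); with NAT off it is option C (10.200.3.1, 10.0.1.10, 443). Note the security angle raydel92 quotes further down: once SNAT is on, the internal server sees every connection as coming from 10.0.1.254, which hides the real client address from the server's own logs and access controls.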

  rgeneson Highly Voted  7 months, 1 week ago

Selected Answer: A

The correct answer is A because this rule is set-up with BOTH SNAT and DNAT enabled (which is very uncommon in the real world.)

The Destination is a VIP with Port Forwarding which means the FortiGate has to translate the incoming requests destination IP and port to the
internal resource's IP and port. Thus destination translation occurs from 10.200.1.1:10443 to 10.0.1.10:443.

The firewall rule itself also has NAT set to Enabled. The default setting for this type of source NAT is 'Use Outgoing Interface Address' (in this case
port3's IP) and, given the options, this must be set in this case. Thus source translation occurs from 10.200.3.1 to 10.0.1.254.

For more information see: https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/


upvoted 12 times

  Amrrax 6 months, 2 weeks ago


Correct, in the rule there is the nat enable and this change the source ip
upvoted 3 times

  erawemk 5 months, 2 weeks ago


I think this is not very uncommon; instead it is normal in the real world, and it only works that way if you use a secondary IP or IP pool for NAT.
upvoted 1 times

  raydel92 3 months, 1 week ago


FortiGate Security 7.2 Study Guide (p.130):
"Use the following best practices when implementing NAT:
- Don’t configure a NAT rule for inbound traffic unless it is required by an application. For example, if there is a matching NAT rule for inbound
SMTP traffic, the SMTP server might act as an open relay."
upvoted 1 times

  marwan93 Most Recent  1 month ago


C is correct
IP Header usually does not change the src-ip and dst-ip address for any packet end-to-end but since we have NAT it will just translate the dst-ip so
the correct answer should be C
upvoted 2 times

  Samhain666 3 months, 1 week ago


C is correct.
DNAT takes precedent on the incoming traffic, and no rule is configured to translate incoming traffic to the port 3 address.
upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: A

A. 10.0.1.254, 10.0.1.10, and 443, respectively

Translations:
10.200.3.1 --> 10.0.1.254 because NAT enable in firewall policy
10.200.1.10 --> 10.0.1.10 because VIP as Destination
10443 --> 443 because Port Forwarding enabled on VIP

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Vic2911 3 months, 1 week ago

Selected Answer: A

A is the right answer. The policy has NAT enabled, so the original IP is NATted using the outgoing interface IP address.
upvoted 1 times

  rian00z_ 4 months ago

Selected Answer: A

Correct answer: A
upvoted 1 times

  imwatever 5 months, 1 week ago


Selected Answer: A

Lab tested.
upvoted 2 times
  lupnoob 5 months, 1 week ago

Selected Answer: C

C for sure. If IP pool is used, NAT column should show the IP pool name.
NAT column will show
upvoted 1 times

  lupnoob 5 months, 1 week ago


C for sure. If IP pool is used, NAT column should show the IP pool name.
NAT column will show enabled even when VIP is configured at destination.
upvoted 1 times

  Vences 6 months ago

Selected Answer: C

Definitely C, DNAT does not change source IP address, only destination - tried it several times.
upvoted 2 times

  mirosaty 4 weeks, 1 day ago


Did you enable NAT which translate public ip to private ip in this scenario?
upvoted 1 times

  Bund 6 months ago


Selected Answer: C

should C
upvoted 1 times

  HernandoZ 6 months, 1 week ago


Selected Answer: A

I agree with Phil708, so A it is


upvoted 1 times

  leocopek 6 months, 2 weeks ago


Selected Answer: A

A is correct, the IP pool NAT is enabled


upvoted 1 times

  SH_ 6 months, 2 weeks ago

Selected Answer: A

See Phil708's explanation.


upvoted 1 times

  Clicky 7 months, 2 weeks ago

Selected Answer: A

After Firewall the packet source will be the LAN port (10.0.1.254) and the destination will be 10.0.1.10 with port 443
upvoted 1 times

  Moe1416 7 months, 3 weeks ago

Selected Answer: C

C for Sure
upvoted 2 times
Question #53 Topic 1

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only
VDOM with internet access and is directly connected to the ISP modem.

What can you conclude about this configuration?

A. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

B. A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.

C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

D. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Correct Answer: C

Community vote distribution


D (89%) 5%

  Jumpy007 3 months ago

Selected Answer: D

FortiGate_Infrastructure_7.2 page 101


You cannot create an inter-VDOM link between layer 2 transparent VDOMs (C is wrong). At least one of the VDOMs must be operating in NAT mode.
upvoted 2 times

  raydel92 3 months, 1 week ago


Selected Answer: D

D. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  darkstar15 4 months, 1 week ago


The answer is D: FortiGate_Infrastructure_7.2 page 101
Transparent to transparent is not possible because there is no layer 3; potential layer 2 loops.
upvoted 2 times

  erawemk 5 months, 2 weeks ago


Selected Answer: D

A. The management VDOM ALWAYS needs access to the internet


B. Is not true; you ALWAYS need a default route to access the internet, whether it is set manually or via DHCP
C. Static routes are not needed for subnets to which FortiGate has direct layer 2 connectivity (FortiGate_Infrastructure_7.2_Study_guide page 11)
D. Correct
upvoted 4 times

  clrf26 5 months, 3 weeks ago


A. "Correct".
B. "False". When you create a new VDOM you don't have any route defined, usually one define 0.0.0.0/0.0.0.0 as a default static route to the
internet.
C. "Wrong" Both VDOMS are in Transparent Mode at least one must be In NAT Mode, a VLINK will potentially create a Layer 2 loop.
D. "Not Wrong, but unnecessary" In the exhibit the Root VDOM is used only as a management VDOM, as a best practice a VLINK is not required to
allow traffic between the Local and Root VDOMs.

FG Infrastructure 7.2 Study Guide Online Page 100.


upvoted 2 times

  clrf26 5 months, 3 weeks ago


Correction!!!! The correct one is "D". "A" is false as the management VDOM Root needs to reach the internet.
upvoted 3 times

  Eggrolls 6 months ago

Selected Answer: D

A Static route is ALWAYS required to access internet. B conclusion is false.


FortiGate_Infrastructure_7.2_Study_Guide page 11.
upvoted 2 times

  cisco1750 6 months ago

Selected Answer: B

B makes more sense than others for me since the default gateway can be learned via DHCP, no static route is really needed.
upvoted 1 times

  cisco1750 6 months ago


B makes more sense for me since the default gateway can be learned via DHCP, so no static route is really needed. The question does not describe
any traffic that would require any inter-VDOM link; for example, I don't see any requirement for connecting the root VDOM to anywhere via an
inter-VDOM link.
upvoted 1 times

  leocopek 6 months, 2 weeks ago

Selected Answer: D

D is correct. local and dmz are in transparent mode


upvoted 3 times

  Schwartzden 9 months, 2 weeks ago

Selected Answer: A

You would need inter-VDOM links to the Local and DMZ VDOMs from the internet VDOM to get out on the internet. You do not need a link between the root and
the internet since it is used for management. That's under the section on inter-VDOM links.
upvoted 1 times

  Schwartzden 9 months, 2 weeks ago


I take that back. Went back over material. Root VDOM should have internet access in case something breaks. I agree answer is D
upvoted 6 times

  efot 11 months ago


Answer is D. Before configuring inter-VDOM routing:

You must have at least two virtual domains configured.


The virtual domains must all be in NAT mode.
Each virtual domain to be linked must have at least one interface or subinterface assigned to it.
upvoted 4 times

  efot 11 months ago


Selected Answer: D

Correct Answer is D
upvoted 2 times

  Spyder_Byte 11 months, 1 week ago


Selected Answer: D

C: wrong because one of the vdoms has to be in nat mode to create a link.
upvoted 2 times

  Ney_mediana 11 months, 1 week ago


D. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
upvoted 1 times
Question #54 Topic 1

Refer to the exhibit.

The exhibit shows the output of a diagnose command.

What does the output reveal about the policy route?

A. It is an ISDB route in policy route.

B. It is a regular policy route.

C. It is an ISDB policy route with an SDWAN rule.

D. It is an SDWAN rule in policy route.

Correct Answer: C

Community vote distribution


D (90%) 10%

  [Removed] Highly Voted  6 months ago

Selected Answer: D

Answer is D, ref FortiGate 7.2 Infrastructure page 59


In diagnose firewall proute list, if:
* ID <= 65535 then its a regular policy route
* ID >= 65535 without vwl_service field then it is ISDB route
* ID >=65535 with vwl_service field then it is SD-WAN rule.
upvoted 15 times

  jfff Most Recent  1 month ago

Selected Answer: D

Answer D
See Fortinet Article:https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-find-out-the-Policy-Route-Types/ta-p/270555
upvoted 1 times

  costavo 2 months ago


D. It is an SDWAN rule in policy route.
upvoted 2 times

  Rian 2 months, 3 weeks ago


I don't know why the suggested answer is C. it should be D: Page 59, slide 55 in the FortiGate Infrastructure 7.1 study guide, clearly states it is a
SDWAN and the vwl-service=1.
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: D

D. It is an SDWAN rule in policy route.

FortiGate Infrastructure 7.2 Study Guide (p.59):


"ISDB routes and SD-WAN rules are assigned an ID higher than 65535. However, SD-WAN rule entries include the vwl_service field, and ISDB route
entries don’t."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Leodoro 3 months, 3 weeks ago

Selected Answer: D
The answer is D.
ID >= 65535 and vwl_service tag means SD-WAN.
upvoted 2 times

  rian00z_ 4 months ago

Selected Answer: D

Correct answer: D
upvoted 2 times

  darkstar15 4 months, 1 week ago


The answer is D.
There are three types of policy routes displayed in the policy route table: regular policy routes, ISDB routes, and SD-WAN rules.
upvoted 1 times

  Timbal 6 months, 1 week ago


The correct answer is D

Examples:
Static route with “Internet Services”:

id=2113929252 static_route=36 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=8(wan2)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Adobe-DNS(917507,0,0,0)

SD-WAN rule with Internet Services:

id=2134507527(0x7f3a0007) vwl_service=7(SDWanRulewithIS) vwl_mbr_seq=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(1) oif=8(wan2)
source(1): 192.168.0.0-192.168.0.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Adobe-Adobe.Experience.Cloud(917640,0,0,0)
hit_count=0 last_used=2023-06-10 17:24:19
upvoted 3 times
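Added example (not from the study guide or from any poster in this thread): the classification rule quoted above (ID at or below 65535 is a regular policy route; above 65535 without vwl_service is an ISDB route; above 65535 with vwl_service is an SD-WAN rule) is simple enough to script, which is handy when auditing a unit with many entries in diagnose firewall proute list. The block below parses constructed entries written in the style of the output pasted above (the layout is assumed from those examples, not a verbatim device capture) and tags each one.

```python
import re

# Constructed entries in the style of 'diagnose firewall proute list'
# (field layout assumed from the examples in the thread; not a real capture).
PROUTE_SAMPLE = """\
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=5(port3) dport=1-65535 path(1) oif=3(port1)
source(1): 10.0.1.0-10.0.1.255
destination wildcard(1): 0.0.0.0/0.0.0.0

id=2113929252 static_route=36 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=8(wan2)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Adobe-DNS(917507,0,0,0)

id=2134507527(0x7f3a0007) vwl_service=7(SDWanRulewithIS) vwl_mbr_seq=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(1) oif=8(wan2)
source(1): 192.168.0.0-192.168.0.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Adobe-Adobe.Experience.Cloud(917640,0,0,0)
"""

ID_RE = re.compile(r"^id=(\d+)")
VWL_RE = re.compile(r"\bvwl_service=(\d+)\(([^)]*)\)")
OIF_RE = re.compile(r"\boif=\d+\(([^)]*)\)")

REGULAR_MAX_ID = 65535   # per the study guide: ISDB routes and SD-WAN rules get IDs above this


def classify(entry):
    """Classify one proute entry (the text block starting at 'id=')."""
    m = ID_RE.match(entry)
    if not m:
        return None
    rid = int(m.group(1))
    vwl = VWL_RE.search(entry)
    if rid <= REGULAR_MAX_ID:
        kind = "regular"          # policy route configured by the administrator
    elif vwl:
        kind = "sdwan"            # SD-WAN rule: vwl_service carries the rule ID and name
    else:
        kind = "isdb"             # static route with an Internet Service as destination
    oif = OIF_RE.search(entry)
    return {
        "id": rid,
        "kind": kind,
        "sdwan_rule": (int(vwl.group(1)), vwl.group(2)) if vwl else None,
        "oif": oif.group(1) if oif else None,
    }


def parse_proute(text):
    """Split the command output into entries (blank-line separated) and classify each."""
    entries = []
    for block in text.split("\n\n"):
        block = block.strip()
        if block.startswith("id="):
            entries.append(classify(block))
    return entries


if __name__ == "__main__":
    for e in parse_proute(PROUTE_SAMPLE):
        print(e["id"], e["kind"], e["sdwan_rule"], e["oif"])
```

For the question's exhibit the deciding field is vwl_service: its presence, together with the large ID, is what makes the entry an SD-WAN rule rather than an ISDB route.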

  joeytrib 7 months ago

Selected Answer: D

vwl_service is present !
upvoted 2 times

  sb_alves 7 months, 1 week ago

Selected Answer: D

The correct answer is D. This is an SD-WAN rule (ID greater than 65535 and the vwl_service field is present)
upvoted 3 times

  fc8 7 months, 3 weeks ago


Selected Answer: D

page 59
upvoted 3 times

  Grace_Shu 8 months, 2 weeks ago


answer should be A, there is only 2 oif in this exhibit. SDWAN should have 4 oif
upvoted 1 times

  bix88 8 months, 2 weeks ago


Selected Answer: D

Correct is D, page 59 infrastructure study guide.


The image is the same of the study guide, SD-WAN rule.
upvoted 4 times

  dogeatdog 8 months, 3 weeks ago

Selected Answer: D

look at slide page 59. D is correct


upvoted 3 times

  Mturco 9 months, 1 week ago


Why is not D? I'm not 100% sure is C
upvoted 1 times

  BoostBoris 10 months, 1 week ago


Selected Answer: C

SDB routes and SD-WAN rules are assigned an ID higher than 65535. However, SD-WAN rule entries include the vwl_service field, and ISDB route
entries don’t. The vwl_service field indicates the ID and the name of the rule from the SD-WAN configuration perspective.
upvoted 4 times

  Rian 2 months, 3 weeks ago


- SD-WAN rules are assigned an ID higher than 65535.
- SD-WAN rule entries include the "vwl_service" field.
- ISDB (Internet Services Database) route entries do not include the "vwl_service" field.
Given these criteria, it becomes clear that the presence of the "vwl_service" field indicates that the entry is an SD-WAN rule. Therefore, option C,
"It is an ISDB policy route with an SD-WAN rule," is not correct. Instead, it should be identified as an SD-WAN rule within the policy route. But I
see the sugetsed answer remain C. Can Admin please clarify this?
upvoted 1 times

  Skey 8 months, 1 week ago


So in this case, it should be D and not C, right ?
upvoted 2 times

  soporte127 8 months, 4 weeks ago


Where in the guide does it mention that?
upvoted 1 times

  Richard 8 months, 3 weeks ago


It can be found on page 59 of the infrastructure study guide.
upvoted 3 times
Question #55 Topic 1

Refer to the exhibit.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group

option.

What is the impact of using the Include in every user group option in a RADIUS configuration?

A. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.

B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

C. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.

D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

Correct Answer: B

Community vote distribution


B (92%) 8%

  Eggrolls Highly Voted  6 months ago

Selected Answer: B

FortiGate_Security_7.2_Study_Guide page 146


upvoted 6 times

  Jumpy007 Most Recent  3 months ago

Selected Answer: B

FortiGate_Security_7.2_Study_Guide page 146


The option adds the radius server and every user who can authenticate against this server in every user group on the FortiGate.
upvoted 1 times

  Dani_Prime 3 months ago


B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

FortiGate_Security_7.2_Study_Guide page 146


The Include in every User Group option adds the RADIUS server and all users that can authenticate against it, to every user group created on
FortiGate. So, you should enable this option only in very specific scenarios (for example, when only administrators can authenticate against the
RADIUS server and policies are ordered from least restrictive to most restrictive).
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  exiled2019 5 months ago


A is correct.
upvoted 1 times

  Mturco 9 months, 1 week ago

Selected Answer: B
B is correct
upvoted 2 times

  NKWEN123 7 months, 1 week ago


Answer B is correct. See page 146 Security 7.2 Study Guide.
upvoted 2 times

  sebajacaj 9 months, 4 weeks ago


Selected Answer: A

Optional setting to add the RADIUS server to each user group.

This allows each user group to try and authenticate users against the RADIUS server if local authentication fails.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/759080/configuring-a-radius-server
upvoted 1 times

  BoostBoris 10 months, 1 week ago

Selected Answer: B

B is correct. The Include in every User Group option adds the RADIUS server and all users that can authenticate against it, to every user group
created on FortiGate.
upvoted 1 times
Question #56 Topic 1

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status
is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

A. On Remote-FortiGate, set Seconds to 43200.

B. On HQ-FortiGate, set Encryption to AES256.

C. On HQ-FortiGate, enable Diffie-Hellman Group 2.

D. On HQ-FortiGate, enable Auto-negotiate.

Correct Answer: B

Community vote distribution


B (88%) 13%

  raydel92 3 months, 1 week ago

Selected Answer: B

B. On HQ-FortiGate, set Encryption to AES256.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Leodoro 3 months, 3 weeks ago

Selected Answer: B

B is correct.
When key lifetime is different, FortiGate chooses the lower one.
Diffie Helman group needs only one that matches.
The authentication proposals need one matching, which there isn't. That makes it B.
upvoted 2 times

  darkstar15 4 months, 1 week ago


The answer is B because the scenario is being handled as a "phase 2 failure".
1) Confirm if the Encryption and Hashing algorithms match on both receiver and initiator.
2) Check if PFS is enabled, if yes, make sure the configuration is matched on both the units.
3) Make sure, if the quick mode selectors (interesting traffic) is matching on both units.
upvoted 2 times

  A_Roger 4 months, 3 weeks ago

Selected Answer: C

I think the correct is C. DH is different between HQ and Spoke. AES is matching on both sides
upvoted 1 times

  Garry_G 3 months, 2 weeks ago


IPSEC will work as long as there is an overlap in the configs ... if one had only 5, the other only 2, you'd be correct. But as both have 5 available,
they can still initiate Phase 2 using it. At least if both share the same encryption/signature combos, so B ...
upvoted 2 times

  A_Roger 4 months, 3 weeks ago


AES are different. Right is B
upvoted 2 times

  Sjiht87 8 months, 1 week ago


Selected Answer: B

B is Correct set AES256 on both sides in order to complete Phase2


upvoted 4 times
Question #57 Topic 1

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

A. It uses UDP 8888.

B. It uses UDP 53.

C. It uses DNS over HTTPS.

D. It uses DNS over TLS.

Correct Answer: B

Community vote distribution


D (100%)

  Senox999 Highly Voted  7 months, 1 week ago

Selected Answer: D

Study Guide Page 15 - By default, uses DNS over TLS DoT to secure DNS traffic - FortiOS uses Fortiguard server for DNS requests
upvoted 6 times

  Eggrolls Highly Voted  6 months ago

Selected Answer: D

FortiGate_Security_7.2_Study_Guide page 15
upvoted 6 times

  Jumpy007 Most Recent  3 months ago

Selected Answer: D

When using FortiGuard servers for DNS, FortiOS uses DNS over TLS by default to secure the DNS traffic. Answer D is correct.
FortiGate_Security_7.2_Study_Guide page 15
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: D

D. It uses DNS over TLS.

FortiGate Security 7.2 Study Guide (p.15):


"When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  rian00z_ 4 months ago


Selected Answer: D

Correct answer: D
upvoted 1 times

  bgod 4 months, 2 weeks ago


Selected Answer: D

ref security 7.2, page 15, last paragraph.


upvoted 3 times

  RabbitB 6 months ago


FortiGate Security 7.2 Study Guide P.15
When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers have
been added as primary and secondary servers.
upvoted 3 times

  RabbitB 6 months ago


B is correct
upvoted 1 times

  RabbitB 6 months ago


Apologize correct is D (DNS over TLS)
upvoted 1 times
  EmmaW 7 months, 2 weeks ago
When using FortiGuard servers for DNS, FortiOS defaults to using DNS over TLS (DoT) to secure the DNS traffic. So answer D is correct. It will be
using not UDP port 53 but port 853.
upvoted 2 times

  Dalik 7 months, 3 weeks ago


B is correct

According to FortiOS 7.2.0 Administration Guide:

The following DNS protocols can be enabled:


- cleartext: Enable clear text DNS over port 53 (default).
- dot: Enable DNS over TLS.
- doh: Enable DNS over HTTPS.
upvoted 1 times

  rian00z_ 4 months ago


I didn't find this reference on Admin Guide, but on FortiGate Security 7.2 Study Guide P.15
When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers
have been added as primary and secondary servers.

I've tested on lab and the result was the same of the Study Guide.
upvoted 1 times

  Dalik 7 months, 3 weeks ago


Correction: D is the right answer. 'When using FortiGuard servers for DNS, FortiOS defaults to using DNS over TLS (DoT) to secure the DNS
traffic. New FortiGuard DNS servers are added as primary and secondary servers.'
upvoted 3 times

  Equiano 9 months ago


Selected Answer: D

I’m going with answer D if this exam is focused on FortiOS 7.2.3 and lower. From 7.2.4 the default setting is set to DNS (UDP/53) and TLS
(TCP/853) is optional.
upvoted 2 times

  GCISystemIntegrator 9 months, 1 week ago

Selected Answer: D

For DNS servers, select Use FortiGuard Servers. The Primary DNS server is 96.45.45.45, and the Secondary DNS server is 96.45.46.46. DNS
Protocols is set to TLS and cannot be modified.
upvoted 2 times

  Poseidon458 10 months, 4 weeks ago

Selected Answer: D

Answer is D:
https://docs.fortinet.com/document/FortiProxy/7.2.0/administration-guide/710207/use-dns-over-tls-for-default-fortiguard-dns-servers
upvoted 2 times

  efot 11 months ago


Selected Answer: D

Correct answer is D
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/92199/use-dns-over-tls-for-default-fortiguard-dns-servers-7-0-4
upvoted 2 times

  lelacool 11 months, 1 week ago


B CORRECT.
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/92199/use-dns-over-tls-for-default-fortiguard-dns-servers-7-0-4
Because DNS servers probably do not support low-encryption DES, low-encryption devices do not have the option to select DoT or DoH. Instead, the devices default to cleartext (UDP/53).
upvoted 1 times

  Spyder_Byte 11 months, 1 week ago

Selected Answer: D

DNS over TLS


upvoted 1 times

  Ney_mediana 11 months, 1 week ago


I think it is D. DNS over TLS
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/92199/use-dns-over-tls-for-default-fortiguard-dns-servers-7-0-4

If you configure FortiGuard servers as DNS, you cannot choose UDP 53; DNS over TLS is selected
upvoted 2 times
Question #58 Topic 1

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will gather a packet log for all matched traffic.

B. The sensor will reset all connections that match these signatures.

C. The sensor will block all attacks aimed at Windows servers.

D. The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

Correct Answer: AB

Community vote distribution


CD (91%) 9%

  itashraf Highly Voted  7 months, 2 weeks ago


In FortiGate Firewall IPS, the "monitor" action is used to allow the traffic to pass through the firewall but still monitor it for potential threats or policy
violations.

When an IPS sensor detects an intrusion attempt or violation of a security policy, it can trigger an alert or log the event, providing information for
further analysis or action.

By using the monitor action instead of the block action, you can allow traffic to continue flowing while still gaining visibility into potential security
risks. This can be useful in situations where blocking the traffic might cause operational disruptions or false positives.

However, it's important to note that the monitor action does not actively block traffic, so it's recommended to use it in conjunction with other
security measures, such as firewalls, antivirus software, and intrusion prevention systems, to ensure comprehensive protection against cyber
threats.
upvoted 7 times

  chromevandium11 Highly Voted  11 months, 2 weeks ago

Selected Answer: CD

I believe the answer should be CD.


upvoted 5 times

  ChiaPet75 Most Recent  1 month ago


Correct Answer is CD
When the IPS engine compares traffic with the signatures in each filter, order matters. The Rules are similar to firewall policy matching; the engine
evaluates the filters and signatures at the top of the list first, and applies the first match. The engine skips the subsequent filters.
FortiGate Security 7.2 StudyGuide p.392
upvoted 1 times
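To make the first-match point concrete, here is an added model of how an ordered IPS sensor is evaluated (example code, not from the study guide or any poster; the sensor rows and the signature names other than Microsoft.Windows.iSCSI.Target.DoS are constructed to show the ordering effect, not copied from the exhibit):

```python
"""Model of first-match evaluation of IPS sensor entries (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    severity: str  # e.g. "critical", "high"
    target: str    # "server" or "client"
    os: str        # "Windows", "Linux", ...


@dataclass
class SensorEntry:
    """One row of an IPS sensor: a single named signature or a filter over attributes."""
    action: str                          # "pass", "monitor", "block", "reset"
    packet_log: bool = False             # capture packets for matched traffic
    signature: Optional[str] = None      # exact signature name, or None for a filter
    filters: Dict[str, str] = field(default_factory=dict)  # e.g. {"os": "Windows", "target": "server"}

    def matches(self, sig: Signature) -> bool:
        if self.signature is not None:
            return sig.name == self.signature
        return all(getattr(sig, attr) == value for attr, value in self.filters.items())


def evaluate(sensor: List[SensorEntry], sig: Signature) -> Tuple[str, bool]:
    """Walk the sensor top-down; the first matching entry decides action and packet logging."""
    for entry in sensor:
        if entry.matches(sig):
            return entry.action, entry.packet_log
    return "pass", False  # nothing matched: the sensor does not act on this signature


# Constructed signatures; only the iSCSI one is named in the question.
ISCSI_DOS = Signature("Microsoft.Windows.iSCSI.Target.DoS", "high", "server", "Windows")
SMB_EXEC = Signature("Example.Windows.SMB.Service.Overflow", "critical", "server", "Windows")  # constructed name
LINUX_SRV = Signature("Example.Linux.Service.Overflow", "high", "server", "Linux")  # constructed name

# Entry 1 exempts one signature; entry 2 blocks every Windows server attack and captures packets.
EXEMPT_FIRST = [
    SensorEntry(action="pass", signature=ISCSI_DOS.name),
    SensorEntry(action="block", packet_log=True, filters={"os": "Windows", "target": "server"}),
]
# Same rows, reversed: the broad filter now shadows the exemption.
FILTER_FIRST = list(reversed(EXEMPT_FIRST))


def decisions(sensor: List[SensorEntry]) -> Dict[str, Tuple[str, bool]]:
    """Action and packet-log decision for each constructed signature under the given sensor."""
    return {sig.name: evaluate(sensor, sig) for sig in (ISCSI_DOS, SMB_EXEC, LINUX_SRV)}


if __name__ == "__main__":
    for name, sensor in (("exempt first", EXEMPT_FIRST), ("filter first", FILTER_FIRST)):
        print(name, decisions(sensor))
```

With the exemption on top, the iSCSI signature passes unlogged while every other Windows server signature is blocked with packet logging; reverse the two rows and the exemption is never reached. That is why reading the row order in the exhibit matters more than reading any single row.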

  Igor_Mioralli 1 month ago

Selected Answer: AD

The right answer is actually A and D, because there is a catch: the FortiGate is not blocking ALL attacks on Windows servers, because it is allowing that
iSCSI signature to pass through, and the matching traffic is indeed set to log
upvoted 1 times

  Rian 2 months, 3 weeks ago


I rather say it is A&B, because of the detail Microsoft.Windows.iSCSI.Target.DoS and Exempt IPs = 0
upvoted 1 times

  Rewrock 8 months, 3 weeks ago

Selected Answer: CD

I believe the answer should be CD


upvoted 1 times

  efot 11 months ago

Selected Answer: CD

Correct Answer is CD
upvoted 4 times

  Ney_mediana 11 months, 1 week ago


I too believe the answer is CD
upvoted 2 times
Question #59 Topic 1

Which two types of traffic are managed only by the management VDOM? (Choose two.)

A. DNS

B. FortiGuard web filter queries

C. PKI

D. Traffic shaping

Correct Answer: AB

Community vote distribution


AB (100%)

  BoostBoris Highly Voted  10 months, 1 week ago

Selected Answer: AB

C is wrong because PKI stands for Public Key Infrastructure and is associated with VPNs
D is wrong because traffic shaping is configured on a 'Traffic Shaping Policy'
A is correct because Fortigate will use Fortiguard for these queries
B is correct as the management VDOM can use DNS for DNS queries
upvoted 6 times

  raydel92 Most Recent  3 months, 1 week ago

Selected Answer: AB

A. DNS
B. FortiGuard web filter queries

FortiGate Infrastructure 7.2 Study Guide (p.73):


"What about traffic originating from FortiGate? Some system daemons, such as NTP and FortiGuard updates, generate traffic coming from
FortiGate.
Traffic coming from FortiGate to those global services originates from the management VDOM. One, and only one, of the VDOMs on a FortiGate
device is assigned the role of the management VDOM.
It is important to note that the management VDOM designation is solely for traffic originated by FortiGate, such as FortiGuard updates, and has no
effect on traffic passing through FortiGate."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Brandon534 5 months, 2 weeks ago

Selected Answer: AB

Infrastructure study guide page 73


upvoted 4 times

  Kaleema 10 months, 1 week ago


BC for sure
upvoted 1 times

  Brandon534 5 months, 2 weeks ago


cannot be BC. PKI is for VPN. DNS is handled by the management VDOM per Infrastructure Study Guide page 73
upvoted 2 times
Question #60 Topic 1

Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it.
What should the user do to successfully connect to the SSL VPN?

A. Change the SSL VPN port on the client.

B. Change the idle-timeout.

C. Change the SSL VPN portal to the tunnel.

D. Change the server IP address.

Correct Answer: A

Community vote distribution


A (100%)

  itzuy06 2 months, 3 weeks ago

Selected Answer: A

Change from 10.200.1.1:1443 to 10.200.1.1:11443 so A is correct.


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: A

A. Change the SSL VPN port on the client.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Brandon534 5 months, 2 weeks ago


Selected Answer: A

wrong port number on client. Missing a 1


upvoted 3 times

  erawemk 5 months, 2 weeks ago


Selected Answer: A

Change from 10.200.1.1:1443 to 10.200.1.1:11443 so A is correct.


upvoted 3 times

  Sjiht87 8 months, 1 week ago

Selected Answer: A

A is correct
upvoted 2 times
Question #61 Topic 1

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

A. 10.0.1.254, 10.0.1.10, and 443, respectively

B. 10.0.1.254, 10.200.1.10, and 443, respectively


C. 10.200.3.1, 10.0.1.10, and 443, respectively

D. 10.0.1.254, 10.0.1.10, and 10443, respectively

Correct Answer: C

Community vote distribution


A (66%) C (34%)

  Timbal Highly Voted  6 months, 1 week ago


Is this question the same as #52, but here with the 4 answer options?
upvoted 5 times

  [Removed] 6 months ago


exactly!
upvoted 1 times

  cerifyme85 Most Recent  1 week, 6 days ago


I think the question is asking about post-NAT IP addresses and ports? Then A.
If they were asking for pre-NAT then C. The question needs to be clearer though
upvoted 1 times

  lliu27 3 weeks, 3 days ago


C. SNAT only applies from LAN to WAN, not both ways.
upvoted 1 times

  wwwwaaaa 1 month, 1 week ago

Selected Answer: C

security guide P112, check the example there


upvoted 1 times

  costavo 2 months ago


A. 10.0.1.254, 10.0.1.10, and 443, respectively
upvoted 1 times

  samael666 2 months, 1 week ago


Selected Answer: C

NAT changes the source IP address of the outgoing traffic; in the other direction, the change goes to the destination.
upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: A

A. 10.0.1.254, 10.0.1.10, and 443, respectively

Question repeated with Q52

Translations:
10.200.3.1 --> 10.0.1.254 because NAT enable in firewall policy
10.200.1.10 --> 10.0.1.10 because VIP as Destination
10443 --> 443 because Port Forwarding enabled on VIP

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 4 times
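An added model of the translation chain raydel92 lists (example code, not from the study guide or any poster): the VIP performs destination NAT with port forwarding before policy lookup, and the policy's NAT setting decides whether the source is rewritten to the outgoing interface address. The interface and VIP addresses are the ones in the question; the client source port and the simplified processing order are assumptions, and the egress interface is taken from the policy instead of a routing lookup.

```python
"""Model of a FortiGate VIP (DNAT + port forwarding) combined with policy NAT (SNAT)."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str  # interface the packet arrived on


@dataclass(frozen=True)
class VIP:
    extip: str                      # external (WAN-facing) address
    mappedip: str                   # real server address
    extport: Optional[int] = None   # None: no port forwarding, ports map 1:1
    mappedport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    nat: bool  # "NAT" enabled on the policy: SNAT to the outgoing interface address


# Interface addresses from the question (port1 = WAN, port3 = LAN).
INTERFACE_ADDR = {"port1": "10.200.1.1", "port3": "10.0.1.254"}


def apply_vip(pkt: Packet, vip: VIP) -> Packet:
    """Destination NAT: rewrite dst_ip (and dst_port when port forwarding is set)."""
    if pkt.dst_ip != vip.extip:
        return pkt
    if vip.extport is not None and pkt.dst_port != vip.extport:
        return pkt  # a port-forwarding VIP only claims its external port
    new_port = vip.mappedport if vip.mappedport is not None else pkt.dst_port
    return replace(pkt, dst_ip=vip.mappedip, dst_port=new_port)


def forward(pkt: Packet, vip: VIP, policy: Policy) -> Optional[Tuple[Packet, str]]:
    """Return (translated packet, egress interface), or None if the policy does not match.

    Order modelled (assumption): DNAT from the VIP first, then policy lookup, then
    SNAT if the policy has NAT enabled without an IP pool.
    """
    pkt = apply_vip(pkt, vip)
    if pkt.ingress != policy.srcintf:
        return None
    egress = policy.dstintf
    if policy.nat:
        pkt = replace(pkt, src_ip=INTERFACE_ADDR[egress])
    return pkt, egress


# The question's scenario, with a constructed client source port.
INBOUND = Packet("10.200.3.1", 40000, "10.200.1.10", 10443, "port1")
WEB_VIP = VIP("10.200.1.10", "10.0.1.10", extport=10443, mappedport=443)


def translate(nat_enabled: bool) -> Tuple[str, str, int]:
    """(source address, destination address, destination port) after forwarding."""
    result = forward(INBOUND, WEB_VIP, Policy("port1", "port3", nat=nat_enabled))
    pkt, _egress = result
    return pkt.src_ip, pkt.dst_ip, pkt.dst_port


if __name__ == "__main__":
    print("policy NAT enabled: ", translate(True))
    print("policy NAT disabled:", translate(False))
```

Run with the policy's NAT flag on, the tuple is option A (10.0.1.254, 10.0.1.10, 443); with it off, it is option C (10.200.3.1, 10.0.1.10, 443). The disagreement in this thread is exactly about which of the two the exhibit shows.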

  Vic2911 3 months, 2 weeks ago


Selected Answer: A

Correct answer is A..


On the security policy NAT is enabled and by default the firewall performs NAT using outgoing interface address
upvoted 1 times

  Leodoro 3 months, 3 weeks ago

Selected Answer: A

Answer is A.
SNAT and DNAT are both active. We don't see the IP pool of SNAT, but it has to be another IP than the original. The only logical answer is A.
upvoted 1 times

  JakubCh 4 months, 2 weeks ago


Selected Answer: A

There is SNAT configured on firewall policy. That's why it is A.


upvoted 3 times
  NiciExam 5 months ago

Selected Answer: A

It is A
upvoted 2 times

  imwatever 5 months, 1 week ago

Selected Answer: A

Lab tested.
upvoted 1 times

  Alwie 5 months, 2 weeks ago

Selected Answer: C

NAT only operates in one direction at a time. for inbound traffic only the DNAT will apply as the original source has to be preserved so that traffic
can be routed back, so C.
upvoted 2 times

  Garry_G 3 months, 2 weeks ago


The incoming policy has explicit source nat enabled (last column), so any incoming session will use the destination interface IP as snat IP. And
of course both SNAT and DNAT can be used together ... have used it before when I needed to ensure returning traffic to get back to the right FW
when the same external source could be coming over two different firewalls / locations (redundancy situation)
upvoted 1 times

  erawemk 5 months, 2 weeks ago

Selected Answer: C

The correct option is C because the external source IP is never translated, only the server address that is behind the Fortigate, so A option is
wrong.

The NAT enabled in the firewall policy indicates that egress traffic is translated using the VIP address (10.200.1.10) and not using the 10.200.1.1
(port1 of fortigate)

Please see NSE4_FortiGate_Security_7.2_Study_Guide page 97 and 110


upvoted 3 times

  erawemk 5 months, 2 weeks ago


Correction!!
When you use a secondary IP or IP Pool for VIP (not the outgoing interface IP) FortiGate sends traffic from internal port2 to the web server. I checked it in my own lab; to get an idea, someone in question 52 shared this link: https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/

correct Answer is A (what a tricky question huh?)


upvoted 3 times

  SH_ 6 months, 2 weeks ago


Selected Answer: A

There's DNAT and then there's NAT enabled in the policy (i.e. SNAT). So destination address will change, as well as the source address. So A is
correct.
upvoted 4 times

  ferdi1989 6 months, 3 weeks ago


Magi202 is correct, the source will stay the same no matter what.
It is a D-NAT and 10443 is going to be 443 because of the port forward :) so C is the only correct answer. Going to do my exam in two days :)
upvoted 1 times

  erawemk 5 months, 2 weeks ago


hey ferdi1989 how was your exam?
upvoted 2 times

  magi202 7 months, 2 weeks ago


Selected Answer: C

Source will stay the same. NAT will take place so it will forward packet to mapped IP in VIP
upvoted 3 times
Question #62 Topic 1

Which three methods are used by the collector agent for AD polling? (Choose three.)

A. FortiGate polling

B. FSSO REST API

C. WMI

D. NetAPI

E. WinSecLog

Correct Answer: CDE

Community vote distribution


CDE (86%) 14%

  raydel92 3 months, 1 week ago

Selected Answer: CDE

C. WMI
D. NetAPI
E. WinSecLog

FortiGate Infrastructure 7.2 Study Guide (p.127-128):


"As previously stated, collector agent-based polling mode has three methods (or options) for collecting login information. The order on the slide
from left to right shows most recommended to least recommended: (WMI, WinSecLog, and NetAPI)"

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  e359166 4 months, 4 weeks ago


Selected Answer: CDE

FortiGate Infrastructure Study Guide for FortiOS 7.2 page 127 - 128
upvoted 2 times

  beuzec 5 months ago


The answers are C, D, E
7.2_Study_Guide page 127
Three methods:
. NetAPI
. WinSecLog
. WMI
upvoted 3 times

  krisu96 5 months ago

Selected Answer: CDE

C, D, E - right answers


upvoted 1 times

  NiciExam 5 months ago

Selected Answer: CDE

FortiGate Infrastructure Study Guide for FortiOS 7.2 site 128


upvoted 1 times

  Takumi 5 months, 1 week ago

Selected Answer: CDE

The answers are C, D, E


upvoted 1 times

  Takumi 5 months, 1 week ago


Selected Answer: BCD

The answer is B, C, and D.

FortiGate polling is not a method used by the collector agent for AD polling.
FSSO REST API is not a method used by the collector agent for AD polling.
WMI is a method used by the collector agent for AD polling.
NetAPI is a method used by the collector agent for AD polling.
WinSecLog is not a method used by the collector agent for AD polling.
The collector agent uses NetAPI and WMI to poll the domain controllers for user logon information. The collector agent then sends this
information to the FortiGate firewall.
upvoted 1 times
Question #63 Topic 1

What are two functions of the ZTNA rule? (Choose two.)

A. It redirects the client request to the access proxy.

B. It applies security profiles to protect traffic.

C. It defines the access proxy.

D. It enforces access control.

Correct Answer: BC

Community vote distribution


BD (82%) Other

  Rian 2 months, 3 weeks ago


Actually B, C and D are in line with the question. But the question is specific to the ZTNA rule! And on page 176 of the FortiGate Infrastructure 7.2
study guide, bullet number 2 says "The ZTNA SERVER defines the access proxy VIP and the real servers that clients connect to". The most likely
answers are B and D. This is however confusing.
upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: BD

B. It applies security profiles to protect traffic.


D. It enforces access control.

FortiGate Infrastructure 7.2 Study Guide (p.177):


"A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust role-based access. To
create a rule, type a rule name, and add IP addresses and ZTNA tags or tag groups that are allowed or blocked access. You also select the ZTNA
server as the destination. You can also apply security profiles to protect this traffic."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  darkstar15 4 months, 1 week ago


The answer is B and D, per the Administration Guide 7.2.3 p. 1033
A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero trust role based access.
Security profiles can be configured to protect this traffic.
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


FortiGate Infrastructure Study Guide for FortiOS 7.2 pages 177
B and D
upvoted 1 times

  NiciExam 5 months ago

Selected Answer: BD

FortiGate Infrastructure Study Guide for FortiOS 7.2 p.177


B and D
upvoted 2 times

  lupnoob 5 months ago


Selected Answer: CD

My vote is C,D
A ZTNA rule is a proxy policy used to enforce access control.
Infra 7.2 page 177.
upvoted 1 times

  Dave304409 5 months ago


Selected Answer: BD

The answers are BD


upvoted 1 times

  Takumi 5 months, 1 week ago

Selected Answer: BD

The answers are BD


upvoted 1 times
  Takumi 5 months, 1 week ago

Selected Answer: AD

The two functions of a ZTNA rule are to redirect the client request to the access proxy and to enforce access control. So the answer is A and D.

Redirecting the client request to the access proxy is the primary function of a ZTNA rule. This is how the ZTNA solution ensures that all traffic is
routed through the access proxy, where it can be inspected and protected.
Enforcing access control is another important function of a ZTNA rule. This is how the ZTNA solution ensures that only authorized users and
devices are allowed to access the protected resources.
upvoted 1 times

  imwatever 5 months, 1 week ago

Selected Answer: BD

Inf 7.2 p.176


upvoted 2 times
Question #64 Topic 1

Which two statements describe how the RPF check is used? (Choose two.)

A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

B. The RPF check is run on the first sent and reply packet of any new session.

C. The RPF check is run on the first sent packet of any new session.

D. The RPF check is run on the first reply packet of any new session.

Correct Answer: AC

Community vote distribution


AC (100%)

  Takumi Highly Voted  5 months, 1 week ago

Selected Answer: AC

The two statements that describe how the RPF check is used are A and C.

RPF stands for Reverse Path Forwarding. It is a security mechanism that protects FortiGate and the network from IP spoofing attacks.
The RPF check is run on the first sent packet of any new session. This is because the first packet is the only packet that contains the source IP
address of the sender.
upvoted 5 times

  Jumpy007 Most Recent  3 months ago

Selected Answer: AC

Found this also, which explains C literally.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reverse-path-forwarding-check-not-working-for/ta-p/230015
upvoted 1 times

  Lalane 3 months, 1 week ago


Correct answers are A & D, because as indicated by its name, the "reverse path check" is done on the first reply packet of any new session.
upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: AC

A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
C. The RPF check is run on the first sent packet of any new session.

FortiGate Infrastructure 7.2 Study Guide (p.41):


"The RPF check is a mechanism that protects FortiGate and your network from IP spoofing attacks by checking for a return path to the source in
the routing table."
"FortiGate performs an RPF check only on the first packet of a new session. That is, after the first packet passes the RPF check and FortiGate
accepts the session, FortiGate doesn’t perform any additional RPF checks on that session."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times
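An added model of the check the quoted study guide text describes (example code, not from the study guide or any poster): a longest-prefix lookup on the packet's source address, a strict mode that requires the return path to leave through the ingress interface and a loose mode that accepts any return route, plus a session table so the check runs only on the first packet of a session. The routing table is constructed, and the strict/loose semantics are this model's, not a claim about FortiOS internals.

```python
"""Model of a reverse path forwarding (RPF) check on the first packet of a session."""
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination prefix, egress interface).
ROUTING_TABLE = [
    ("0.0.0.0/0", "port1"),        # default route via the WAN
    ("10.200.1.0/24", "port1"),    # connected WAN segment
    ("10.0.1.0/24", "port3"),      # connected LAN
    ("192.168.10.0/24", "port2"),  # a branch network reachable via port2
]


def lookup_route(address, table=ROUTING_TABLE):
    """Longest-prefix match: the (network, interface) used to reach address, or None."""
    addr = ip_address(address)
    best = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(src_ip, ingress_iface, strict=True, table=ROUTING_TABLE):
    """Return True when the source address is plausible for the interface it arrived on.

    strict: the best route back to src_ip must leave through ingress_iface.
    loose:  any route back to src_ip (the default route included) is accepted,
            so with a default route present it rejects nothing (model assumption).
    """
    route = lookup_route(src_ip, table)
    if route is None:
        return False
    _net, iface = route
    return iface == ingress_iface if strict else True


class SessionTable:
    """Tracks accepted sessions so RPF is evaluated only on a session's first packet.

    Sessions are keyed on (src, dst, ingress); the reply direction is not modelled.
    """

    def __init__(self, strict=True, table=ROUTING_TABLE):
        self.strict = strict
        self.table = table
        self.sessions = set()
        self.dropped = []

    def handle(self, src_ip, dst_ip, ingress_iface):
        """Return True if the packet is forwarded, False if the RPF check drops it."""
        key = (src_ip, dst_ip, ingress_iface)
        if key in self.sessions:
            return True  # established session: no further RPF checks
        if not rpf_check(src_ip, ingress_iface, self.strict, self.table):
            self.dropped.append(key)
            return False
        self.sessions.add(key)
        return True


if __name__ == "__main__":
    table = SessionTable(strict=True)
    # A LAN host talking out via the LAN interface: accepted.
    print(table.handle("10.0.1.50", "203.0.113.9", "port3"))
    # The same LAN source address arriving on the WAN interface: spoofed, dropped.
    print(table.handle("10.0.1.50", "203.0.113.9", "port1"), table.dropped)
```

The second call is the case option A is about: a packet claiming a LAN source arrives on the WAN interface, the best route back to that source points at port3, so strict RPF drops it. Switch the table to strict=False and the same packet is accepted, which is why loose mode offers little spoofing protection once a default route exists.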

  bgod 4 months, 2 weeks ago


Selected Answer: AC

ref infrastructure page 41, first and second paragraph


upvoted 1 times

  Takumi 5 months, 1 week ago


Selected Answer: AC

The answers are A and C


upvoted 2 times
Question #65 Topic 1

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

A. On both FortiGate devices, set Dead Peer Detection to On Demand.

B. On HQ-FortiGate, set IKE mode to Main (ID protection).

C. On HQ-FortiGate, disable Diffie-Hellman group 2.

D. On Remote-FortiGate, set port2 as Interface.

Correct Answer: BD

Community vote distribution


BD (100%)

  Jumpy007 3 months ago

Selected Answer: BD

FortiGate Infrastructure 7.2 study guide page 250 last paragraph.


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: BD
B. On HQ-FortiGate, set IKE mode to Main (ID protection).
D. On Remote-FortiGate, set port2 as Interface.

"In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must
agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  e359166 4 months, 4 weeks ago

Selected Answer: BD

FortiGate Security 7.2 study guide page 250


In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main and aggressive mode. The settings on both ends must
agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.
Note: on the network diagram, port2 is used on the remote FortiGate so the answer is B & D
upvoted 4 times

  cyberfriends 4 months, 1 week ago


It is page 250 for Infrastructure study guide 7.2
upvoted 2 times

  Takumi 5 months, 1 week ago


Selected Answer: BD

The answers are B and D


upvoted 2 times
Question #66 Topic 1

An administrator needs to increase network bandwidth and provide redundancy.

Which interface type must the administrator select to bind multiple FortiGate interfaces?

A. Redundant interface

B. Software switch interface

C. VLAN interface

D. Aggregate interface

Correct Answer: D

Community vote distribution


D (100%)

  Knowledge33 2 months, 2 weeks ago

Selected Answer: D

it's D
upvoted 2 times

  PTomis 2 months, 3 weeks ago


Answer is D and it would be regardless if Fortinet or not
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: D

D. Aggregate interface

Download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  darkstar15 4 months, 1 week ago


D is the answer. FortiOS 7.2 Administration Guide p. 190.
Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated
(combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred
automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.
This feature is similar to redundant interfaces. The major difference is a redundant interface group only uses one link at a
time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


The answer is D

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/567758/aggregation-and-redundancy
upvoted 2 times

  Takumi 5 months ago

Selected Answer: D

The answer is D.
upvoted 1 times
Question #67 Topic 1

FortiGate is integrated with FortiAnalyzer and FortiManager.

When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

A. Policy ID

B. Log ID

C. Sequence ID

D. Universally Unique Identifier

Correct Answer: D

Community vote distribution


D (100%)

  raydel92 3 months, 1 week ago

Selected Answer: D

D. Universally Unique Identifier

FortiGate Security 7.2 Study Guide (p.67):


"When creating firewall objects or policies, a universally unique identifier (UUID) attribute is added so that logs can record these UUIDs and improve
functionality when integrating with FortiManager or FortiAnalyzer."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


D correct, Fortigate Security Study Guide page 67
upvoted 4 times

  NiciExam 5 months ago

Selected Answer: D

D is correct
upvoted 1 times

  Takumi 5 months, 1 week ago

Selected Answer: D

The answer is D
upvoted 1 times

  ansalias 5 months, 1 week ago


D correct, Security p.67
upvoted 3 times
Question #68 Topic 1

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

Which CLI command must the administrator use to view the route?

A. get router info routing-table database

B. diagnose firewall route list

C. get internet-service route list

D. get router info routing-table all

Correct Answer: B

Community vote distribution


B (91%) 9%

  ansalias Highly Voted  5 months, 1 week ago


Answer B should be diagnose firewall proute list (p is missing...)
Infrastructure Guide p.59
upvoted 9 times

  raydel92 Highly Voted  3 months, 1 week ago

Selected Answer: B

B. diagnose firewall proute list

FortiGate Infrastructure 7.2 Study Guide (p.16 and p.59):


"Even though they are configured as static routes, ISDB routes are actually policy routes and take precedence over any other routes in the routing
table. As such, ISDB routes are added to the policy routing table."
"FortiOS maintains a policy route table that you can view by running the diagnose firewall proute list command."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 6 times

  Leodoro Most Recent  3 months, 3 weeks ago

Selected Answer: B

There is a typo in there.


ISDB route --> under proutes
upvoted 1 times

  Wazza31 4 months, 3 weeks ago


Selected Answer: A

To view active and standby routes


upvoted 1 times

  Halmonte0780 4 months, 2 weeks ago


Answer B.
ISDB static route will not create entry directly in routing-table. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for-Predefined-Internet/ta-p/198756 and here https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/190640
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


Answer B
Fortigate Infrastructure Guide p.59
upvoted 1 times

  skappa_exams 5 months ago


To me A. This is a Static Route and not a Policy route. Moreover we do not know if it is active or not.
upvoted 1 times

  Takumi 5 months, 1 week ago

Selected Answer: B

The answer is B
upvoted 2 times

  imwatever 5 months, 1 week ago

Selected Answer: B

diagnose firewall proute list


typo
upvoted 1 times
Question #69 Topic 1

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

Which FortiGate configuration can achieve this goal?

A. SSL VPN bookmark

B. SSL VPN tunnel

C. Zero trust network access

D. SSL VPN quick connection

Correct Answer: B

Community vote distribution


B (100%)

  Takumi Highly Voted  5 months, 1 week ago

Selected Answer: B

The answer is B. SSL VPN tunnel.

SSL VPN tunnel is a FortiGate configuration that allows remote users to connect to the FortiGate firewall through an SSL/TLS connection. This
connection provides a secure tunnel between the remote user's PC and the FortiGate firewall, which allows the remote user to send external
application data running on their PCs and access FTP resources through the firewall.
upvoted 5 times

  raydel92 Most Recent  3 months, 1 week ago

Selected Answer: B

B. SSL VPN tunnel

FortiGate Infrastructure 7.2 Study Guide (p.198):


"Tunnel mode requires FortiClient to connect to FortiGate. FortiClient adds a virtual network adapter identified as fortissl to the user’s PC. This
virtual adapter dynamically receives an IP address from FortiGate each time FortiGate establishes a new VPN connection. Inside the tunnel, all
traffic is SSL/TLS encapsulated.
The main advantage of tunnel mode over web mode is that after the VPN is established, any IP network application running on the client can send
traffic through the tunnel."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  darkstar15 4 months, 1 week ago


B is correct.
Infrastructure 7.2 p. 198.
upvoted 1 times

  lupnoob 5 months ago


Both A and B are possible answer. A also encrypt the traffic with SSL/TLS.
upvoted 2 times
Question #70 Topic 1

The IPS engine is used by which three security features? (Choose three.)

A. Antivirus in flow-based inspection

B. Web filter in flow-based inspection

C. Application control

D. DNS filter

E. Web application firewall

Correct Answer: ABC

Community vote distribution


ABC (83%) ACD (17%)

  raydel92 3 months, 1 week ago

Selected Answer: ABC

A. Antivirus in flow-based inspection


B. Web filter in flow-based inspection
C. Application control

FortiGate Security 7.2 Study Guide (p.385):


"The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. It’s also responsible for application
control, flow-based antivirus protection, web filtering, and email filtering."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  Vic2911 3 months, 1 week ago


Selected Answer: ABC

Correct answer is A.
IPS engine is used by:
- Application control
- Antivirus (flow-based)
- Web filter (flow-based)
- Email filter (flow-based)
upvoted 1 times

  Jordancueay 4 months, 1 week ago


Correct answers: ABC
Reference: page 385 Study guide, Security module
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


The answers are A, B and C

IPS engine is used by these 4:

Web Filter (Flow Based)
Antivirus (Flow Based)
Application Control
Email Filter (Flow Based)

Fortigate Security 7.2 Study Guide Pages 385


upvoted 2 times

  Takumi 5 months, 1 week ago


Selected Answer: ABC

The answers are A, B and C


upvoted 2 times

  nambomm 5 months, 1 week ago


ABC is the right answer.
IPS engine is used by these 4:
Web Filter (Flow Based)
Antivirus (Flow Based)
Application Control
Email Filter (Flow Based)
upvoted 4 times

  imwatever 5 months, 1 week ago

Selected Answer: ACD

https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/605868
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/836396/antivirus
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/302748/application-control
upvoted 1 times

  GANGA2021 5 months ago


So D is not correct. The docs specify DNS filter on flow-based policies, and the answer is not telling us that. That means it could be on proxy-based,
which is not used. So the correct answer should be ABC
upvoted 2 times
Question #71 Topic 1

You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

A. No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%.

B. No new log is recorded until you manually clear logs from the local disk.

C. Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.

D. Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%.

Correct Answer: C

Community vote distribution


C (100%)

  raydel92 3 months, 1 week ago


C. Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%.

config log disk setting


set diskfull [ overwrite | nolog ]
Action to take when disk is full. The system can overwrite the oldest log messages or stop logging when the disk is full. (default --> overwrite)

config log memory global-setting


set full-first-warning-threshold {integer}
Log full first warning threshold as a percent. (default --> 75)

Reference:
https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/421620/config-log-disk-setting
https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/418620/config-log-memory-global-setting
upvoted 3 times
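The two CLI settings quoted in the post above decide what happens once the log disk fills. The following is an added illustration, not FortiOS code or anything from the study guide: it models a log disk as a bounded store, applies `diskfull overwrite` versus `diskfull nolog`, and raises warnings as utilisation crosses the first threshold (75%, the documented default) and a second one (95%, the figure used in the question's options). The disk capacity, the one-byte log entries and the 95% second threshold are constructed values.

```python
"""Model of FortiGate local-disk log behaviour: `set diskfull {overwrite|nolog}`
and percentage warning thresholds. Added example, not FortiOS code."""

from collections import deque
from dataclasses import dataclass, field


@dataclass
class LogDisk:
    capacity: int                          # bytes available for logs (constructed)
    diskfull: str = "overwrite"            # FortiOS default: overwrite oldest logs
    first_warning_pct: int = 75            # full-first-warning-threshold default
    second_warning_pct: int = 95           # constructed: the figure in options A/D
    entries: deque = field(default_factory=deque)
    used: int = 0
    warnings: list = field(default_factory=list)
    dropped: int = 0                       # entries refused under nolog
    overwritten: int = 0                   # oldest entries discarded under overwrite

    def _warn_if_crossed(self, before: float, after: float) -> None:
        """Record a warning the moment utilisation crosses a threshold."""
        for pct in (self.first_warning_pct, self.second_warning_pct):
            if before < pct <= after:
                self.warnings.append(pct)

    def write(self, size: int) -> bool:
        """Try to store one log entry of `size` bytes; True if it was stored."""
        if self.used + size > self.capacity:
            if self.diskfull == "nolog":
                self.dropped += 1          # logging stops until logs are cleared
                return False
            # overwrite: discard the oldest entries until the new one fits
            while self.entries and self.used + size > self.capacity:
                self.used -= self.entries.popleft()
                self.overwritten += 1
        before = 100.0 * self.used / self.capacity
        self.entries.append(size)
        self.used += size
        self._warn_if_crossed(before, 100.0 * self.used / self.capacity)
        return True

    def utilisation(self) -> float:
        return 100.0 * self.used / self.capacity


def simulate(diskfull: str, capacity: int = 100, writes: int = 150, size: int = 1) -> LogDisk:
    """Write `writes` entries of `size` bytes to a disk of `capacity` bytes."""
    disk = LogDisk(capacity=capacity, diskfull=diskfull)
    for _ in range(writes):
        disk.write(size)
    return disk


if __name__ == "__main__":
    for mode in ("overwrite", "nolog"):
        d = simulate(mode)
        print(f"{mode:9s} stored={len(d.entries)} dropped={d.dropped} "
              f"overwritten={d.overwritten} warnings_at={d.warnings}%")
```

Under both modes the first warning fires when the 75% mark is crossed; the difference is only what happens afterwards: with the default `overwrite`, new events keep being recorded at the cost of the oldest ones, while `nolog` silently stops recording, which is the case a SOC should alert on because it loses the newest evidence rather than the oldest.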

  link13 4 months, 2 weeks ago


Logs are overwritten by default - https://docs.fortinet.com/document/fortigate/7.2.4/cli-reference/482620/config-log-disk-setting
upvoted 1 times

  link13 4 months, 2 weeks ago


C.... https://docs.fortinet.com/document/fortigate/7.2.1/cli-reference/468620/config-log-memory-global-setting
upvoted 2 times

  e359166 4 months, 4 weeks ago

Selected Answer: C

C is correct, FortiGate Security 7.2 Page 184


upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


It's C. Fortigate reserves 25% of disk
upvoted 1 times

  Takumi 5 months ago


Selected Answer: C

The answer is C
upvoted 1 times

  itmaxuser 5 months, 1 week ago


C is correct, Fortigate Security 7.2 Page 183
upvoted 2 times
Question #72 Topic 1

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged

B. Extended authentication (XAuth) to request the remote peer to provide a username and password

C. No certificate is required on the remote peer when you set the certificate signature as the authentication method

D. Pre-shared key and certificate signature as authentication methods

Correct Answer: BD

Community vote distribution


BD (100%)

  raydel92 3 months, 1 week ago

Selected Answer: BD

B. Extended authentication (XAuth) to request the remote peer to provide a username and password
D. Pre-shared key and certificate signature as authentication methods

FortiGate Infrastructure 7.2 Study Guide (p.237):


"Authentication-wise, both versions support PSK and certificate signature. Although only IKEv1 supports XAuth, IKEv2 supports EAP, which is
equivalent to XAuth."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 4 times

  darkstar15 4 months, 1 week ago


We know from page 237 of the Infrastructure guide that XAuth is only for IKEv1; additionally, on page 260 there is this reference:
Phase 1 supports two types of authentication: pre-shared keys and digital signatures. The XAuth extension,
sometimes called phase 1.5, forces remote users to authenticate additionally with their credentials (username
and password). So, additional authentication packets are exchanged if you enable it. What is the benefit?
Stronger authentication.
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


Correct B and D, Fortigate infrastructure Study Guide 7.2 page 237
upvoted 2 times

  Takumi 5 months ago

Selected Answer: BD

The answers are B and D


upvoted 1 times

  itmaxuser 5 months, 1 week ago


Correct B and D, Fortigate infrastructure 7.2 page 237
upvoted 2 times
Question #73 Topic 1

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

A. IP address

B. No other object can be added

C. FQDN address

D. User or User Group

Correct Answer: B

Community vote distribution


B (93%) 7%

  NiciExam Highly Voted  5 months ago

Selected Answer: B

Security p. 59
Answer B is correct
upvoted 7 times

  dmvpn Most Recent  2 months, 3 weeks ago


Selected Answer: B. I tried checking the destination; user or user group is not present to be selected.
upvoted 1 times

  dmvpn 2 months, 3 weeks ago


Should be D. I tried it on the firewall. When you have already selected Internet Service, it will not accept other objects except for User or User Group or another Internet Service.
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. No other object can be added

FortiGate Security 7.2 Study Guide (p.59):


"When configuring your firewall policy, you can use Internet Service as the destination in a firewall policy, which contains all the IP addresses, ports,
and protocols used by that service. For the same reason, you cannot mix regular address objects with ISDB objects, and you cannot select services
on a firewall policy. The ISDB objects already have services information, which is hardcoded."

D. User or User Group (incorrect because you can not use Users or Groups as Destination, just as Source and they actually can be mixed with ISDB
objects)

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 4 times

  Halmonte0780 4 months, 4 weeks ago


If Internet Service is selected as Destination

- You cannot use Address in the Destination


- You cannot select Service in the Firewall Policy

Fortigate Security Study Guide v7.2, page 59


upvoted 4 times

  ccnax2 5 months ago

Selected Answer: A

If you've ever made a policy, you know you can make the destination an IP address.
upvoted 1 times

  ccnax2 5 months ago


Correction, B is correct due to "If Internet Service is already selected".
upvoted 2 times

  Takumi 5 months ago

Selected Answer: B

The answer is B
upvoted 2 times
Question #74 Topic 1

Which statement is correct regarding the security fabric?

A. FortiManager is one of the required member devices.

B. FortiGate devices must be operating in NAT mode.

C. A minimum of two Fortinet devices is required.

D. FortiGate Cloud cannot be used for logging purposes.

Correct Answer: C

Community vote distribution


B (78%) C (17%) 4%

  raydel92 Highly Voted  3 months, 1 week ago

Selected Answer: B

Correct:
B. FortiGate devices must be operating in NAT mode.
Incorrect:
A. FortiManager is one of the required member devices. (Recommended member)
C. A minimum of two Fortinet devices is required. (3 Fortinet devices = 2 FG + 1 logging)
D. FortiGate Cloud cannot be used for logging purposes. (It can be used)

FortiGate Security 7.2 Study Guide (p.428):


"You must have a minimum of two FortiGate devices at the core of the Security Fabric, plus one FortiAnalyzer or cloud logging solution.
FortiAnalyzer Cloud or FortiGate Cloud can act as the cloud logging solution. The FortiGate devices must be running in NAT mode."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 5 times

  velrisan Most Recent  2 months, 4 weeks ago

Selected Answer: B

B is the correct answer. This is the explanation. You must have a minimum of two FORTIGATE devices at the core of the Security Fabric, plus one FortiAnalyzer or cloud logging solution. FortiAnalyzer Cloud or FortiGate Cloud can act as the cloud logging solution. The FortiGate devices must be running in NAT mode. C is incorrect, because it says you must have two Fortinet devices, not FortiGate. PAGE 428 7.2
upvoted 3 times

  Vic2911 3 months, 1 week ago

Selected Answer: B

Correct answer is B
- FortiGate devices must operate in NAT mode https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/58646/security-fabric-settings-and-usage
C is wrong since the core requirements for Security Fabric are:
2 FortiGate devices AND one of the following:
FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud
upvoted 2 times

  darkstar15 3 months, 2 weeks ago


The answer is B
page 2380 of the FortiOS Administration Guide.
Prerequisites
- If devices are not already installed in your network, complete basic installation and configuration tasks by following the instructions in the device documentation.
- FortiGate devices must be operating in NAT mode.
upvoted 1 times

  crose 3 months, 3 weeks ago


B is correct and so is C. This must be a pick 2 question

You must have a minimum of two FortiGate devices at the core of the Security Fabric, plus one FortiAnalyzer
or cloud logging solution. FortiAnalyzer Cloud or FortiGate Cloud can act as the cloud logging solution. The
FortiGate devices must be running in NAT mode.
upvoted 1 times

  Melazizy 3 months, 3 weeks ago


Selected Answer: B

Answer is B
As he says 2 Fortinet devices not 2 FortiGate devices.
upvoted 4 times

  Hanno1 3 months, 3 weeks ago


I reckon C; the reason is your fabric doesn't just consist of FortiGate devices, but can also consist of FortiAPs, FortiSwitches etc.
upvoted 1 times

  sampix 4 months ago

Selected Answer: B

In Study Guide 7.2 Page 428


upvoted 2 times

  cyberfriends 4 months ago


This question is wrong in a bunch of ways.
C would be true if it said "A minimum of two FORTIGATE devices required", not two Fortinet devices.
Having said that, B seems more correct because of C being worded that way.
upvoted 4 times

  Jordancueay 4 months, 1 week ago


B, Page 428 Study guide 7.2 Security module
upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


B. Correct.
upvoted 1 times

  JakubCh 4 months, 2 weeks ago


Selected Answer: B

Answer is B as per Fortigate Security 7.2 Study Guide Page 428.


upvoted 2 times

  e359166 4 months, 4 weeks ago


Selected Answer: C

Both C & B answers are correct. In the FortiGate security study guide Page 428
1st You must have a minimum of two FortiGate devices at the core of the security fabric, plus one FortiAnalyzer or cloud logging solution.
2nd The FortiGate device must be running in NAT.
The question is asked specifically regarding the (security fabric), not the FortiGate device, so I would say the answer is more to "C"
upvoted 2 times

  Halmonte0780 4 months, 3 weeks ago


Not the answer C.
A minimum of two FortiGate devices is required in the core Security Fabric.
Answer C says two fortinet. (two fortinet can be any equipment like Fortiswitch, FortiAP, etc.). The keyword is Fortigate not fortinet.
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


Answer is: B
Fortigate Security 7.2 Study Guide Page 428.
upvoted 3 times

  al12345 5 months ago


Selected Answer: C

The security fabric is an integrated and collaborative approach to security, where multiple Fortinet devices work together as a cohesive system to
provide enhanced security, visibility, and control across the entire network. The security fabric allows different Fortinet devices, such as FortiGate
firewalls, FortiSwitches, FortiAPs, and FortiAnalyzer, to share information and coordinate actions to detect and respond to security threats more
effectively.
upvoted 2 times

  cje77 5 months ago


B NSE 4 SEC 7.2 pg 428
upvoted 3 times

  Takumi 5 months ago

Selected Answer: D

The answer is D
upvoted 1 times

  Halmonte0780 4 months, 3 weeks ago


Not the answer D.
FortiAnalyzer Cloud or Fortigate Cloud can act as the cloud logging solution.
Fortigate Security 7.2 Study Guide Page 42
upvoted 1 times
Question #75 Topic 1

Refer to the exhibit showing a FortiGuard connection debug output.

Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)

A. One server was contacted to retrieve the contract information.

B. There is at least one server that lost packets consecutively.

C. A local FortiManager is one of the servers FortiGate communicates with.

D. FortiGate is using default FortiGuard communication settings.

Correct Answer: AD

Community vote distribution


AD (92%) 8%

  Halmonte0780 Highly Voted  4 months, 4 weeks ago


A and D
A is because the "I" in the flag "DI" means it contacted a server. (pg 287, FortiGate Security Study Guide 7.2).
D because https on port 443 is used. page 288, FortiGate Security 7.2 Study Guide:
"by default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with FortiGuard or FortiManager"
upvoted 7 times

  krisu96 Highly Voted  5 months ago

Selected Answer: AD

A - one server has the DI flag, which means it was contacted

D - anycast is enabled and the HTTPS port is 443, which are default options
upvoted 6 times

  itzuy06 Most Recent  2 months, 3 weeks ago

Selected Answer: AD

Answer is A & D
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: AD

A. One server was contacted to retrieve the contract information.


D. FortiGate is using default FortiGuard communication settings.

FortiGate Security 7.2 Study Guide (p.287-288):


"Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)"
"By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with FortiGuard or FortiManager. Other ports and
protocols are available by disabling the FortiGuard anycast setting on the CLI."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times
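The flag legend and the default HTTPS/443/anycast settings quoted above are all that an administrator needs to read such an exhibit. As an added example (not the exam's exhibit and not Fortinet code), the parser below reads a constructed `diagnose debug rating`-style dump and answers the three checks the question turns on: which servers carry the I flag (contract server contacted), which servers are currently losing packets, and whether the connection settings are the defaults. The column layout of the server table, the sample values, and reading `Curr Lost` as the running count of consecutive losses are assumptions.

```python
import re
from dataclasses import dataclass

FLAG_MEANING = {  # quoted from the study guide excerpt above
    "D": "IP returned from DNS",
    "I": "Contract server contacted",
    "T": "being timed",
    "F": "failed",
}
DEFAULTS = {"Protocol": "https", "Port": "443", "Anycast": "Enable"}  # per the study guide quote

# Constructed sample modelled on `diagnose debug rating` output. The exam exhibit
# is not reproduced on this page, so the layout and values are assumptions.
SAMPLE = """\
Locale       : english
Service      : Web-filter
Status       : Enable
License      : Contract

Num. of servers : 3
Protocol        : https
Port            : 443
Anycast         : Enable
Default servers : Included

-=- Server List (Mon Jan  1 00:00:00 2024) -=-

IP                 Weight RTT Flags TZ  FGT-Requests Curr Lost Total Lost Updated Time
192.0.2.10         10     21  DI    -8  1            0         0          Mon Jan  1 00:00:00 2024
192.0.2.11         10     34  D     -8  0            0         2          Mon Jan  1 00:00:00 2024
192.0.2.12         20     80  DT    -8  0            0         0          Mon Jan  1 00:00:00 2024
"""

# One server-table row: IP, weight, RTT, flags (may be empty), TZ, requests,
# current lost, total lost, updated timestamp (rest of line).
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+([A-Z]*)\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


@dataclass
class Server:
    ip: str
    weight: int
    rtt: int
    flags: str
    tz: int
    requests: int
    curr_lost: int
    total_lost: int
    updated: str


def parse(text):
    """Split the dump into a settings dict (key: value lines) and Server rows."""
    settings, servers, in_table = {}, [], False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("-=-"):          # server-list banner starts the table
            in_table = True
            continue
        if not in_table:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
            continue
        if line.startswith("IP "):           # column header
            continue
        m = ROW.match(line)
        if m:
            ip, w, rtt, flags, tz, req, cl, tl, upd = m.groups()
            servers.append(Server(ip, int(w), int(rtt), flags, int(tz),
                                  int(req), int(cl), int(tl), upd))
    return settings, servers


def contacted_servers(servers):
    """Servers whose flags include I: a contract server was contacted (option A)."""
    return [s.ip for s in servers if "I" in s.flags]


def servers_losing_packets(servers):
    """Servers with a non-zero current (consecutive) loss count (option B) - assumption."""
    return [s.ip for s in servers if s.curr_lost > 0]


def uses_default_settings(settings):
    """True when protocol, port and anycast match the documented defaults (option D)."""
    return all(settings.get(k) == v for k, v in DEFAULTS.items())


def describe_flags(flags):
    return [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]


if __name__ == "__main__":
    cfg, rows = parse(SAMPLE)
    print("contacted:", contacted_servers(rows))
    print("losing packets now:", servers_losing_packets(rows))
    print("default settings:", uses_default_settings(cfg))
```

In the constructed sample exactly one server carries the I flag, no server has a non-zero current loss count (one has historical losses only, which is not the same claim), and protocol, port and anycast are at their defaults, so the parser reproduces the AD reading of the question.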
  Melazizy 3 months, 3 weeks ago
Answer is A & D
FortiGate Security 7.2 Study Guide EXACTLY page 288
upvoted 1 times

  Jordancueay 4 months, 1 week ago


Correct answer A and D Pages 287 and 288 Study guide 7.2 (Security module)
upvoted 2 times

  darkstar15 4 months, 1 week ago


In the FortiOS Administration Guide 7.2, pages 2884 and 2885 have more detail on the scenario.
upvoted 1 times

  Takumi 5 months ago

Selected Answer: AD

The real answers are A and D


upvoted 1 times

  Takumi 5 months ago

Selected Answer: BD

The answers are B and D


upvoted 1 times
Question #76 Topic 1

Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

A. CLI diagnostics commands permission

B. Read/Write permission for Log & Report

C. Read/Write permission for Firewall

D. Custom permission for Network

Correct Answer: A

Community vote distribution


A (100%)

  raydel92 3 months, 1 week ago

Selected Answer: A

A. CLI diagnostics commands permission

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  raydel92 3 months, 1 week ago


config system accprofile
Description: Configure access profiles for system administrators.
edit <name>
set system-diagnostics [ enable | disable ]

system-diagnostics:
Enable/disable permission to run system diagnostic commands.
upvoted 3 times
  darkstar15 4 months, 1 week ago
restricted from using diagnose commands in the CLI:
set system-diagnostics disable
The correct answer is A.
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


The correct answer is A.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50220
upvoted 2 times

  krisu96 5 months ago


Selected Answer: A

Only answer is A
upvoted 1 times

  Takumi 5 months ago


Selected Answer: A

The answer is A
upvoted 1 times
Question #77 Topic 1

Refer to the exhibits.

Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

A. Apple FaceTime will be allowed, based on the Categories configuration.

B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

C. Apple FaceTime will be allowed, based on the Apple filter configuration.

D. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
Correct Answer: B

Community vote distribution


B (75%) C (25%)

  raydel92 3 months, 1 week ago

Selected Answer: B

B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

FortiGate Security 7.2 Study Guide (p.310):


"Then, FortiGate scans packets for matches, in this order, for the application control profile:
1. Application and filter overrides: If you have configured any application overrides or filter overrides, the application control profile considers those
first. It looks for a matching override starting at the top of the list, like firewall policies.
2. Categories: Finally, the application control profile applies the action that you’ve configured for applications in your selected categories."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 4 times
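The quoted order (overrides top-down first, categories only if nothing matched) is what makes the exhibit's answer B regardless of call volume. The following added example, which is not FortiGate code and not part of this page, models an application sensor as an ordered list of overrides plus per-category actions and evaluates Apple FaceTime against it. The signature name, the "Excessive-Bandwidth" behaviour tag that the filter override matches on, and the category name are constructed assumptions drawn from the exhibit description.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Override:
    """One entry under Application and Filter Overrides."""
    name: str
    action: str                               # allow | monitor | block | quarantine
    applications: frozenset = frozenset()     # application override: signature names
    behaviors: frozenset = frozenset()        # filter override: behaviour tags


@dataclass(frozen=True)
class App:
    name: str
    category: str
    behaviors: frozenset = frozenset()


@dataclass
class ApplicationSensor:
    overrides: list          # evaluated top-down, first match wins
    category_actions: dict   # category -> action, consulted only when no override matched
    default_action: str = "allow"


def evaluate(sensor, app):
    """Return (action, reason) following the study-guide order: overrides, then categories."""
    for ov in sensor.overrides:
        if app.name in ov.applications or ov.behaviors & app.behaviors:
            return ov.action, f"override:{ov.name}"
    return sensor.category_actions.get(app.category, sensor.default_action), f"category:{app.category}"


# Constructed objects modelled on the exhibit description (assumptions).
FACETIME = App("Apple.FaceTime", "Collaboration", frozenset({"Excessive-Bandwidth"}))
EXCESSIVE_BW = Override("Excessive-Bandwidth", "block", behaviors=frozenset({"Excessive-Bandwidth"}))
APPLE = Override("Apple", "allow", applications=frozenset({"Apple.FaceTime"}))
CATEGORIES = {"Collaboration": "allow"}


def exhibit_order():
    """Excessive-Bandwidth filter listed above the Apple filter, as in the exhibit."""
    return evaluate(ApplicationSensor([EXCESSIVE_BW, APPLE], CATEGORIES), FACETIME)


def apple_first():
    """Same entries with the Apple filter moved above the Excessive-Bandwidth filter."""
    return evaluate(ApplicationSensor([APPLE, EXCESSIVE_BW], CATEGORIES), FACETIME)


def no_overrides():
    """No overrides at all: only the category action applies."""
    return evaluate(ApplicationSensor([], CATEGORIES), FACETIME)


if __name__ == "__main__":
    print("exhibit order :", exhibit_order())
    print("Apple first   :", apple_first())
    print("no overrides  :", no_overrides())
```

The model makes the defender's point explicit: a filter override keyed on the Excessive-Bandwidth behaviour matches an application by its tag, not by measured throughput, so "only a few calls" never enters the decision; the only way to let FaceTime through is to place the Apple allow entry above it, which is the change the later comment in this thread describes.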

  Jordancueay 4 months, 1 week ago


B is the correct answer; this is just a tricky question. It says "if there are only a few calls originating or incoming?" and additionally the name of the filter is "excessive bandwidth".

In this case we only need to take into account the position of the filter, the application, and the action. Fortigate will analyze the filters from top to bottom like a regular firewall policy. Therefore we have position, then FaceTime and then action block; the final result will be "Block FaceTime".
upvoted 3 times

  Jordancueay 4 months, 1 week ago


I mean First position.

Page 310 Study guide Security module 7.2


upvoted 2 times

  D1360_1304 4 months, 1 week ago


B. correct
upvoted 2 times

  e359166 4 months, 4 weeks ago


Selected Answer: B

Similar example page 311 in the FortiGate Security study guide.


upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


B, Because matching the override, and contains FACETIME
Fortigate Security Guide 7.2 page 310 order of scan and blocking behavior:
1 - Application and filter overrides
2- Categories

1 application overrides in this case, blocking


upvoted 2 times

  NiciExam 5 months ago

Selected Answer: B

B because there is no threshold defined in the Excessive-Bandwidth filter


upvoted 1 times

  muttley1 5 months ago


B, based on priority of rule
upvoted 1 times

  ccnax2 5 months ago

Selected Answer: C

"if there are only a few calls originating or incoming?" indicates Facetime does not trigger the excessive bandwidth filter.
upvoted 2 times

  bgod 4 months, 1 week ago


This is wrong, it's based on priority. The traffic will be blocked because of excessive bandwidth. If you wanted this to operate in this way you need to place the Apple filter above the excessive bandwidth filter.
Ref. security page 311-312.
upvoted 2 times

  Takumi 5 months ago

Selected Answer: B
The answer is B
upvoted 1 times

  ansalias 5 months, 1 week ago


Selected Answer: C

Since the question states "if there are only a few calls originating or incoming?:
C should be the correct answer
upvoted 1 times
Question #78 Topic 1

Refer to the exhibit.

Why did FortiGate drop the packet?

A. It failed the RPF check.

B. The next-hop IP address is unreachable.

C. It matched an explicitly configured firewall policy with the action DENY.

D. It matched the default implicit firewall policy.

Correct Answer: C

Community vote distribution


D (100%)

  raydel92 3 months, 1 week ago

Selected Answer: D

D. It matched the default implicit firewall policy.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  Melazizy 3 months, 3 weeks ago


Answer is D
As the default implicit deny policy ID is 0
upvoted 2 times

  Halmonte0780 4 months, 4 weeks ago


D is correct.
Policy ID 0 is default implicit deny
FortiGate_Security_7.2 page 50
upvoted 3 times

  krisu96 5 months ago

Selected Answer: D

Right answer is D
upvoted 1 times

  Takumi 5 months ago

Selected Answer: D

The answer is D
upvoted 1 times

  Lapegues 5 months, 1 week ago

Selected Answer: D

D. It matched the default implicit firewall policy.


upvoted 2 times

  lupnoob 5 months, 1 week ago

Selected Answer: D

Policy ID 0 is implicit deny policy.


upvoted 2 times

  ansalias 5 months, 1 week ago


Selected Answer: D
D is the correct answer.
Policy ID 0 is the default policy (the implicit deny) that comes by default on the FortiGate.
upvoted 4 times

  imwatever 5 months, 1 week ago

Selected Answer: D

https://www.fortinetguru.com/2016/03/what-is-policy-id-0-and-why-lot-of-denied-traffic-on-this-policy/
upvoted 3 times

  nambomm 5 months, 1 week ago


Answer is D
upvoted 2 times

  skappa_exams 5 months, 1 week ago


Policy 0 seems to be implicit deny so D
upvoted 2 times
Question #79 Topic 1

What is a reason for triggering IPS fail open?

A. The IPS socket buffer is full and the IPS engine cannot process additional packets.

B. The IPS engine cannot decode a packet.

C. The IPS engine is upgraded.

D. The administrator enabled NTurbo acceleration.

Correct Answer: C

Community vote distribution


A (100%)

  shilp21 2 months, 2 weeks ago

Selected Answer: A

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-socket-size-and-fail-open-mode/ta-p/191254
upvoted 1 times

  darkstar15 4 months, 1 week ago


There is also a reference in the Administration Guide, page 1313
A fail-open scenario is triggered when IPS raw socket buffer is full. Therefore IPS engine has no space in memory to create more sessions and
needs to decide whether to drop the sessions or bypass the sessions without inspection
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


A is the correct answer.
FortiGate_Security_7.2_Study_Guide Page 418
upvoted 2 times

  Dave304409 5 months ago


Selected Answer: A

A is the correct answer.


upvoted 1 times

  Takumi 5 months ago

Selected Answer: A

The answer is A
upvoted 1 times

  Lapegues 5 months ago

Selected Answer: A

source : Fortinet community: Technical Tip: IPS - 'socket size' and 'fail-open' mode
upvoted 1 times

  itmaxuser 5 months, 1 week ago


A is correct
upvoted 1 times

  lupnoob 5 months, 1 week ago

Selected Answer: A

Answer is A.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-socket-size-and-fail-open-mode/ta-p/191254#:~:text=A%20'fail%2Dopen'%20scenario,or%20bypass%20them%20without%20inspection.
upvoted 1 times

  nambomm 5 months, 1 week ago


A is the right answer.
upvoted 1 times

  ansalias 5 months, 1 week ago

Selected Answer: A

A is the correct answer.

The IPS socket buffer is full, see Infrastructure Guide p.368


upvoted 2 times

  imwatever 5 months, 1 week ago

Selected Answer: A

Sec 7.2 p.418


upvoted 1 times

  nambomm 5 months, 1 week ago


Answer is A
upvoted 1 times
Question #80 Topic 1

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

A. VDOMs without ports with connected devices are not displayed in the topology.

B. Downstream devices can connect to the upstream device from any of their VDOMs.

C. Security rating reports can be run individually for each configured VDOM.

D. Each VDOM in the environment can be part of a different Security Fabric.

Correct Answer: B

Community vote distribution


A (91%) 9%

  raydel92 3 months, 1 week ago

Selected Answer: A

A. VDOMs without ports with connected devices are not displayed in the topology.

FortiGate Security 7.2 Study Guide (p.436):


"When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed
when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of
this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices
are not displayed. All VDOMs configured must be part of a single Security Fabric."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  Halmonte0780 4 months, 4 weeks ago


Answer is A.
Security study guide 7.2 page 436.
upvoted 2 times

  ccnax2 5 months ago

Selected Answer: A

Answer is A.

Downstream FortiGate devices must connect to the upstream FortiGate from its management VDOM.
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/721683/deploying-the-security-fabric-in-a-multi-vdom-environment
upvoted 3 times

  Dave304409 5 months ago


Selected Answer: A

Answer is A
upvoted 1 times

  Takumi 5 months ago


Selected Answer: A

The answer is A
upvoted 1 times

  GANGA2021 5 months ago

Selected Answer: A

Answer is A. C is not correct because they cannot be generated individually


upvoted 1 times

  lupnoob 5 months, 1 week ago

Selected Answer: A

Answer is A.
Security study guide 7.2 page 436.
upvoted 1 times

  ansalias 5 months, 1 week ago


Selected Answer: C

C is correct. Security Guide p.450 "in multi-vdom mode, reports can be generated in the global vdom for all the vdoms"
upvoted 1 times
  imwatever 5 months, 1 week ago

Selected Answer: A

Sec 7.2 p.436


upvoted 1 times

  nambomm 5 months, 1 week ago


Answer is A
upvoted 1 times
Question #81 Topic 1

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

B. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

C. FortiGate automatically negotiates different local and remote addresses with the remote peer.

D. FortiGate automatically negotiates a new security association after the existing security association expires.

Correct Answer: D

Community vote distribution


B (94%) 6%

  raydel92 Highly Voted  3 months, 1 week ago

Selected Answer: B

B. FortiGate automatically brings up the IPsec tunnel...

FortiGate Infrastructure 7.2 Study Guide (p.264):


"...then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do
this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away."
"Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When
you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic.
However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you
enable Auto-negotiate, Autokey Keep Alive is implicitly enabled."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 6 times

  itzuy06 Most Recent  2 months, 3 weeks ago

Selected Answer: B

B. FortiGate automatically brings up the IPsec tunnel...


upvoted 2 times

  Garry_G 3 months, 2 weeks ago


Selected Answer: D

Looking at this document:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536

it sounds like "B" is directed at the keep-alive feature, which (AFAIK) doesn't re-establish the P2 if it is down, while D appears to be the correct
answer in this case ... also that document references the fact that enabling auto-neg also implicitly activates the keep-alive feature for the tunnel ...
upvoted 1 times

  Jumpy007 2 months, 3 weeks ago


In answer D before it expires not after is probably incorrect.
upvoted 2 times

  darkstar15 4 months ago


The correct answer is B:
Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic.
upvoted 2 times

  Halmonte0780 4 months, 4 weeks ago


B is correct.
FortiGate infrastructure 7.2 page 264
upvoted 2 times

  exiled2019 5 months ago


D is correct
upvoted 1 times

  NiciExam 5 months ago

Selected Answer: B

B is correct
upvoted 2 times
  ccnax2 5 months ago

Selected Answer: B

If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Auto-negotiate initiates the phase 2 SA
negotiation automatically, repeating every five seconds until the SA is established.
upvoted 2 times

  Dave304409 5 months ago


Selected Answer: B

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536
upvoted 2 times

  Takumi 5 months ago


Selected Answer: B

The answer is B
upvoted 1 times

  Lapegues 5 months ago

Selected Answer: B

answer
upvoted 1 times

  itmaxuser 5 months, 1 week ago


B is correct see FortiGate infrastructure 7.2 page 264
upvoted 3 times

  lupnoob 5 months, 1 week ago

Selected Answer: B

Infra 7.2 page 264.


upvoted 1 times

  nambomm 5 months, 1 week ago


B is the right answer. It is not after; it is before an SA fails that the SA renegotiates.
upvoted 3 times
Question #82 Topic 1

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

A. The matching firewall policy is set to proxy inspection mode.

B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

C. The full SSL inspection feature does not have a valid license.

D. The browser does not trust the certificate used by FortiGate for SSL inspection.

Correct Answer: D

Community vote distribution


D (100%)

  raydel92 3 months, 1 week ago

Selected Answer: D

D. The browser does not trust the certificate used by FortiGate for SSL inspection.

FortiGate Security 7.2 Study Guide (p.235):


"If FortiGate receives a trusted SSL certificate, then it generates a temporary certificate signed by the built-in Fortinet_CA_SSL certificate and sends
it to the browser. If the browser trusts the Fortinet_CA_SSL certificate, the browser completes the SSL handshake. Otherwise, the browser also
presents a warning message informing the user that the site is untrusted. In other words, for this function to work as intended, you must import
the Fortinet_CA_SSL certificate into the trusted root CA certificate store of your browser."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


D is the Answer.
Fortigate Security 7.2 page 235
upvoted 2 times

  Takumi 5 months ago

Selected Answer: D

The answer is D
upvoted 1 times

  lupnoob 5 months, 1 week ago


Selected Answer: D

Yep, the answer is D.


upvoted 2 times
Question #83 Topic 1

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A. idle-timeout

B. login-timeout

C. udp-idle-timer

D. session-ttl

Correct Answer: B

Community vote distribution


B (100%)

  raydel92 3 months, 1 week ago

Selected Answer: B

B. login-timeout

FortiGate Infrastructure 7.2 Study Guide (p.222):


"When connected to SSL VPN over high latency connections, FortiGate can time out the client before the client can finish the negotiation process,
such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl settings have been added to address this. The first
command allows you to set up the login timeout, replacing the previous hard timeout value. The second command allows you to set up the
maximum DTLS hello timeout for SSL VPN connections."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  darkstar15 4 months ago


The answer is B:
Latency or poor network connectivity can cause the login timeout on the FortiGate. In FortiOS 5.6.0 and later, use the following commands to allow
a user to increase the SSL VPN login timeout setting.
upvoted 2 times

  Halmonte0780 4 months, 4 weeks ago


B is correct, FortiGate infrastructure 7.2 page 222
upvoted 2 times

  Dave304409 5 months ago

Selected Answer: B

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
upvoted 2 times

  Takumi 5 months ago

Selected Answer: B

The answer is B
upvoted 1 times

  itmaxuser 5 months, 1 week ago


B is correct, FortiGate infra 7.2 page 222
upvoted 1 times
Question #84 Topic 1

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.

Which order must FortiGate use when the web filter profile has features such as safe search enabled?

A. DNS-based web filter and proxy-based web filter

B. Static URL filter, FortiGuard category filter, and advanced filters

C. FortiGuard category filter and rating filter

D. Static domain filter, SSL inspection filter, and external connectors filters

Correct Answer: B

Community vote distribution


B (100%)

  raydel92 3 months, 1 week ago

Selected Answer: B

B. Static URL filter, FortiGuard category filter, and advanced filters

FortiGate Security 7.2 Study Guide (p.285):


"Remember that the web filtering profile has several features. So, if you have enabled many of them, the inspection order flows as follows:
1. The local static URL filter
2. FortiGuard category filtering (to determine a rating)
3. Advanced filters (such as safe search or removing Active X components)"

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


The answer is B
Fortigate Security 7.2 Study Guide page 285
upvoted 2 times

  Dave304409 5 months ago

Selected Answer: B

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filtering-order-of-execution/ta-p/196179
upvoted 1 times

  Takumi 5 months ago


Selected Answer: B

The answer is B
upvoted 1 times
Question #85 Topic 1

Refer to the exhibit.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

What are two solutions for satisfying the requirement? (Choose two.)

A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.

B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.

C. Set the Freeware and Software Downloads category Action to Warning.

D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

Correct Answer: AD

Community vote distribution


BD (80%) AD (20%)

  raydel92 Highly Voted  3 months, 1 week ago

Selected Answer: BD

B. Configure a web override rating for download.com and select Malicious...


D. Configure a static URL filter entry for download.com with Type and Action...

FortiGate Security 7.2 Study Guide (p.268-269):


"If you want to make an exception, for example, rather than unblock access to a potentially unwanted category, change the website to an allowed
category. You can also do the reverse. You can block a website that belongs to an allowed category."
"Static URL filtering is another web filter feature. Configured URLs in the URL filter are checked against the visited websites. If a match is found, the
configured action is taken. URL filtering has the same patterns as static domain filtering: simple, regular expressions, and wildcard."

A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com... (incorrect because you still allow root
domain)

Download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 5 times

  Jumpy007 Most Recent  3 months ago

Selected Answer: BD

FortiGate Security 7.2 Study Guide (p.268-269)


upvoted 1 times
  jeroenptrs93 3 months, 3 weeks ago

Selected Answer: BD

I don't think it's A because of "object for *.download.com"


you can still reach it with https://download.com. The *. doesn't apply to https://download.com iirc
upvoted 1 times

  rian00z_ 4 months ago


Selected Answer: BD

As the Brazilian guys say, "Trust in daddy!..."


Correct answers: BD
upvoted 1 times

  darkstar15 4 months ago


Hi, I think B and D are correct:
B: If you want to make an exception, for example, rather than unblock access to a potentially unwanted category,

change the website to an allowed category. You can also do the reverse. You can block a website that belongs to an allowed category.
Remember that changing categories does not automatically result in a different action for the website. This depends on the settings within the
web filter profile.
The image shows us a category set to deny within the profile (Malicious Websites).
upvoted 1 times

  Tedmus 4 months ago


Selected Answer: BD

I would go for B & D.


C is definitely wrong, and A is too complicated to achieve this.
NSE4-SEC Page 268+269 for reference.
Even the "wildcard" statement should not be a problem.
upvoted 4 times

  alessandro2039 4 months ago


Could anyone tell me why B,D isn't the correct answer? I would never create a new firewall policy to block a single site but I have many times in the
past used web override ratings to block or unblock sites while leaving the rest intact.
upvoted 1 times

  pramodbs 4 months, 1 week ago


My vote is AB
upvoted 1 times

  link13 4 months, 2 weeks ago


I think D is incorrect because the type should be "simple" not "wildcard". My vote is A & B.
upvoted 1 times

  e359166 4 months, 3 weeks ago

Selected Answer: AD

FortiGate Security 7.2 study guide


A. web filter profiles flow based Page 263
D. URL Filtering Page 269
upvoted 3 times

  TommyMaru 4 months, 3 weeks ago


I think B should work.
upvoted 1 times

  GANGA2021 5 months ago


Why not B?
upvoted 2 times

  Javier2021 4 months, 3 weeks ago


I believe it is because the profile is in Flow-based mode.
upvoted 1 times
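
Added example (not from the study guide or from any post above): a small Python model of the three-stage inspection order quoted under Q84 (static URL filter, then FortiGuard category rating, then advanced filters such as safe search) that also replays the two Q85 fixes, a rating override to Malicious Websites and a wildcard static URL entry. The FortiGuard ratings, the peer site filehippo.com and the matching rules for simple and wildcard entries are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class UrlFilterEntry:
    """One static URL filter entry, with the types and actions the thread names."""
    pattern: str
    type: str    # "simple", "wildcard" or "regex"
    action: str  # "block", "allow", "monitor" or "exempt"

    def matches(self, host: str) -> bool:
        if self.type == "simple":
            # assumption: a simple entry matches the host and its subdomains
            return host == self.pattern or host.endswith("." + self.pattern)
        if self.type == "wildcard":
            # '*' stands for any run of characters, so "*.download.com" does
            # NOT match the bare host "download.com" (jeroenptrs93's point)
            regex = "^" + re.escape(self.pattern).replace(r"\*", ".*") + "$"
            return re.match(regex, host) is not None
        if self.type == "regex":
            return re.search(self.pattern, host) is not None
        raise ValueError(f"unknown URL filter type {self.type}")

@dataclass
class WebFilterProfile:
    static_urls: list = field(default_factory=list)
    category_actions: dict = field(default_factory=dict)  # category -> action
    rating_overrides: dict = field(default_factory=dict)  # host -> category
    safe_search: bool = False

def lookup(table: dict, host: str):
    """Entry for host or its closest parent domain (assumed rating behaviour)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def inspect(profile: WebFilterProfile, host: str, fortiguard: dict) -> dict:
    """Walk the three stages in order and report which stage decided."""
    # 1. local static URL filter: the first matching entry decides
    for entry in profile.static_urls:
        if entry.matches(host):
            if entry.action in ("block", "allow", "exempt"):
                # assumption: allow and exempt stop further web filter checks
                return {"stage": "static-url", "action": entry.action}
            break  # monitor: log and keep going
    # 2. FortiGuard category rating; a local rating override takes precedence
    category = lookup(profile.rating_overrides, host) or lookup(fortiguard, host) or "Unrated"
    action = profile.category_actions.get(category, "allow")
    if action in ("block", "warning"):
        return {"stage": "category", "action": action, "category": category}
    # 3. advanced filters only see traffic allowed by stages 1 and 2
    return {"stage": "advanced", "action": "allow", "category": category,
            "safe_search": profile.safe_search}

# constructed FortiGuard ratings standing in for the live service
FORTIGUARD = {"download.com": "Freeware and Software Downloads",
              "filehippo.com": "Freeware and Software Downloads",  # constructed peer site
              "search.example": "Search Engines and Portals"}

BASE_ACTIONS = {"Freeware and Software Downloads": "allow",
                "Malicious Websites": "block",
                "Search Engines and Portals": "allow"}

def profile_option_b() -> WebFilterProfile:
    """Q85 option B: re-rate download.com into a category the profile blocks."""
    return WebFilterProfile(category_actions=dict(BASE_ACTIONS),
                            rating_overrides={"download.com": "Malicious Websites"},
                            safe_search=True)

def profile_option_d() -> WebFilterProfile:
    """Q85 option D: static URL filter entry, type wildcard, action block."""
    return WebFilterProfile(category_actions=dict(BASE_ACTIONS),
                            static_urls=[UrlFilterEntry("*download.com*", "wildcard", "block")],
                            safe_search=True)

def q85_results(profile: WebFilterProfile) -> dict:
    return {h: inspect(profile, h, FORTIGUARD)["action"]
            for h in ("download.com", "www.download.com", "filehippo.com")}

if __name__ == "__main__":
    for name, p in (("B", profile_option_b()), ("D", profile_option_d())):
        print("option", name, q85_results(p))
    # Q84: a static block is decided at stage 1 and never reaches safe search
    print(inspect(profile_option_d(), "download.com", FORTIGUARD))
    print(inspect(profile_option_d(), "search.example", FORTIGUARD))
```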
Question #86 Topic 1

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The administrator disabled the WebServer firewall policy.

Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

A. 10.200.1.10

B. 10.0.1.254

C. 10.200.1.1

D. 10.200.3.1

Correct Answer: C
Community vote distribution
C (71%) A (29%)

  Gorgoyle Highly Voted  3 months, 3 weeks ago

Selected Answer: C

If WebServer firewall policy was active it would be A because: SNAT changes it to 10.200.1.10 due to VIP.
But correct is C due to the disabled WebServer firewall policy.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947
upvoted 7 times

  raydel92 3 months, 1 week ago


Even if WebServer firewall policy was active it would be C the correct answer. This traffic is coming from LAN to WAN, so match is in the first
policy which has NAT enabled, so it uses the outgoing interface IP address.
upvoted 6 times

  ccnax2 Highly Voted  5 months ago

Selected Answer: A

SNAT changes it to 10.200.1.10 due to VIP.


upvoted 5 times

  alaaomar1985 2 days, 21 hours ago


The VIP entry must be referenced in at least one firewall policy in order to use VIP's external IP for performing SNAT.
upvoted 1 times

  ccnax2 5 months ago


Disregard. Correct is C due to disabled the WebServer firewall policy.
upvoted 4 times

  MrSherman 2 months ago


Disabling the policy of the VIP does not deactivate the VIP.
On a VIP called one-to-one, or with no port forwarding assigned, the external IP address will be used to SNAT the internal IP address.
Try it on a lab.
upvoted 1 times

  DC095 1 month ago


The caveat is that there has to be an active firewall policy with the vip as the destination address object for the external vip to be used in
SNAT as well.
upvoted 1 times

  Deep_Purple 4 months, 3 weeks ago


You are correct.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947
upvoted 3 times

  yxpoh Most Recent  22 hours, 57 minutes ago


C
Fortigate Security 7.2 Study Guide Pg 112
If the policy with the VIP is disabled, FG will not use it for SNAT purposes.

Therefore the alternative would be the NAT rule used in Full_access, which, since there's no pool specified, will be PAT with the egress
interface IP of 10.200.1.1.
upvoted 1 times

  alaaomar1985 2 days, 21 hours ago


The VIP entry must be referenced in at least one firewall policy in order to use VIP's external IP for performing SNAT.
upvoted 1 times

  e86cb90 2 weeks ago

Selected Answer: C

VIPs are DNAT and this traffic is originating from LAN to WAN which would then use SNAT if enabled on the firewall policy.
upvoted 1 times

  MtoE 3 weeks, 5 days ago


Selected Answer: A

ChatGPT answer (XD): "Disabling a security policy on a Fortigate device will not deactivate the NAT VIP configured in it. The VIP will still translate
traffic regardless of the policy being disabled. The security policy and NAT VIP are separate configurations on the Fortigate device, and disabling
the security policy will not affect the operation of the NAT VIP"
upvoted 1 times

  alaaomar1985 2 days, 21 hours ago


The VIP entry must be referenced in at least one firewall policy in order to use VIP's external IP for performing SNAT.
upvoted 1 times
  Hummer1 1 month, 3 weeks ago

Selected Answer: C

The question is about SNAT so LAN to WAN rule, if traffic is destined from the LAN to WAN then it would NAT out over the WAN IP or if an IP pool
was present it would NAT out over that.
DNAT is inbound WAN to LAN so incoming traffic sent towards the VIP rule would be affected by the NAT.
I think the correct answer is C.
upvoted 1 times

  Sfeleka 1 month, 4 weeks ago


Selected Answer: C

C is the correct answer


upvoted 1 times

  MrSherman 2 months ago


Selected Answer: A

10.0.1.10 has been natted with 10.200.1.10 as one-on-one nat.


Disabling the VIP policy does not deactivate the VIP.
upvoted 1 times

  MrSherman 2 months ago


CORRECTION, C is the right one because the VIP policy is disabled.
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: C

C. 10.200.1.1

Traffic is coming from LAN to WAN, matches policy Full_Access which has NAT enabled, so traffic uses source IP address of outgoing interface.
Simple SNAT.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  kittituch01 3 months, 4 weeks ago


Selected Answer: C

C is correct
upvoted 3 times

  Retro 3 months, 4 weeks ago

Selected Answer: C

NAT enabled will use outgoing interface address


upvoted 3 times

  rian00z_ 4 months ago

Selected Answer: A

Correct answer: A
upvoted 2 times

  darkstar15 4 months ago


It's C.
Even though a VIP is configured, the scenario described is the reverse.
The example on this slide shows the most common use case for NAT: SNAT. FortiGate, acting as a NAT
device, translates the private IP address assigned to the PC to the public address assigned by your ISP. The private-to-public source address
translation is needed for the PC to access the internet web server.
Uses the outgoing interface address
upvoted 2 times

  Tedmus 4 months ago

Selected Answer: A

I would go for answer A.


- B: is the internal GW address for the LAN subnet
- D: is the destination address not the source
- C: is the WAN interface address, but this is not used for static one-to-one NAT - even when Policy 2 is disabled the VIP is still active.
Reference: NSE4-SEC, 7.2, Page 112 - same with DNS.
upvoted 3 times

  tinugeorge 3 months, 1 week ago


Actually page 112 of NSE4-SEC 7.2 says fortigate doesn't use the external IP for translating the source address of the web server if the policy, in
which the vip is referenced, is disabled or not referenced at all.
upvoted 1 times

  jeroenptrs93 3 months, 2 weeks ago


I understand what you're saying. But that rule is from Port 1 to Port 3. From WAN to LAN basically. The question here is what is source IP, when
packets go from LAN to WAN to the internet. Then it's simple NAT I think, and it uses the outgoing interface IP address
upvoted 1 times
Question #87 Topic 1

Refer to the exhibit to view the firewall policy.

Why would the firewall policy not block a well-known virus, for example eicar?

A. Web filter is not enabled on the firewall policy to complement the antivirus profile.

B. The firewall policy is not configured in proxy-based inspection mode.

C. The firewall policy does not apply deep content inspection.

D. The action on the firewall policy is not set to deny.

Correct Answer: C

Community vote distribution


C (100%)

  itzuy06 2 months, 3 weeks ago

Selected Answer: C

Halmonte0780 2 months, 1 week ago


C is correct
FortiGate Security 7.2 Study Guide page 368
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


C is correct
FortiGate Security 7.2 Study Guide page 368
upvoted 3 times

  Dave304409 5 months ago


Selected Answer: C

C is correct
upvoted 1 times

  Takumi 5 months ago

Selected Answer: C

The answer is C
upvoted 1 times

Question #88 Topic 1

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

A. Virtual IP addresses are used to distinguish between cluster members.

B. Heartbeat interfaces have virtual IP addresses that are manually assigned.

C. The primary device in the cluster is always assigned IP address 169.254.0.1.

D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Correct Answer: AD

Community vote distribution


AD (100%)

  raydel92 3 months, 1 week ago

Selected Answer: AD

A. Virtual IP addresses are used to distinguish between cluster members.


D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

FortiGate Infrastructure 7.2 Study Guide (p.301):


"FGCP automatically assigns the heartbeat IP addresses based on the serial number of each device. The IP address 169.254.0.1 is assigned to the
device with the highest serial number."
"A change in the heartbeat IP addresses may happen when a FortiGate device joins or leaves the cluster."
"The HA cluster uses the heartbeat IP addresses to distinguish the cluster members and synchronize data."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Halmonte0780 4 months, 4 weeks ago


Answers are A and D
Fortigate Infrastructure 7.2 Study Guide page 301
upvoted 2 times

  Takumi 5 months ago


Selected Answer: AD

The answers are A and D


upvoted 1 times

  lupnoob 5 months, 1 week ago


Selected Answer: AD

Yes A and D.
Infra 7.2 page 301.
upvoted 1 times

  imwatever 5 months, 1 week ago

Selected Answer: AD

https://networkinterview.com/fortigate-ha-high-availability/
upvoted 1 times

  nambomm 5 months, 1 week ago


A and D are correct
upvoted 1 times
Question #89 Topic 1

An administrator wants to simplify remote access without asking users to provide user credentials.

Which access control method provides this solution?

A. ZTNA IP/MAC filtering mode

B. ZTNA access proxy

C. SSL VPN

D. L2TP

Correct Answer: B

Community vote distribution


B (89%) 11%

  Ahabib80 2 months, 3 weeks ago

Selected Answer: A

IP/MAC filtering uses ZTNA tags to provide an additional factor for identification and security posture check to implement role-based zero trust
access.
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/855420/zero-trust-network-access-introduction
upvoted 1 times

  wwwwaaaa 1 month, 1 week ago


IP/MAC is not for remote users
upvoted 2 times

  raydel92 3 months, 1 week ago

Selected Answer: B

B. ZTNA access proxy

FortiGate Infrastructure 7.2 Study Guide (p.165):


"ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by
eliminating the use of VPNs."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


Answer is B
Fortigate Infrastructure 7.2 Study Guide page 165
upvoted 3 times

  Takumi 5 months ago


Selected Answer: B

The answer is B
upvoted 2 times

  lupnoob 5 months, 1 week ago


Selected Answer: B

Infra 7.2 ZTNA page 165


upvoted 3 times
Question #90 Topic 1

What are two features of collector agent advanced mode? (Choose two.)

A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

B. In advanced mode, security profiles can be applied only to user groups, not individual users.

C. Advanced mode uses the Windows convention—NetBios: Domain\Username.

D. Advanced mode supports nested or inherited groups.

Correct Answer: AD

Community vote distribution


AD (100%)

  raydel92 3 months, 1 week ago

Selected Answer: AD

A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
D. Advanced mode supports nested or inherited groups.

FortiGate Infrastructure 7.2 Study Guide (p.146):


"Also, advanced mode supports nested or inherited groups; that is, users can be members of subgroups that belong to monitored parent groups."
"In advanced mode, you can configure FortiGate as an LDAP client and configure the group filters on FortiGate. You can also configure group filters
on the collector agent."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  Halmonte0780 4 months, 4 weeks ago


A and D. Infrastructure guide 7.2, pag. 146:
- In advanced mode, you can configure FortiGate as an LDAP client and configure the group filters on FortiGate.
- Also, advanced mode supports nested or inherited groups.

C. Incorrect, Netbios is Standard mode.


B. Incorrect, in Advanced mode, FortiGate can apply security profiles to individual users, user groups, and OUs
upvoted 3 times

  NiciExam 5 months ago


Infra p. 146
A and D are correct
upvoted 1 times

  Takumi 5 months ago


Selected Answer: AD

The answers are A and D


upvoted 1 times
Question #91 Topic 1

Which three CLI commands can you use to troubleshoot Layer 3 issues, if the issue is in neither the physical layer nor the link layer? (Choose three.)

A. diagnose sniffer packet any

B. execute ping

C. diagnose sys top

D. execute traceroute

E. get system arp

Correct Answer: ABD

Community vote distribution


ABD (100%)

  raydel92 3 months, 1 week ago

Selected Answer: ABD

A. diagnose sniffer packet any


B. execute ping
D. execute traceroute

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  crose 3 months, 3 weeks ago


INFRA - 366 (for A)
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


A,B & D correct , layer 3

diagnose sys top - list of processes with most CPU


get system arp - show interface, IP, MAC (physical layer)
upvoted 4 times

  NiciExam 5 months ago


Selected Answer: ABD

A, B and D are correct


upvoted 2 times

  Takumi 5 months ago

Selected Answer: ABD

The answers are A, B and D


upvoted 1 times
Question #92 Topic 1

What are two scanning techniques supported by FortiGate? (Choose two.)

A. Machine learning scan

B. Antivirus scan

C. Ransomware scan

D. Trojan scan

Correct Answer: AB

Community vote distribution


AB (100%)

  raydel92 3 months, 1 week ago

Selected Answer: AB

A. Machine learning scan


B. Antivirus scan

FortiGate Security 7.2 Study Guide (p.341):


"Like viruses, which use many methods to avoid detection, FortiGate uses many techniques to detect viruses. These detection techniques include:
• Antivirus scan
• Grayware scan
• Machine learning (AI) scan
If all antivirus features are enabled, FortiGate applies the following scanning order: antivirus scan, followed by grayware scan, followed by AI scan."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


Answers are A and B
FortiGate Security 7.2 Study Guide page 341
upvoted 2 times

  Takumi 5 months ago

Selected Answer: AB

The answers are A and B


upvoted 1 times

  lupnoob 5 months, 1 week ago

Selected Answer: AB

Security 7.2 Antivirus page 341.


upvoted 1 times
Question #93 Topic 1

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.

Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)

A. In the IP pool configuration, set type to overload.

B. Configure 192.2.0.12/24 as the secondary IP address on port1.

C. In the firewall policy configuration, disable ippool.

D. In the IP pool configuration, set endip to 192.2.0.12.

E. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.

Correct Answer: ADE

Community vote distribution


ACD (91%) 9%

  PiotrSwi 1 month, 3 weeks ago

Selected Answer: ACD

ACD it is.
upvoted 1 times

  itzuy06 2 months, 3 weeks ago

Selected Answer: ADE

Correct Answer: ADE


upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: ACD

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times
  rian00z_ 4 months ago

Selected Answer: ACD

Correct answers: ACD


upvoted 2 times

  D1360_1304 4 months, 1 week ago


A, C and D are correct.
upvoted 1 times

  krisu96 4 months, 3 weeks ago

Selected Answer: ACD

A, C and D are the right answers


upvoted 1 times

  e359166 4 months, 3 weeks ago


Selected Answer: ACD

The three fix options are A, C, and D


E is incorrect
upvoted 1 times

  NiciExam 5 months ago


A, C and D are correct
upvoted 1 times

  Takumi 5 months ago

Selected Answer: ACD

The answers are A, C and D


upvoted 1 times

  GANGA2021 5 months ago


Selected Answer: ACD

D: If we disable Ippool via cli, the default will be overload. E: we create a new firewall policy but don't say anything about enable NAT, so this will
fail.
upvoted 2 times

  GANGA2021 5 months ago


I mean C disable ippool, A and D
upvoted 1 times

  itmaxuser 5 months, 1 week ago


D alone will work by itself, dunno why we have to select three things
upvoted 3 times
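
Added example (a constructed model, not FortiOS code or code from any post): how the source NAT address is picked in the Q86 and Q93 scenarios, following what the replies conclude: the first matching enabled policy is used, a VIP lends its external IP to SNAT only while an enabled policy references that VIP, otherwise the policy's IP pool (overload or one-to-one) is used, and with no pool the outgoing interface IP. The Q86 VIP mapping, and the Q93 interface address, pool range and PC addresses, are assumptions because the exhibits are not on the page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class IpPool:
    name: str
    type: str       # "overload" or "one-to-one"
    startip: str
    endip: str

    def addresses(self) -> list:
        first = int(ipaddress.ip_address(self.startip))
        last = int(ipaddress.ip_address(self.endip))
        return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]

@dataclass
class Vip:
    name: str
    extip: str
    mappedip: str

@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    nat: bool = False
    ippool: Optional[str] = None   # pool name, or None for the outgoing interface IP
    dstaddr: str = "all"           # "all" or a VIP name
    status: str = "enable"

@dataclass
class FortiGate:
    interfaces: dict               # interface name -> its IP address
    policies: list                 # evaluated top to bottom
    vips: dict = field(default_factory=dict)
    ippools: dict = field(default_factory=dict)
    one_to_one: dict = field(default_factory=dict)   # pool -> {private: public}

    def vip_in_active_policy(self, vip: Vip) -> bool:
        # the thread's caveat: a VIP lends its external IP to SNAT only while an
        # enabled policy references it as destination
        return any(p.status == "enable" and p.dstaddr == vip.name for p in self.policies)

    def snat(self, src_ip: str, srcintf: str, dstintf: str):
        """Return (translated source, reason) under the first matching policy."""
        policy = next((p for p in self.policies if p.status == "enable"
                       and p.srcintf == srcintf and p.dstintf == dstintf), None)
        if policy is None:
            return None, "no matching policy (implicit deny)"
        if not policy.nat:
            return src_ip, f"{policy.name}: NAT disabled"
        for vip in self.vips.values():
            if vip.mappedip == src_ip and self.vip_in_active_policy(vip):
                return vip.extip, f"{policy.name}: external IP of VIP {vip.name}"
        if policy.ippool is None:
            return self.interfaces[dstintf], f"{policy.name}: outgoing interface IP"
        pool = self.ippools[policy.ippool]
        if pool.type == "overload":
            return pool.addresses()[0], f"{policy.name}: pool {pool.name} (PAT)"
        mapping = self.one_to_one.setdefault(pool.name, {})
        if src_ip not in mapping:
            free = [a for a in pool.addresses() if a not in mapping.values()]
            if not free:
                return None, f"{policy.name}: one-to-one pool {pool.name} exhausted"
            mapping[src_ip] = free[0]
        return mapping[src_ip], f"{policy.name}: one-to-one pool {pool.name}"

def q86_fortigate(webserver_policy: str = "disable") -> FortiGate:
    """Exhibit values from Q86; the VIP mapping 10.200.1.10 -> 10.0.1.10 is assumed."""
    return FortiGate(
        interfaces={"port1": "10.200.1.1", "port3": "10.0.1.254"},
        vips={"WebServer": Vip("WebServer", "10.200.1.10", "10.0.1.10")},
        policies=[Policy("Full_Access", "port3", "port1", nat=True),
                  Policy("WebServer", "port1", "port3", dstaddr="WebServer",
                         status=webserver_policy)])

def q93_fortigate(pool_type="one-to-one", endip="192.2.0.11", use_pool=True) -> FortiGate:
    """Constructed Q93 lab: a two-address one-to-one pool shared by three PCs."""
    return FortiGate(
        interfaces={"port1": "192.2.0.1", "port2": "10.0.1.254"},
        ippools={"LAN_pool": IpPool("LAN_pool", pool_type, "192.2.0.10", endip)},
        policies=[Policy("Internet", "port2", "port1", nat=True,
                         ippool="LAN_pool" if use_pool else None)])

def q93_results(fg: FortiGate) -> list:
    """Translated source for PC1, PC2 and PC3 (constructed private addresses)."""
    return [fg.snat(ip, "port2", "port1")[0] for ip in ("10.0.1.11", "10.0.1.12", "10.0.1.13")]

if __name__ == "__main__":
    print(q86_fortigate().snat("10.0.1.10", "port3", "port1"))
    print(q86_fortigate("enable").snat("10.0.1.10", "port3", "port1"))
    print("one-to-one:", q93_results(q93_fortigate()))
    print("A overload:", q93_results(q93_fortigate(pool_type="overload")))
    print("C no pool: ", q93_results(q93_fortigate(use_pool=False)))
    print("D endip   :", q93_results(q93_fortigate(endip="192.2.0.12")))
```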
Question #94 Topic 1

Refer to the exhibit.

Based on the raw log, what can you conclude from the output? (Choose two.)

A. Traffic is blocked because Action is set to DENY in the firewall policy.

B. Traffic belongs to the root VDOM.

C. This is a security log.

D. Log severity is set to error on FortiGate.

Correct Answer: AC

Community vote distribution


BC (85%) Other

  Halmonte0780 Highly Voted  4 months, 4 weeks ago


B. VDOM=root
C. Security=UTM

D. Log severity is set to error on FortiGate. obviously wrong


B. Traffic belongs to the root VDOM. correct (vd="root")
A. Traffic is blocked because Action is set to DENY in the firewall policy. wrong (msg="URL belongs to a DENIED CATEGORY in policy" means the
traffic is blocked by "Security Profiles" but Action is allow in the firewall policy)
C. This is a security log. correct (type="utm")
upvoted 9 times

  itzuy06 Most Recent  2 months, 3 weeks ago

Selected Answer: AC

A: action=blocked; msg = "URL belongs to a denied category in policy" it's the same example as in the FortiGate Security pg. 178
C: Security: type=UTM
upvoted 1 times

  Jumpy007 3 months ago


Selected Answer: BC

FortiGate_Security_7.2_Course p. 176
B. vd="root"
C. Security log, log type = utm
upvoted 1 times

  raydel92 3 months, 1 week ago

Selected Answer: BC

B. Traffic belongs to the root VDOM.


C. This is a security log.

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  rian00z_ 4 months ago

Selected Answer: BC

Correct answers= BD
upvoted 1 times

  lupnoob 5 months ago

Selected Answer: BC
Answer is B, C.
upvoted 1 times

  Takumi 5 months ago


Selected Answer: BC

The answers are B and C


upvoted 1 times

  Takumi 5 months ago


Selected Answer: BD

The answers are B and D


upvoted 1 times

  ansalias 5 months, 1 week ago


Selected Answer: BC

B and C are correct,
A is not correct, because the log does not state that the firewall policy drops the packet. The log states it drop the packet because the web filter
profile blocks it. Profile is not the firewall policy.
upvoted 3 times

  imwatever 5 months, 1 week ago


Selected Answer: BC

"vd=root"
"type=utm"
upvoted 3 times
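
Added example: the raw log from the Q94 exhibit is not on the page, so the lines below are constructed key=value logs carrying the fields the replies reason from (vd, type, action, msg), one UTM web filter block and one traffic-log policy deny for contrast. The parser and the conclusion logic are illustrative code, not FortiGate's.

```python
import re

# constructed UTM log in FortiGate's key=value layout (not the exhibit's log)
UTM_BLOCK_LOG = ('date=2023-05-01 time=10:15:42 logid="0316013056" type="utm" '
                 'subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" '
                 'policyid=1 sessionid=123456 srcip=10.0.1.10 dstip=203.0.113.7 '
                 'service="HTTPS" hostname="download.com" action="blocked" '
                 'msg="URL belongs to a denied category in policy" cat=45 '
                 'catdesc="Freeware and Software Downloads"')

# constructed traffic log where the firewall policy itself denied the session
TRAFFIC_DENY_LOG = ('date=2023-05-01 time=10:16:05 logid="0000000013" type="traffic" '
                    'subtype="forward" level="notice" vd="root" srcip=10.0.1.10 '
                    'dstip=203.0.113.5 action="deny" policyid=0 '
                    'msg="Denied by forward policy check"')

# key=value pairs; quoted values may contain spaces and escaped quotes
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log(raw: str) -> dict:
    """Split a raw FortiGate log line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in FIELD.findall(raw):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields

def conclusions(fields: dict) -> dict:
    """Evaluate the four Q94 statements against the parsed fields."""
    log_type = fields.get("type")
    action = fields.get("action")
    # a security log is type=utm; a policy-level deny shows up as a traffic log
    # with action=deny, so a UTM "blocked" is the work of a security profile
    if log_type == "traffic":
        blocked_by = "firewall policy" if action == "deny" else None
    else:
        blocked_by = "security profile" if action == "blocked" else None
    return {
        "vdom": fields.get("vd"),
        "security_log": log_type == "utm",
        "blocked_by": blocked_by,
        "policy_deny": log_type == "traffic" and action == "deny",
        "level": fields.get("level"),
    }

if __name__ == "__main__":
    for raw in (UTM_BLOCK_LOG, TRAFFIC_DENY_LOG):
        print(conclusions(parse_log(raw)))
```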
Question #95 Topic 1

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

A. System time

B. FortiGuard update servers

C. Operating mode

D. NGFW mode

Correct Answer: CD

Community vote distribution


CD (100%)

  PiotrSwi 1 month, 3 weeks ago

Selected Answer: CD

C and D.
upvoted 1 times

  Jumpy007 3 months ago

Selected Answer: CD

*Operating mode (transparent mode and Nat Mode)


*NGFW mode (profile-based, policy-based)

Infrastructure guide 7.2, pages 90 and 91


upvoted 1 times

  raydel92 3 months, 1 week ago


Selected Answer: CD

C. Operating mode
D. NGFW mode

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


The correct answers are C, D

*Operating mode (transparent mode and Nat Mode)


*NGFW mode (profile-based, policy-based)

Infrastructure guide 7.2, pages 90 and 91


upvoted 2 times

  Takumi 5 months ago

Selected Answer: CD

The answers are C and D


upvoted 1 times
Question #96 Topic 1

Which inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

A. Flow-based inspection

B. Full content inspection

C. Certificate inspection

D. Proxy-based inspection

Correct Answer: A

Community vote distribution


A (100%)

  raydel92 3 months, 1 week ago

Selected Answer: A

A. Flow-based inspection

FortiGate Infrastructure 7.2 Study Guide (p.90):


"However, if NGFW mode is Policy-based, then the inspection mode for all policies in that VDOM is always flow and there is no option available in
the policy to change it."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


A is correct.
Infrastructure guide 7.2, page 90
upvoted 3 times

  Eggrolls 5 months ago


Selected Answer: A

A is correct.
FortiGate_Infrastructure_7.2 page 90.
upvoted 1 times

  Takumi 5 months ago

Selected Answer: A

The answer is A
upvoted 1 times
Question #97 Topic 1

What are two features of the NGFW policy-based mode? (Choose two.)

A. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.

B. NGFW policy-based mode does not require the use of central source NAT policy.

C. NGFW policy-based mode policies support only flow inspection.

D. NGFW policy-based mode can only be applied globally and not on individual VDOMs.

Correct Answer: AC

Community vote distribution


AC (100%)

  raydel92 3 months, 1 week ago

Selected Answer: AC

A. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.
C. NGFW policy-based mode policies support only flow inspection.

FortiGate Infrastructure 7.2 Study Guide (p.90):


"Policy-based mode is actually a new policy mode. You can add applications and web filtering categories directly to a policy without having to first
create and configure application control or web filtering profiles."
"However, if NGFW mode is Policy-based, then the inspection mode for all policies in that VDOM is always flow and there is no option available in
the policy to change it."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


A, C is correct.
Infrastructure guide 7.2, page 90
upvoted 2 times

  Takumi 5 months ago


Selected Answer: AC

The answers are A and C


upvoted 1 times
Question #98 Topic 1

What is the primary FortiGate election process when the HA override setting is disabled?

A. Connected monitored ports > Priority > HA uptime > FortiGate serial number

B. Connected monitored ports > System uptime > Priority > FortiGate serial number

C. Connected monitored ports > Priority > System uptime > FortiGate serial number

D. Connected monitored ports > HA uptime > Priority > FortiGate serial number

Correct Answer: D

Community vote distribution


D (100%)

  raydel92 3 months, 1 week ago

Selected Answer: D

D. Connected monitored ports > HA uptime > Priority > FortiGate serial number

FortiGate Infrastructure 7.2 Study Guide (p.294):


"Order when the HA override setting is disabled, which is the default behavior:
1. The cluster compares the number of monitored interfaces that have a status of up. The member with the most available monitored interfaces
becomes the primary.
2. The cluster compares the HA uptime of each member. The member with the highest HA uptime, by at least five minutes, becomes the primary.
3. The member with the highest priority becomes the primary.
4. The member with the lowest serial number becomes the primary."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 4 times

  crose 3 months, 3 weeks ago


INF > 295
Connected Ports >> Priority >> HA uptime >> SN
The higher number = primary
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


Answer Correct is D.

If Override DISABLED then: ports > HA Uptime > Priority > SN.
If Override ENABLED then: ports > Priority > HA Uptime > SN

Infrastructure guide 7.2, pages 294 and 295


upvoted 4 times

  Takumi 5 months ago


Selected Answer: D

The answer is D
upvoted 1 times

  Dave304409 5 months ago


Selected Answer: D

Correct
upvoted 1 times
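The election order quoted from the study guide above, worked through as code. This is an added example, not Fortinet code and not from the study guide: it models the two orders the comments describe (override disabled: monitored ports > HA uptime > priority > serial; override enabled: monitored ports > priority > HA uptime > serial), with the "by at least five minutes" rule applied to the HA uptime step. The `Member` records are constructed sample data, and applying the five-minute rule in the override-enabled order as well is an assumption.

```python
"""Simulate the FortiGate HA primary election order described in the study
guide excerpt. Added example, not Fortinet code; member data is constructed."""
from dataclasses import dataclass

FIVE_MINUTES = 5 * 60  # HA uptime only decides when the leader is ahead by this much


@dataclass
class Member:
    serial: str
    monitored_up: int   # monitored interfaces currently up
    ha_uptime: int      # seconds of HA uptime
    priority: int       # configured device priority


def _keep_max(members, key):
    """Keep only the members sharing the highest value of key (ties advance)."""
    best = max(key(m) for m in members)
    return [m for m in members if key(m) == best]


def _by_uptime(members):
    """HA uptime step: the leader wins only if ahead by at least five minutes;
    otherwise the comparison is inconclusive and every member advances.
    (Assumption: the same rule is applied whether override is on or off.)"""
    ordered = sorted(members, key=lambda m: m.ha_uptime, reverse=True)
    if len(ordered) > 1 and ordered[0].ha_uptime - ordered[1].ha_uptime < FIVE_MINUTES:
        return members
    return [ordered[0]]


def _by_priority(members):
    return _keep_max(members, lambda m: m.priority)


def elect_primary(members, override=False):
    """Return the Member that becomes primary.

    override=False: monitored ports > HA uptime > priority > lowest serial
    override=True:  monitored ports > priority > HA uptime > lowest serial
    """
    cands = _keep_max(list(members), lambda m: m.monitored_up)
    steps = [_by_priority, _by_uptime] if override else [_by_uptime, _by_priority]
    for step in steps:
        if len(cands) == 1:
            break
        cands = step(cands)
    # Final tie-break: the lowest serial number wins.
    return min(cands, key=lambda m: m.serial)


if __name__ == "__main__":
    a = Member("FGT-B-0001", monitored_up=2, ha_uptime=10000, priority=200)
    b = Member("FGT-A-0001", monitored_up=2, ha_uptime=9000, priority=250)
    print("override disabled:", elect_primary([a, b]).serial)   # uptime decides
    print("override enabled: ", elect_primary([a, b], True).serial)  # priority decides
```

With override disabled, a higher-priority unit that joins later does not take over because HA uptime is compared before priority; enabling override is what makes priority decisive, which is why the two orders in Halmonte0780's comment differ only in the position of those two steps.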
Question #99 Topic 1

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A. The host field in the HTTP header

B. The subject alternative name (SAN) field in the server certificate

C. The subject field in the server certificate

D. The server name indication (SNI) extension in the client hello message

E. The serial number in the server certificate

Correct Answer: BCD

Community vote distribution


BCD (100%)

  raydel92 3 months, 1 week ago

Selected Answer: BCD

B. The subject alternative name (SAN) field in the server certificate


C. The subject field in the server certificate
D. The server name indication (SNI) extension in the client hello message

FortiGate Security 7.2 Study Guide (p.230):


"FortiGate parses server name indication (SNI) from client Hello, which is an extension of the TLS protocol. The SNI tells FortiGate the hostname of
the SSL server, which is validated against the DNS name before receipt of the server certificate. If there is no SNI exchanged, then FortiGate
identifies the server by the value in the Subject field or SAN (subject alternative name) field in the server certificate."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 2 times

  crose 3 months, 3 weeks ago


To determine hostname when looking at SSL certificate inspection
Fortigate uses the SNI (server name indication)
If there is no SNI then the FG will look at the Subject field and SAN (Subject alternative name)
B,C,D - Halmonte is correct
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


Answers are B, C, D

FortiGate Security 7.2 Study Guide page 230

During the exchange of hello messages at the beginning of an SSL handshake, FortiGate parses server name indication (SNI) from client Hello,
which is an extension of the TLS protocol.
The SNI tells FortiGate the hostname of the SSL server, which is validated against the DNS name before receipt of the server certificate.
If there is no SNI exchanged, then FortiGate identifies the server by the value in the Subject field or SAN (subject alternative name) field in the
server certificate.
upvoted 2 times

  Takumi 5 months ago


Selected Answer: BCD

The answers are B, C and D


upvoted 1 times
Question #100 Topic 1

How can you disable RPF checking?

A. Disable fail-detect on the interface level settings.

B. Disable strict-src-check under system settings.

C. Unset fail-alert-interfaces on the interface level settings.

D. Disable src-check on the interface level settings.

Correct Answer: D

Community vote distribution


D (100%)

  raydel92 3 months, 1 week ago

Selected Answer: D

D. Disable src-check on the interface level settings.

FortiGate Infrastructure 7.2 Study Guide (p.41):


"config system interface
edit <interface>
set src-check disable
next
end"

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times

  crose 3 months, 3 weeks ago


config system interface
edit <interface>
set src-check disable
next
end

D
upvoted 1 times

  Halmonte0780 4 months, 4 weeks ago


Answer is D

Infrastructure guide 7.2, page 41


upvoted 2 times

  Takumi 5 months ago


Selected Answer: D

The answer is D
upvoted 1 times

  Dave304409 5 months ago


Selected Answer: D

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338
upvoted 1 times
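What the `src-check` setting above actually switches off, as an added example (not Fortinet code and not from the study guide): a model of the reverse path forwarding check in loose mode (any active route to the source through the ingress interface is enough) and strict mode (the best route to the source must point out the ingress interface), plus the per-interface bypass when src-check is disabled. The routing table and packets are constructed sample data; the `Route`, `rpf_check` and `best_route` names are this example's own.

```python
"""Model FortiGate's RPF check (loose and strict) and the per-interface
src-check bypass. Added example, not Fortinet code; routes are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    interface: str
    distance: int = 10


# Constructed routing table: LAN subnet on port3, everything else via WAN port1.
ROUTES = [
    Route("0.0.0.0/0", "port1"),
    Route("10.0.0.0/8", "port1", distance=20),
    Route("10.0.1.0/24", "port3"),
]


def matching_routes(routes, src_ip):
    """All active routes whose prefix covers the packet's source address."""
    ip = ipaddress.ip_address(src_ip)
    return [r for r in routes if ip in ipaddress.ip_network(r.prefix)]


def best_route(routes, src_ip):
    """Longest-prefix match, lowest distance on ties (the route FIB would use)."""
    found = matching_routes(routes, src_ip)
    if not found:
        return None
    return max(found, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


def rpf_check(routes, ingress, src_ip, strict=False, src_check=True):
    """Return (accepted, reason) for a packet from src_ip arriving on ingress.

    src_check=False models 'set src-check disable' on the ingress interface.
    strict=True models 'strict-src-check': the best route must use ingress.
    """
    if not src_check:
        return True, "src-check disabled on ingress interface: RPF skipped"
    if strict:
        best = best_route(routes, src_ip)
        if best is None:
            return False, "strict: no route to source"
        ok = best.interface == ingress
        return ok, f"strict: best route {best.prefix} is via {best.interface}"
    via_ingress = [r for r in matching_routes(routes, src_ip) if r.interface == ingress]
    if via_ingress:
        return True, f"loose: route {via_ingress[0].prefix} via {ingress} covers source"
    return False, "loose: no route to source via ingress interface"


if __name__ == "__main__":
    for iface, src, strict in [("port3", "10.0.1.10", False), ("port1", "10.0.1.10", False),
                               ("port1", "10.0.1.10", True), ("port3", "192.168.5.5", False)]:
        print(iface, src, "strict" if strict else "loose", rpf_check(ROUTES, iface, src, strict))
```

The interesting case is a LAN-addressed packet (10.0.1.10) arriving on the WAN interface: loose mode accepts it because the default route via port1 also covers the source, while strict mode rejects it because the best route for that address goes out port3. Disabling src-check removes both checks, so the setting is worth reviewing on any interface where spoofed sources would otherwise be caught.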
Question #101 Topic 1

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.

What must the administrator do to achieve this objective?

A. The administrator must register the same FortiToken on more than one FortiGate device.

B. The administrator must use the user self-registration server.

C. The administrator must use a FortiAuthenticator device.

D. The administrator must use a third-party RADIUS OTP server.

Correct Answer: C

Community vote distribution


C (100%)

  raydel92 3 months ago

Selected Answer: C

C. The administrator must use a FortiAuthenticator device.

FortiGate Security 7.2 Study Guide (p.150):


"You cannot register the same FortiToken on more than one FortiGate. If you want to use the same FortiToken for authentication on multiple
FortiGate devices, you must use a central validation server, such as FortiAuthenticator. In that case, FortiTokens are registered and assigned to
users on FortiAuthenticator, and FortiGate uses FortiAuthenticator as its validation server."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times

  Halmonte0780 4 months, 4 weeks ago


Answer is C

FortiGate Security 7.2 Study Guide page 150


upvoted 1 times

  Takumi 5 months ago

Selected Answer: C

The answer is C
upvoted 1 times
Question #102 Topic 1

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the central SNAT policy and IP pool configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching central SNAT policies will be applied.

Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

A. 10.200.1.99

B. 10.200.1.1

C. 10.200.1.49

D. 10.200.1.149

Correct Answer: A

Community vote distribution


A (92%) 8%

  besi05 Highly Voted  5 months ago

Selected Answer: A

A is correct; ping is ICMP, so protocol 1. Protocol 1 is enabled on access list id 2, which has destination address SNAT-remote 1
upvoted 8 times

  Halmonte0780 Highly Voted  4 months, 4 weeks ago


It's A because of the protocol number.
Ping = ICMP

Ping is ICMP protocol, protocol number = 1

=> SNAT policy ID 1 is the policy that is used.
=> Translated address is "SNAT-Remote1", which is 10.200.1.99
upvoted 6 times

  Jumpy007 Most Recent  3 months ago

Selected Answer: A

Protocol number 1 ICMP Internet Control Message Protocol


https://www.fortinetguru.com/2018/12/protocol-number/
upvoted 1 times

  raydel92 3 months ago


Selected Answer: A

A. 10.200.1.99

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times

  D1360_1304 4 months, 2 weeks ago


A. Correct - is for ICMP
B. Incorrect -
C. Incorrect - is for TCP protocol
D. Incorrect - is for IGMP protocol
upvoted 4 times

  Takumi 5 months ago

Selected Answer: A

The real answer is A


upvoted 2 times

  Takumi 5 months ago


Selected Answer: D

The answer is D
upvoted 1 times
Question #103 Topic 1

Refer to the exhibits.

The exhibits contain a network interface configuration, firewall policies, and a CLI console configuration.

How will the FortiGate device handle user authentication for traffic that arrives on the LAN interface?

A. All users will be prompted for authentication; users from the HR group can authenticate successfully with the correct credentials.

B. If there is a fall-through policy in place, users will not be prompted for authentication.

C. All users will be prompted for authentication; users from the sales group can authenticate successfully with the correct credentials.

D. Authentication is enforced only at a policy level; all users will be prompted for authentication.

Correct Answer: A

Community vote distribution


A (89%) 11%

  Halmonte0780 Highly Voted  4 months, 4 weeks ago


Answer is A
FortiGate_Security_7.2 page 166
Captive portal will not allow traffic without valid authentication. It happens at the interface level, before the firewall policy.

Configured on FortiGate:
- captive portal authentication required
- Authentication failed message for Sales users
- Authentication success for HR users
- second policy used by HR users

Interface LAN (port3) is configured to authenticate and only allow HR to access. "All users will be prompted for authentication; users from the HR
group can authenticate successfully with the correct credentials."
upvoted 8 times

  laberitcanarias Most Recent  3 months ago


Answer is A
Not B: "Alternatively, only on the CLI, you can change the auth-on-demand option to always. This instructs FortiGate to trigger an authentication
request, if there is a firewall policy with active authentication enabled. In this case, the traffic is allowed until authentication is successful."
upvoted 1 times

  raydel92 3 months ago


Selected Answer: A

A. All users will be prompted for authentication; users from the HR group can authenticate successfully with the correct credentials.

FortiGate Security 7.2 Study Guide (p.166):


"If you want to have all users connect to a specific interface, then it is better to enable captive portal authentication at the interface level. This way,
all devices must authenticate before they are allowed to access any resources."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 4 times

  azmiit 4 months, 1 week ago

Selected Answer: A

answer is A
upvoted 2 times

  Sreput33 4 months, 1 week ago


The answer is definitely B
upvoted 1 times

  rian00z_ 5 months ago


Selected Answer: B

The answer is B
upvoted 1 times

  Takumi 5 months ago

Selected Answer: A

The answer is A
upvoted 2 times
Question #104 Topic 1

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.

What should the administrator do next, to troubleshoot the problem?

A. Execute a debug flow.

B. Capture the traffic using an external sniffer connected to port1.

C. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".

D. Run a sniffer on the web server.

Correct Answer: A

Community vote distribution


A (78%) D (22%)

  crose Highly Voted  3 months, 3 weeks ago


I can't see questions 105-109????
upvoted 5 times

  DanteHn 2 months, 3 weeks ago


Same here.
upvoted 3 times

  Engrmunna Most Recent  1 week, 6 days ago


Which answer should be used during the exam? The suggested answer or the answer from the community vote distribution?
upvoted 1 times

  e86cb90 2 weeks ago


Selected Answer: A

Interface is set to any and is checking all traffic on port 80. The webserver is directly connected to the FortiGate. We would see traffic destined to
port 80 with this sniffer. The only thing that makes sense is A.
upvoted 1 times

  Knowledge33 2 months, 3 weeks ago

Selected Answer: D

The answer is D, not A. It's not mentioned that the packet is blocked somewhere. As we can see from the sniffer command, we capture packets on all
interfaces. The packet arrives on the interface and is captured before being blocked if a policy exists.

We can see on the capture there is a SYN flood sent by the host, but we cannot see the reply from the web server (reply from port 80 to host
destination port). If the server replies (SYN-ACK), it should be on the capture.

We need to check on the server why there is no response. That's why we need to run a sniffer on the web server (answer D).
upvoted 2 times

  GCISystemIntegrator 2 months, 3 weeks ago


Hi guys, by any chance can anyone tell me if all the examtopics nse4 questions are on the exam?
upvoted 1 times

  Knowledge33 2 months, 3 weeks ago


Debug flow on the FortiGate will only help to confirm we do not receive anything from the server.
upvoted 1 times

  raydel92 3 months ago

Selected Answer: A

A. Execute a debug flow.

FortiGate Infrastructure 7.2 Study Guide (p.357):


"If FortiGate is dropping packets, can a packet capture (sniffer) be used to identify the reason? To find the cause, you should use the debug
(packet) flow."

Reference and download study guide:


https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 4 times

  Halmonte0780 4 months, 4 weeks ago


Answer is A, because the sniffer shows the ingressing and egressing packets, but we cannot see packets dropped by FortiGate in a sniffer. Debugging
can show the packets are not entering for any reason caused by FortiGate. So I believe if a packet reaches FortiGate and is dropped, debug will
show us.

Debug flow will definitely provide the reason why the packets are dropped.

Infrastructure guide 7.2, page 357


upvoted 3 times

  Takumi 5 months ago


Selected Answer: A

The answer is A
upvoted 2 times
