Question No. 1

Refer to the exhibits.

Exhibit A

Exhibit B

The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration.

How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

AIf there is a fall-through policy in place, users will not be prompted for authentication.

BAuthentication is enforced at a policy level; all users will be prompted for authentication.

CAll users will be prompted for authentication, users from the Sales group can authenticate successfully with the correct credentials.

DAll users will be prompted for authentication, users from the HR group can authenticate successfully with the correct credentials.

Show Answer

Correct Answer: D

Question No. 2

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

AThe server name indication (SNI) extension in the client hello message

BThe subject alternative name (SAN) field in the server certificate

CThe host field in the HTTP header

DThe serial number in the server certificate

EThe subject field in the server certificate

Show Answer

Correct Answer: A, B, E

A) The server name indication (SNI) extension in the client hello message. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The SNI extension is a feature of the TLS protocol that allows a client to indicate the hostname of the server it wants to connect to during the TLS handshake.This helps the server to present the appropriate certificate for the requested hostname, especially when the server hosts multiple domains on the same IP address1.FortiGate can use the SNI extension in the client hello message to identify the hostname of the SSL server and verify it against the server certificate2.

B) The subject alternative name (SAN) field in the server certificate. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The SAN field is an extension of the X.509 certificate standard that allows a certificate to specify multiple hostnames or IP addresses that are valid for the certificate.This helps the certificate to support multiple domains or subdomains on the same server, or multiple servers with different IP addresses3.FortiGate can use the SAN field in the server certificate to identify the hostname of the SSL server and verify it against the client request2.

E) The subject field in the server certificate. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The subject field is a part of the X.509 certificate standard that contains information about the identity of the entity that owns the certificate, such as common name, organization, country, and so on.The common name usually specifies the hostname or domain name of the server that owns the certificate4.FortiGate can use the subject field in the server certificate to identify the hostname of the SSL server and verify it against the client request2.

Question No. 3

How can you disable RPF checking?

ADisable strict-src-check under system settings.

BDisable src-check on the interface level settings

CUnset fail-alert-interfaces on the interface level settings.

DDisable fail-detect on the interface level settings.

Show Answer

Correct Answer: B

Question No. 4

What are two features of the NGFW policy-based mode? (Choose two.)

ANGFW policy-based mode does not require the use of central source NAT policy.

BNGFW policy-based mode can only be applied globally and not on individual VDOMs_

CNGFW policy-based mode policies support only flow inspection.

DNGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

Show Answer

Correct Answer: C, D

C) NGFW policy-based mode policies support only flow inspection. This is correct.This is a feature of the NGFW policy-based mode, according to the Fortinet documentation 'Profile-based NGFW vs policy-based NGFW'1. The documentation states that ''In policy-based NGFW mode, you can only select flow inspection. Proxy inspection is not supported.''

D) NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy. This is correct.This is a feature of the NGFW policy-based mode, according to the Fortinet documentation 'Profile-based NGFW vs policy-based NGFW'1. The documentation states that ''In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.''

Question No. 5

What is the primary FortiGate election process when the HA override setting is disabled?

AConnected monitored ports > Priority > HA uptime > FortiGate serial number

BConnected monitored ports > Priority > System uptime > FortiGate serial number

CConnected monitored ports > HA uptime > Priority > FortiGate serial number

DConnected monitored ports > System uptime > Priority > FortiGate serial number

Show Answer

Correct Answer: C

Free Fortinet NSE4_FGT-7.2 Exam Actual Questions

The questions for NSE4_FGT-7.2 were last updated On May 6, 2024