NSE4 Exam Questions - Online Test


NEW QUESTION 1
A FortiGate device is configured with four VDOMs: 'root' and 'vdom1' are in NAT/route mode; 'vdom2' and 'vdom3' are in transparent mode. The management VDOM is 'root'. Which of the following statements are true? (Choose two.)

  • A. An inter-VDOM link between 'root' and 'vdom1' can be created.
  • B. An inter-VDOM link between 'vdom1' and 'vdom2' can be created.
  • C. An inter-VDOM link between 'vdom2' and 'vdom3' can be created.
  • D. Inter-VDOM links must be manually configured for FortiGuard traffic.

Answer: AB

NEW QUESTION 2
Examine the exhibit; then answer the question below.
[Exhibit: image not included]
The Vancouver FortiGate initially had the following information in its routing table:
S 172.20.0.0/16 [10/0] via 172.21.1.2, port2
C 172.21.0.0/16 is directly connected, port2
C 172.11.11.0/24 is directly connected, port1
Afterwards, the following static route was added:
config router static
edit 6
set dst 172.20.1.0 255.255.255.0
set priority 0
set device port1
set gateway 172.11.12.1
next
Since this change, the new static route is NOT showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?

  • A. The subnet 172.20.1.0/24 is overlapped with the subnet of one static route that is already in the routing table (172.20.0.0/16), so, we need to enable allow-subnet-overlap first.
  • B. The 'gateway' IP address is NOT in the same subnet as the IP address of port1.
  • C. The priority is 0, which means that the route will remain inactive.
  • D. The static route configuration is missing the distance setting.

Answer: B

NEW QUESTION 3
In which portion of the configuration does an administrator specify the type of IPsec configuration (either policy-based or route-based)?

  • A. Under the IPsec VPN global settings.
  • B. Under the phase 2 settings.
  • C. Under the phase 1 settings.
  • D. Under the firewall policy settings.

Answer: D

NEW QUESTION 4
To which remote devices can the FortiGate send logs? (Choose three.)

  • A. Syslog
  • B. FortiAnalyzer
  • C. Hard drive
  • D. Memory
  • E. FortiCloud

Answer: ABE

NEW QUESTION 5
Which of the following actions can be used with the FortiGuard quota feature? (Choose three.)

  • A. Allow
  • B. Block
  • C. Monitor
  • D. Warning
  • E. Authenticate

Answer: CDE

NEW QUESTION 6
If there are no changes in the routing table and in the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate in NAT/Route mode, when searching for a suitable gateway?

  • A. A lookup is done only when the first packet coming from the client (SYN) arrives.
  • B. A lookup is done when the first packet coming from the client (SYN) arrives, and a second one is performed when the first packet coming from the server (SYN/ACK) arrives.
  • C. Three lookups are done during the TCP 3-way handshake (SYN, SYN/ACK, ACK).
  • D. A lookup is always done each time a packet arrives, from either the server or the client side.

Answer: B

NEW QUESTION 7
Which is NOT true about source matching with firewall policies?

  • A. A source address object must be selected in the firewall policy.
  • B. A source user/group may be selected in the firewall policy.
  • C. A source device may be defined in the firewall policy.
  • D. A source interface must be selected in the firewall policy.
  • E. A source user/group and device must be specified in the firewall policy.

Answer: E

NEW QUESTION 8
Which operating system vulnerabilities can you protect against when selecting signatures to include in an IPS sensor? (Choose three.)

  • A. Irix
  • B. QNIX
  • C. Linux
  • D. Mac OS
  • E. BSD

Answer: CDE

NEW QUESTION 9
Which of the following items does NOT support the Logging feature?

  • A. File Filter
  • B. Application control
  • C. Session timeouts
  • D. Administrator activities
  • E. Web URL filtering

Answer: C

NEW QUESTION 10
Which of the following IPsec configuration modes can be used when the FortiGate is running in NAT mode?

  • A. Policy-based VPN only
  • B. Both policy-based and route-based VPN.
  • C. Route-based VPN only.
  • D. IPSec VPNs are not supported when the FortiGate is running in NAT mode.

Answer: B

NEW QUESTION 11
A new version of FortiOS firmware has just been released. When you upload new firmware, which is true?

  • A. If you upload the firmware image via the boot loader's menu from a TFTP server, it will not preserve the configuration. But if you upload new firmware via the GUI or CLI, as long as you are following a supported upgrade path, FortiOS will attempt to convert the existing configuration to be valid with any new or changed syntax.
  • B. No settings are preserved. You must completely reconfigure.
  • C. No settings are preserved. After the upgrade, you must upload a configuration backup file. FortiOS will ignore any commands that are not valid in the new OS. In those cases, you must reconfigure settings that are not compatible with the new firmware.
  • D. You must use FortiConverter to convert a backup configuration file into the syntax required by the new FortiOS, then upload it to FortiGate.

Answer: A

NEW QUESTION 12
Which of the following Fortinet products can receive updates from the FortiGuard Distribution Network?

  • A. FortiGate
  • B. FortiClient
  • C. FortiMail
  • D. FortiAnalyzer

Answer: ABC

NEW QUESTION 13
Acme Web Hosting is replacing one of their firewalls with a FortiGate. It must be able to apply port forwarding to their back-end web servers while blocking virus uploads and TCP SYN floods from attackers. Which operation mode is the best choice for these requirements?

  • A. NAT/route
  • B. NAT mode with an interface in one-arm sniffer mode
  • C. Transparent mode
  • D. No appropriate operation mode exists

Answer: A

NEW QUESTION 14
Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled?

  • A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number.
  • B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number.
  • C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number.
  • D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number.

Answer: B

NEW QUESTION 15
Review the static route configuration for IPsec shown in the exhibit; then answer the question below.
[Exhibit: image not included]
Which statements are correct regarding this configuration? (Choose two.)

  • A. Interface remote is an IPsec interface.
  • B. A gateway address is not required because the interface is a point-to-point connection.
  • C. A gateway address is not required because the default route is used.
  • D. Interface remote is a zone.

Answer: AB

NEW QUESTION 16
With FSSO DC-agent mode, a domain user could authenticate either against the domain controller running the collector agent and domain controller agent, or a domain controller running only the domain controller agent.
If you attempt to authenticate with a domain controller running only the domain controller agent, which statements are correct? (Choose two.)

  • A. The login event is sent to a collector agent.
  • B. The FortiGate receives the user information directly from the receiving domain controller agent of the secondary domain controller.
  • C. The domain collector agent may perform a DNS lookup for the authenticated client's IP address.
  • D. The user cannot be authenticated with the FortiGate in this manner because each domain controller agent requires a dedicated collector agent.

Answer: AC

NEW QUESTION 17
Which statements are true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)

  • A. Only one proxy is supported.
  • B. Can be manually imported to the browser.
  • C. The browser can automatically download it from a web server.
  • D. Can include a list of destination IP subnets to which the browser can connect directly without using a proxy.

Answer: CD

NEW QUESTION 18
Bob wants to send Alice a file that is encrypted using public key cryptography.
Which of the following statements is correct regarding the use of public key cryptography in this scenario?

  • A. Bob will use his private key to encrypt the file and Alice will use her private key to decrypt the file.
  • B. Bob will use his public key to encrypt the file and Alice will use Bob’s private key to decrypt the file.
  • C. Bob will use Alice’s public key to encrypt the file and Alice will use her private key to decrypt the file.
  • D. Bob will use his public key to encrypt the file and Alice will use her private key to decrypt the file.

Answer: C

NEW QUESTION 19
Examine the output below from the diagnose sys top command:
[Exhibit: image not included]
Which statements are true regarding the output above? (Choose two.)

  • A. The sshd process is the one consuming most CPU.
  • B. The sshd process is using 123 pages of memory.
  • C. The command diagnose sys kill miglogd will restart the miglogd process.
  • D. All the processes listed are in sleeping state.

Answer: AD

NEW QUESTION 20
A static route is configured for a FortiGate unit from the CLI using the following commands:
config router static
edit 1
set device "wan1"
set distance 20
set gateway 192.168.100.1
next
end
Which of the following conditions are required for this static default route to be displayed in the FortiGate unit's routing table? (Choose two.)

  • A. The administrative status of the wan1 interface is displayed as down.
  • B. The link status of the wan1 interface is displayed as up.
  • C. All other default routers should have a lower distance.
  • D. The wan1 interface address and gateway address are on the same subnet.

Answer: BD

NEW QUESTION 21
Which IP packets can be hardware-accelerated by an NP6 processor? (Choose two.)

  • A. Fragmented packets.
  • B. Multicast packet.
  • C. SCTP packet.
  • D. GRE packet.

Answer: BC

NEW QUESTION 22
Which does FortiToken use as input when generating a token code? (Choose two.)

  • A. User password
  • B. Time
  • C. User name
  • D. Seed

Answer: AD

Explanation:
The token passcode is generated using a combination of the time and a secret key which is known only by the token and the FortiAuthenticator device. The token password changes at regular time intervals, and the FortiAuthenticator unit is able to validate the entered passcode using the time and the secret seed information for that token.

NEW QUESTION 23
Which statement best describes the objective of the SYN proxy feature available in SP processors?

  • A. Accelerate the TCP 3-way handshake
  • B. Collect statistics regarding traffic sessions
  • C. Analyze the SYN packet to decide if the new session can be offloaded to the SP processor
  • D. Protect against SYN flood attacks.

Answer: D

NEW QUESTION 24
Which two web filtering inspection modes inspect the full URL? (Choose two.)

  • A. DNS-based
  • B. Proxy-based
  • C. Flow-based
  • D. URL-based

Answer: BC

NEW QUESTION 25
Which statement describes what the CLI command diagnose debug authd fsso list is used for?

  • A. Monitors communications between the FSSO collector agent and FortiGate unit.
  • B. Displays which users are currently logged on using FSSO.
  • C. Displays a listing of all connected FSSO collector agents.
  • D. Lists all DC Agents installed on all domain controllers.

Answer: B

NEW QUESTION 26
The exhibit shows a FortiGate routing table.
[Exhibit: image not included]
Which of the following statements are correct? (Choose two.)

  • A. There is only one active default route.
  • B. The distance value for the route to 192.168.1.0/24 is 200.
  • C. An IP address in the subnet 172.16.78.0/24 has been assigned to the dmz interface.
  • D. The FortiGate will route the traffic to 172.17.1.2 to next hop with the IP address 192.168.11.254

Answer: AD

NEW QUESTION 27
Which of the following combinations of two FortiGate device configurations (side A and side B) can be used to successfully establish an IPsec VPN between them? (Choose two.)

  • A. Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: aggressive mode, remote gateway as static IP address, policy-based VPN.
  • B. Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: main mode, remote gateway as static IP address, route-based VPN.
  • C. Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: main mode, remote gateway as dialup, route-based VPN.
  • D. Side A: main mode, remote gateway as dialup, policy-based VPN. Side B: main mode, remote gateway as dialup, policy-based VPN.

Answer: BC

NEW QUESTION 28
An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?

  • A. The IPsec firewall policies must be placed at the top of the list.
  • B. This VPN cannot be used as a part of a hub and spoke topology.
  • C. Routes are automatically created based on the quick mode selectors.
  • D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.

Answer: D

NEW QUESTION 29
Which changes to IPS will reduce resource usage and improve performance? (Choose three)

  • A. In custom signatures, remove unnecessary keywords to reduce how far into the signature tree FortiGate must compare in order to determine whether the packet matches.
  • B. In IPS sensors, disable signatures and rate-based statistics (anomaly detection) for protocols, applications and traffic directions that are not relevant.
  • C. In IPS filters, switch from 'Advanced' to 'Basic' to apply only the most essential signatures.
  • D. In firewall policies where IPS is not needed, disable IPS.
  • E. In firewall policies where IPS is used, enable session start logs.

Answer: ABD
