Download Fortinet NSE 4 -FortiOS 7-2.NSE4_FGT-7.2.PremiumDumps.2023-12-18.66q.vcex

Vendor: Fortinet
Exam Code: NSE4_FGT-7.2
Exam Name: Fortinet NSE 4 -FortiOS 7-2
Date: Dec 18, 2023
File Size: 6 MB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
Which two statements explain antivirus scanning modes? (Choose two.)
  A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
  B. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
  C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.
  D. In flow-based inspection mode, files bigger than the buffer size are scanned.
Correct answer: BC
Explanation:
An antivirus profile in full scan mode buffers up to your specified file size limit. The default is 10 MB. That is large enough for most files, except video files. If your FortiGate model has more RAM, you may be able to increase this threshold. Without a limit, very large files could exhaust the scan memory. So, this threshold balances risk and performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is because of the difference between scans in theory, that have no limits, and scans on real-world devices, that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM--something that no device has in the real world. Most viruses are very small. This table shows a typical tradeoff. You can see that with the default 10 MB threshold, only 0.01% of viruses pass through.
Question 2
Refer to the web filter raw logs.
Based on the raw logs shown in the exhibit, which statement is correct?
  A. Social networking web filter category is configured with the action set to authenticate.
  B. The action on firewall policy ID 1 is set to warning.
  C. Access to the social networking web filter category was explicitly blocked to all users.
  D. The name of the firewall policy is all_users_web.
Correct answer: A
Explanation:
We have two logs, the first with action deny and the second with passthrough.
Remember: action="passthrough" means that authentication has occurred.
Question 3
An administrator wants to configure timeouts for users. Regardless of the user’s behavior, the timer should start as soon as the user authenticates and expire after the configured value.  
Which timeout option should be configured on FortiGate?
  A. auth-on-demand
  B. soft-timeout
  C. idle-timeout
  D. new-session
  E. hard-timeout
Correct answer: E
Explanation:
Security Guide P167  
Reference: 
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221 
Question 4
Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?
  A. To allow for out-of-order packets that could arrive after the FIN/ACK packets
  B. To finish any inspection operations
  C. To remove the NAT operation
  D. To generate logs.
Correct answer: A
Explanation:
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.
Question 5
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)
  A. SSH
  B. HTTPS
  C. FTM
  D. FortiTelemetry
Correct answer: AB
Explanation:
Security Guide P29  
Reference: 
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/99buildingsecurity-into-fortios
Question 6
How does FortiGate act when using SSL VPN in web mode?
  A. FortiGate acts as an FDS server.
  B. FortiGate acts as an HTTP reverse proxy.
  C. FortiGate acts as DNS server.
  D. FortiGate acts as router.
Correct answer: B
Explanation:
Infrastructure Guide P196  
Reference: 
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/Fortigate_v4.0MR3/fortigatesslvpn-40-mr3.pdf
Question 7
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.  
  • All traffic must be routed through the primary tunnel when both tunnels are up  
  • The secondary tunnel must be used only if the primary tunnel goes down  
  • In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover  
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
  A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
  B. Enable Dead Peer Detection.
  C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Correct answer: BC
Explanation:
Infrastructure Guide P256, P276  
Study Guide – IPsec VPN – IPsec configuration – Phase 1 Network.  
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.  
There are three DPD modes. On demand is the default mode.  
  
Study Guide – IPsec VPN – Redundant VPNs.  
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.  
Add at least one phase 2 definition for each phase 1.  
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup).  
Alternatively, use dynamic routing.  
Configure FW policies for each IPsec interface.  
Question 8
Which statement about video filtering on FortiGate is true?
  A. Full SSL Inspection is not required.
  B. It is available only on a proxy-based firewall policy.
  C. It inspects video files hosted on file sharing services.
  D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
Correct answer: B
Explanation:
Security Guide P279  
Reference: 
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering 
Question 9
Refer to the exhibits.
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.
Based on the system performance output, which two statements are correct? (Choose two.)
  A. Administrators can access FortiGate only through the console port.
  B. FortiGate has entered conserve mode.
  C. FortiGate will start sending all files to FortiSandbox for inspection.
  D. Administrators cannot change the configuration.
Correct answer: BD
Explanation:
Infrastructure Guide P367, P168  
configurable thresholds  
Though it is recommended to keep the default memory threshold, a new CLI command has been added to allow administrators to adjust the thresholds.  
Default values are:
  • red: 88% of total memory is considered "used memory"
  • extreme: 95% of total memory is considered "used memory"
  • green: 82% of total memory is considered "used memory"
Reference: 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Conserve-mode-changes/tap/198502 
Question 10
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
  A. System time
  B. FortiGuard update servers
  C. Operating mode
  D. NGFW mode
Correct answer: CD
Explanation:
C - "Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate."
D - "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide