NSE4_FGT-6.

Number: NSE4_FGT-6.0
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

NSE4_FGT-6.0

VCEConvert.com
Exam A

QUESTION 1
A company needs to provide SSL VPN access to two user groups. The company also needs to display different
welcome messages on the SSL VPN login screen for both user groups.

What is required in the SSL VPN configuration to meet these requirements?

A. Different SSL VPN realms for each group.

B. Two separate SSL VPNs in different interfaces mapping the same ssl.root.
C. Two firewall policies with different captive portals.
D. Different virtual SSL VPN IP addresses for each group.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the
firewall policy Destination field?

A. A VIP group
B. The mapped IP address object of the VIP object
C. A VIP object
D. An IP pool

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Which statement about FortiGuard services for FortiGate is true?

A. The web filtering database is downloaded locally on FortiGate.

B. Antivirus signatures are downloaded locally on FortiGate.
C. FortiGate downloads IPS updates using UDP port 53 or 8888.
D. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
View the exhibit.

VCEConvert.com
Based on this output, which statements are correct? (Choose two.)

A. The all VDOM is not synchronized between the primary and secondary FortiGate devices.
B. The root VDOM is not synchronized between the primary and secondary FortiGate devices.
C. The global configuration is synchronized between the primary and secondary FortiGate devices.
D. The FortiGate devices have three VDOMs.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5

VCEConvert.com
Which statement is true regarding SSL VPN timers? (Choose two.)

A. Allow to mitigate DoS attacks from partial HTTP requests.

B. SSL VPN settings do not have customizable timers.
C. Disconnect idle SSL VPN users when a firewall policy authentication timeout occurs.
D. Prevent SSL VPN users from being logged out because of high network latency.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
When using SD-WAN, how do you configure the next-hop gateway address for a member interface so that
FortiGate can forward Internet traffic?

A. It must be configured in a static route using the sdwan virtual interface.

B. It must be provided in the SD-WAN member interface configuration.
C. It must be configured in a policy-route using the sdwan virtual interface.
D. It must be learned automatically through a dynamic routing protocol.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which of the following statements describe WMI polling mode for the FSSO collector agent? (Choose two.)

A. The NetSessionEnum function is used to track user logoffs.

B. WMI polling can increase bandwidth usage in large networks.
C. The collector agent uses a Windows API to query DCs for user logins.
D. The collector agent do not need to search any security event logs.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Which statements about DNS filter profiles are true? (Choose two.)

A. They can inspect HTTP traffic.

B. They can redirect blocked requests to a specific portal.
C. They can block DNS requests to known botnet command and control servers.
D. They must be applied in firewall policies with SSL inspection enabled.

Correct Answer: CD
Section: (none)

VCEConvert.com
Explanation

Explanation/Reference:

QUESTION 9
An administrator has configured a dialup IPsec VPN with XAuth. Which statement best describes what occurs
during this scenario?

A. Phase 1 negotiations will skip preshared key exchange.

B. Only digital certificates will be accepted as an authentication method in phase 1.C
C. Dialup clients must provide a username and password for authentication.
D. Dialup clients must provide their local ID during phase 2 negotiations.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
An administrator has configured two VLAN interfaces:

A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5 interface.
However, the DHCP client cannot get a dynamic IP address from the DHCP server. What is the cause of the
problem?

A. Both interfaces must belong to the same forward domain.

B. The role of the VLAN10 interface must be set to server.
C. Both interfaces must have the same VLAN ID.
D. Both interfaces must be in different VDOMs.

Correct Answer: A
Section: (none)
Explanation

VCEConvert.com
Explanation/Reference:

QUESTION 11
You are configuring the root FortiGate to implement the security fabric. You are configuring port10 to
communicate with a downstream FortiGate. View the default Edit Interface in the exhibit below:

When configuring the root FortiGate to communicate with a downstream FortiGate, which settings are required
to be configured? (Choose two.)

A. Device detection enabled.

B. Administrative Access: FortiTelemetry.
C. IP/Network Mask.
D. Role: Security Fabric.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

VCEConvert.com
QUESTION 12
Which statements correctly describe transparent mode operation? (Choose three.)

A. All interfaces of the transparent mode FortiGate device must be on different IP subnets.
B. Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
C. The transparent FortiGate is visible to network hosts in an IP traceroute.
D. It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
E. FortiGate acts as transparent bridge and forwards traffic at Layer 2.

Correct Answer: BDE

Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
View the exhibit.

Which of the following statements are correct? (Choose two.)

A. This setup requires at least two firewall policies with the action set to IPsec.
B. Dead peer detection must be disabled to support this type of IPsec setup.
C. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the
TunnelB VPN is down.
D. This is a redundant IPsec setup.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14

VCEConvert.com
Which one of the following processes is involved in updating IPS from FortiGuard?

A. FortiGate IPS update requests are sent using UDP port 443.
B. Protocol decoder update requests are sent to service.fortiguard.net.
C. IPS signature update requests are sent to update.fortiguard.net.
D. IPS engine updates can only be obtained using push updates.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Which of the following conditions are required for establishing an IPSec VPN between two FortiGate devices?
(Choose two.)

A. If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer.
B. If the VPN is configured as route-based, there must be at least one firewall policy with the action set to
IPSec.
C. If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or
Dynamic DNS in the other peer.
D. If the VPN is configured as a policy-based in one peer, it must also be configured as policy-based in the
other peer.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
View the exhibit.

VCEConvert.com
Why is the administrator getting the error shown in the exhibit?

A. The administrator must first enter the command edit global.

B. The administrator admin does not have the privileges required to configure global settings.
C. The global settings cannot be configured from the root VDOM context.
D. The command config system global does not exist in FortiGate.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Examine the network diagram and the existing FGTI routing table shown in the exhibit, and then answer the
following question:

VCEConvert.com
An administrator has added the following static route on FGTI.

Since the change, the new static route is not showing up in the routing table. Given the information provided,
which of the following describes the cause of this problem?

A. The new route’s destination subnet overlaps an existing route.

B. The new route’s Distance value should be higher than 10.
C. The Gateway IP address is not in the same subnet as port1.
D. The Priority is 0, which means that this route will remain inactive.

Correct Answer: C
Section: (none)
Explanation

VCEConvert.com
Explanation/Reference:

QUESTION 18
View the exhibit.

Which users and user groups are allowed access to the network through captive portal?

A. Users and groups defined in the firewall policy.

B. Only individual users – not groups – defined in the captive portal configuration
C. Groups defined in the captive portal configuration
D. All users

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration
does not change when you enable policy-based inspection?

A. Web filtering
B. Antivirus
C. Web proxy
D. Application control

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
During the digital verification process, comparing the original and fresh hash results satisfies which security
requirement?

A. Authentication.
B. Data integrity.
C. Non-repudiation.
D. Signature verification.

Correct Answer: D
Section: (none)

VCEConvert.com
Explanation

Explanation/Reference:

QUESTION 21
Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple dialup tunnels?

A. In aggressive mode, the remote peers are able to provide their peer IDs in the first message.
B. FortiGate is able to handle NATed connections only in aggressive mode.
C. FortiClient only supports aggressive mode.
D. Main mode does not support XAuth for user authentication.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
An employee connects to the https://example.com on the Internet using a web browser. The web server’s
certificate was signed by a private internal CA. The FortiGate that is inspecting this traffic is configured for full
SSL inspection.

This exhibit shows the configuration settings for the SSL/SSH inspection profile that is applied to the policy that
is invoked in this instance. All other settings are set to defaults. No certificates have been imported into
FortiGate. View the exhibit and answer the question that follows.

Which certificate is presented to the employee’s web browser?

A. The web server’s certificate.

B. The user’s personal certificate signed by a private internal CA.
C. A certificate signed by Fortinet_CA_SSL.
D. A certificate signed by Fortinet_CA_Untrusted.

VCEConvert.com
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Examine the exhibit, which shows the output of a web filtering real time debug.

Why is the site www.bing.com being blocked?

A. The web site www.bing.com is categorized by FortiGuard as Malicious Websites.

B. The user has not authenticated with the FortiGate yet.
C. The web server IP address 204.79.197.200 is categorized by FortiGuard as Malicious Websites.
D. The rating for the web site www.bing.com has been locally overridden to a category that is being blocked.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

A. Include the group of guest users in a policy.

B. Extend timeout timers.
C. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.
D. Ensure all firewalls allow the FSSO required ports.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
When override is enabled, which of the following shows the process and selection criteria that are used to elect
the primary FortiGate in an HA cluster?

VCEConvert.com
A. Connected monitored ports > HA uptime > priority > serial number
B. Priority > Connected monitored ports > HA uptime > serial number
C. Connected monitored ports > priority > HA uptime > serial number
D. HA uptime > priority > Connected monitored ports > serial number

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

What are the expected actions if traffic matches this IPS sensor? (Choose two.)

A. The sensor will gather a packet log for all matched traffic.
B. The sensor will not block attackers matching the A32S.Botnet signature.
C. The sensor will block all attacks for Windows servers.
D. The sensor will reset all connections that match these signatures.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
How can you block or allow to Twitter using a firewall policy?

VCEConvert.com
A. Configure the Destination field as Internet Service objects for Twitter.
B. Configure the Action field as Learn and select Twitter.
C. Configure the Service field as Internet Service objects for Twitter.
D. Configure the Source field as Internet Service objects for Twitter.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement
about this IPsec VPN configuration is true?

A. A phase 2 configuration is not required.

B. This VPN cannot be used as part of a hub-and-spoke topology.
C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
D. The IPsec firewall policies must be placed at the top of the list.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate
issued to?

A. A CRL
B. A person
C. A subordinate CA
D. A root CA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
What settings must you configure to ensure FortiGate generates logs for web filter activity on a firewall policy
called Full Access? (Choose two.)

A. Enable Event Logging.

B. Enable a web filter security profile on the Full Access firewall policy.
C. Enable Log Allowed Traffic on the Full Access firewall policy.
D. Enable disk logging.

Correct Answer: BC
Section: (none)

VCEConvert.com
Explanation

Explanation/Reference:

QUESTION 31
View the exhibit:

Which statement about the exhibit is true? (Choose two.)

A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

B. port-VLAN1 is the native VLAN for the port1 physical interface.
C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Which action can be applied to each filter in the application control profile?

A. Block, monitor, warning, and quarantine

B. Allow, monitor, block and learn
C. Allow, block, authenticate, and warning
D. Allow, monitor, block, and quarantine

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
View the exhibit.

VCEConvert.com
Based on the configuration shown in the exhibit, what statements about application control behavior are true?
(Choose two.)

A. Access to all unknown applications will be allowed.

B. Access to browser-based Social.Media applications will be blocked.
C. Access to mobile social media applications will be blocked.
D. Access to all applications in Social.Media category will be blocked.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could
resolve this problem? (Choose two.)

A. Enable Allow Invalid SSL Certificates for the relevant security profile.
B. Change web browsers to one that does not support HPKP.
C. Exempt those web sites that use HPKP from full SSL inspection.
D. Install the CA certificate (that is required to verify the web server certificate) stores of users’ computers.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
View the exhibit.

VCEConvert.com
What does this raw log indicate? (Choose two.)

A. FortiGate blocked the traffic.

B. type indicates that a security event was recorded.
C. 10.0.1.20 is the IP address for lavito.tk.
D. policyid indicates that traffic went through the IPS firewall policy.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)

A. If the DHCP method fails, browsers will try the DNS method.
B. The browser needs to be preconfigured with the DHCP server’s IP address.
C. The browser sends a DHCPONFORM request to the DHCP server.
D. The DHCP server provides the PAC file for download.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Which of the following statements about the FSSO collector agent timers is true?

VCEConvert.com
A. The workstation verify interval is used to periodically check of a workstation is still a domain member.
B. The IP address change verify interval monitors the server IP address where the collector agent is
installed, and the updates the collector agent configuration if it changes.
C. The user group cache expiry is used to age out the monitored groups.
D. The dead entry timeout interval is used to age out entries with an unverified status.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the
default prof_admin profile is true?

A. It can create administrator accounts with access to the same VDOM.

B. It cannot have access to more than one VDOM.
C. It can reset the password for the admin account.
D. It can upgrade the firmware on the FortiGate device.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
By default, when logging to disk, when does FortiGate delete logs?

A. 30 days
B. 1 year
C. Never
D. 7 days

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Examine the exhibit, which contains a session diagnostic output.

VCEConvert.com
Which of the following statements about the session diagnostic output is true?

A. The session is in ESTABLISHED state.

B. The session is in LISTEN state.
C. The session is in TIME_WAIT state.
D. The session is in CLOSE_WAIT state.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

VCEConvert.com