NSE4_FGT-6.2 Premium PDF & Test Engine Files with 142 Questions & Answers [Q70-Q90]

Share

NSE4_FGT-6.2 Premium PDF & Test Engine Files with 142 Questions & Answers

Get 100% Real NSE4_FGT-6.2 Exam Questions, Accurate & Verified Answers As Seen in the Real Exam!

NEW QUESTION # 70
Which statement about FortiGuard services for FortiGate is true?

  • A. FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates.
  • B. The web filtering database is downloaded locally on FortiGate.
  • C. FortiGate downloads IPS updates using UDP port 53 or 8888.
  • D. Antivirus signatures are downloaded locally on FortiGate.

Answer: D


NEW QUESTION # 71
Refer to the exhibits.


Given the antivirus profile and file transfer output shown in the exhibits, why is FortiGate not blocking the eicar.comfile over FTP download?

  • A. Because deep-inspection must be enabled for FortiGate to fully scan FTP traffic
  • B. Because FortiGate needs to be operating in flow-based inspection mode in order to scan FTP traffic
  • C. Because the proxy options profile needs to scan FTP traffic on a non-standard port
  • D. Because the FortiSandbox signature database is required to successfully scan FTP traffic

Answer: C


NEW QUESTION # 72
Which condition must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

  • A. The public key of the web server certificate must be installed on the web browser.
  • B. The CA certificate that signed the web server certificate must be installed on the browser.
  • C. The web-server certificate must be installed on the browser.
  • D. The private key of the CA certificate that is signed the browser certificate must be installed on the browser.

Answer: B


NEW QUESTION # 73
Examine the network diagram shown in the exhibit, and then answer the following question:

A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes will satisfy this requirement on FGT1? (Choose two.)

  • A. 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]
  • B. 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]
  • C. 172.20.2.0/24 (1/150) via 10.10.1.2, port3 [10/0]
  • D. 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]

Answer: B,C


NEW QUESTION # 74
Which statements about a One-to-One IP pool are true? (Choose two.)

  • A. It is used for destination NAT.
  • B. It does not use port address translation.
  • C. It allows the fixed mapping of an internal address range to an external address range.
  • D. It allows the configuration of ARP replies.

Answer: B,D


NEW QUESTION # 75
View the exhibit.

A
user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

  • A. Addicting.Games is allowed based on the Application Overrides configuration.
  • B. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt.
  • C. Addicting.Games is blocked on the Filter Overrides configuration.
  • D. Addcting.Games is allowed based on the Categories configuration.

Answer: A


NEW QUESTION # 76
An employee connects to the https://example.com on the Internet using a web browser. The web server's certificate was signed by a private internal CA. The FortiGate that is inspecting this traffic is configured for full SSL inspection.
This exhibit shows the configuration settings for the SSL/SSH inspection profile that is applied to the policy that is invoked in this instance. All other settings are set to defaults. No certificates have been imported into FortiGate. View the exhibit and answer the question that follows.

Which certificate is presented to the employee's web browser?

  • A. The user's personal certificate signed by a private internal CA.
  • B. A certificate signed by Fortinet_CA_SSL.
  • C. The web server's certificate.
  • D. A certificate signed by Fortinet_CA_Untrusted.

Answer: B


NEW QUESTION # 77
Which of the following statements about central NAT are true? (Choose two.)

  • A. IP tool references must be removed from existing firewall policies before enabling central NAT.
  • B. Source NAT, using central NAT, requires at least one central SNAT policy.
  • C. Central NAT can be enabled or disabled from the CLI only.
  • D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Answer: A,C


NEW QUESTION # 78
Which statement about the IP authentication header (AH) used by IPsec is true?

  • A. AH does not provide any data integrity or encryption.
  • B. AH does not support perfect forward secrecy.
  • C. AH provides data integrity bur no encryption.
  • D. AH provides strong data integrity but weak encryption.

Answer: C


NEW QUESTION # 79
What information is flushed when the chunk-size value is changed in the config dlp settings?

  • A. The supported file types in the DLP filters
  • B. The file name patterns in the DLP filters
  • C. The database for DLP document fingerprinting
  • D. The archived files and messages

Answer: C

Explanation:
Explanation
https://help.fortinet.com/cli/fos50hlp/56/Content/FortiOS/fortiOS-cli-ref-56/config/dlp/settings.htm


NEW QUESTION # 80
View the exhibit.


What does this raw log indicate? (Choose two.)

  • A. FortiGate blocked the traffic.
  • B. 10.0.1.20 is the IP address for lavito.tk.
  • C. type indicates that a security event was recorded.
  • D. policyid indicates that traffic went through the IPS firewall policy.

Answer: A,C


NEW QUESTION # 81
What FortiGate configuration is required to actively prompt users for credentials?

  • A. You must assign users to a group for active authentication
  • B. You must position the firewall policy for active authentication before a firewall policy for passive authentication
  • C. You must enable one or more protocols that support active authentication on a firewall policy.
  • D. You must enable the Authentication setting on the firewall policy

Answer: A


NEW QUESTION # 82
HTTP public key pinning (HPKP) can be an obstacle to implementing full SSL inspection.
In which two ways can you resolve this problem? (Choose two.)

  • A. Enable Allow Invalid SSL Certificates for the relevant security profile.
  • B. Exempt those web sites that use HPKP from full SSL inspection.
  • C. Install the CA certificate (that is required to verify the web server certificate) in the certificate stores of users' computers.
  • D. Use a web browser that does not support HPKP.

Answer: B,D


NEW QUESTION # 83
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

  • A. Subject value
  • B. SMMIE Capabilities value
  • C. Subject Key Identifier value
  • D. Subject Alternative Name value

Answer: A


NEW QUESTION # 84
Examine this output from a debug flow:

Why did the FortiGate drop the packet?

  • A. It matched an explicitly configured firewall policy with the action DENY.
  • B. The next-hop IP address is unreachable.
  • C. It failed the RPF check.
  • D. It matched the default implicit firewall policy.

Answer: D

Explanation:
Explanation
https://kb.fortinet.com/kb/documentLink.do?externalID=13900


NEW QUESTION # 85
Which two conditions are required for establishing an IPsec VPN between two FortiGate devices? (Choose two.)

  • A. If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer.
  • B. If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or Dynamic DNS in the other peer.
  • C. If the VPN is configured as policy-based in one peer, it must also be configured as policy-based in the other peer.
  • D. If the VPN is configured as route-based, there must be at least one firewall policy with the action set to IPsec.

Answer: A,B


NEW QUESTION # 86
Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

  • A. FortiGate will use the port1 route as the primary candidate.
  • B. FortiGate will only actuate the port1 route in the routing table
  • C. FortiGate will route twice as much traffic to the port2 route
  • D. FortiGate will load balance all traffic across both routes.

Answer: A

Explanation:
Explanation
"If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path."


NEW QUESTION # 87
View the exhibit.

Based on this output, which statements are correct? (Choose two.)

  • A. The FortiGate devices have three VDOMs.
  • B. The root VDOM is not synchronized between the primary and secondary FortiGate devices.
  • C. The global configuration is synchronized between the primary and secondary FortiGate devices.
  • D. The all VDOM is not synchronized between the primary and secondary FortiGate devices.

Answer: B,C


NEW QUESTION # 88
Examine the routing database shown in the exhibit, and then answer the following question:

Which of the following statements are correct? (Choose two.)

  • A. The port3 default route has the lowest metric.
  • B. The port1 and port2 default routes are active in the routing table.
  • C. The port3 default route has the highest distance.
  • D. There will be eight routes active in the routing table.

Answer: B,C


NEW QUESTION # 89
An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

  • A. A phase 2 configuration is not required.
  • B. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
  • C. This VPN cannot be used as part of a hub-and-spoke topology.
  • D. The IPsec firewall policies must be placed at the top of the list.

Answer: B

Explanation:
Explanation
In a route-based configuration, FortiGate automatically adds a virtual interface eith the VPN name (Infrastructure Study Guide, 206)


NEW QUESTION # 90
......


The Fortinet NSE 4 - FortiOS 6.2 certification exam is intended for network security professionals who are responsible for designing, implementing, and managing networks that use Fortinet’s security products. NSE4_FGT-6.2 exam is also suitable for network engineers, administrators, and security analysts who want to improve their understanding of the Fortinet security platform. Fortinet NSE 4 - FortiOS 6.2 certification is a valuable asset for individuals who want to advance their careers in the network security industry and for organizations that want to ensure that their IT staff has the necessary skills and knowledge to manage their network security effectively.

 

NSE4_FGT-6.2 Premium Files Practice Valid Exam Dumps Question: https://www.dumpstorrent.com/NSE4_FGT-6.2-exam-dumps-torrent.html