Far Out NSE4_FGT-6.2 Testing Engine 2021

NEW QUESTION 1
Which of the following statements about virtual domains (VDOMs) are true? (Choose two.)

• A. The root VDOM is the management VDOM by default.
• B. A FortiGate device has 64 VDOMs, created by default.
• C. Each VDOM maintains its own system time.
• D. Each VDOM maintains its own routing table.

Answer: AD

NEW QUESTION 2
Which of the following statements about policy-based IPsec tunnels are true? (Choose two.)

• A. They can be configured in both NAT/Route and transparent operation modes.
• B. They support L2TP-over-IPsec.
• C. They require two firewall policies: one for each directions of traffic flow.
• D. They support GRE-over-IPsec.

Answer: AB

NEW QUESTION 3
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

• A. The public key of the web server certificate must be installed on the browser.
• B. The web-server certificate must be installed on the browser.
• C. The CA certificate that signed the web-server certificate must be installed on the browser.
• D. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

Answer: C

NEW QUESTION 4
What FortiGate configuration is required to actively prompt users for credentials?

• A. You must enable one or more protocols that support active authentication on a firewall policy.
• B. You must position the firewall policy for active authentication before a firewall policy for passive authentication
• C. You must assign users to a group for active authentication
• D. You must enable the Authentication setting on the firewall policy

Answer: C

NEW QUESTION 5
What criteria does FortiGate use to look for a matching firewall policy to process traffic? (Choose two.)

• A. Services defined in the firewall policy.
• B. Incoming and outgoing interfaces
• C. Highest to lowest priority defined in the firewall policy.
• D. Lowest to highest policy ID number.

Answer: AB

NEW QUESTION 6
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

• A. SMTP.Login.Brute.Force
• B. IMAP.Login.brute.Force
• C. ip_src_session
• D. Location: server Protocol: SMTP

Answer: B

NEW QUESTION 7
How does FortiGate select the central SNAT policy that is applied to a TCP session?

• A. It selects the SNAT policy specified in the configuration of the outgoing interface.
• B. It selects the first matching central SNAT policy, reviewing from top to bottom.
• C. It selects the central SNAT policy with the lowest priority.
• D. It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.

Answer: A

NEW QUESTION 8
View the exhibit.

Based on this output, which statements are correct? (Choose two.)

• A. The all VDOM is not synchronized between the primary and secondary FortiGate devices.
• B. The root VDOM is not synchronized between the primary and secondary FortiGate devices.
• C. The global configuration is synchronized between the primary and secondary FortiGate devices.
• D. The FortiGate devices have three VDOMs.

Answer: BC

NEW QUESTION 9
An administrator wants to create a policy-based IPsec VPN tunnel betweeb two FortiGate devices. Which configuration steps must be performed on both devices to support this scenario? (Choose three.)

• A. Define the phase 1 parameters, without enabling IPsec interface mode
• B. Define the phase 2 parameters.
• C. Set the phase 2 encapsulation method to transport mode
• D. Define at least one firewall policy, with the action set to IPsec.
• E. Define a route to the remote network over the IPsec tunnel.

Answer: ABD

Explanation:
A) FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf —> “Enable to reate route-based. Disable to create policy-based.”
B)
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Defining_VPN_Policies/Defin
—> “Specify the Phase 2 parameters”
D) FortiGate_Infrastructure_6.0_Study_Guide_v2-Online.pdf —> “In a policy-based configuration, only one firewall policy with the action IPsec is usually requerid”

NEW QUESTION 10
View the exhibit.


What does this raw log indicate? (Choose two.)

• A. FortiGate blocked the traffic.
• B. type indicates that a security event was recorded.
• C. 10.0.1.20 is the IP address for lavito.tk.
• D. policyid indicates that traffic went through the IPS firewall policy.

Answer: AB

NEW QUESTION 11
View the exhibit.

VDOM1 is operating in transparent mode VDOM2 is operating in NAT Route mode. There is an inteface VDOM link between both VDOMs. A client workstation with the IP address 10.0.1.10/24 is connected to port2. A web server with the IP address 10.200.1.2/24 is connected to port1.
What is required in the FortiGate configuration to route and allow connections from the client workstation to the web server? (Choose two.)

• A. A static or dynamic route in VDOM2 with the subnet 10.0.1.0/24 as the destination.
• B. A static or dynamic route in VDOM1 with the subnet 10.200.1.0/24 as the destination.
• C. One firewall policy in VDOM1 with port2 as the source interface and InterVDOM0 as the destination interface.
• D. One firewall policy in VDOM2 with InterVDOM1 as the source interface and port1 as the destination interface.

Answer: C

NEW QUESTION 12
Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.)

• A. Source IP
• B. Spillover
• C. Volume
• D. Session

Answer: CD

NEW QUESTION 13
Which statement is true regarding SSL VPN timers? (Choose two.)

• A. Allow to mitigate DoS attacks from partial HTTP requests.
• B. SSL VPN settings do not have customizable timers.
• C. Disconnect idle SSL VPN users when a firewall policy authentication timeout occurs.
• D. Prevent SSL VPN users from being logged out because of high network latency.

Answer: AD

NEW QUESTION 14
View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

• A. Addicting.Games is allowed based on the Application Overrides configuration.
• B. Addicting.Games is blocked on the Filter Overrides configuration.
• C. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt.
• D. Addcting.Games is allowed based on the Categories configuration.

Answer: A

NEW QUESTION 15
When using SD-WAN, how do you configure the next-hop gateway address for a member interface so that FortiGate can forward Internet traffic?

• A. It must be configured in a static route using the sdwan virtual interface.
• B. It must be provided in the SD-WAN member interface configuration.
• C. It must be configured in a policy-route using the sdwan virtual interface.
• D. It must be learned automatically through a dynamic routing protocol.

Answer: B

NEW QUESTION 16
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

• A. The IPS filter is missing the Protocol: HTTPS option.
• B. The HTTPS signatures have not been added to the sensor.
• C. A DoS policy should be used, instead of an IPS sensor.
• D. A DoS policy should be used, instead of an IPS sensor.
• E. The firewall policy is not using a full SSL inspection profile.

Answer: E

NEW QUESTION 17
View the exhibit.

Which of the following statements are correct? (Choose two.)

• A. This setup requires at least two firewall policies with the action set to IPsec.
• B. Dead peer detection must be disabled to support this type of IPsec setup.
• C. The TunnelB route is the primary route for reaching the remote sit
• D. The TunnelA route is used only if the TunnelB VPN is down.
• E. This is a redundant IPsec setup.

Answer: CD

NEW QUESTION 18
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

• A. A CRL
• B. A person
• C. A subordinate CA
• D. A root CA

Answer: D

NEW QUESTION 19
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

• A. To delete intermediary NAT devices in the tunnel path.
• B. To dynamically change phase 1 negotiation mode aggressive mode.
• C. To encapsulation ESP packets in UDP packets using port 4500.
• D. To force a new DH exchange with each phase 2 rekey.

Answer: AC

NEW QUESTION 20
View the exhibit:

Whichhe FortiGate handle web proxy traffic rue? (Choose two.)

• A. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
• B. port-VLAN1 is the native VLAN for the port1 physical interface.
• C. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
• D. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

Answer: AC

NEW QUESTION 21
Which statements correctly describe transparent mode operation? (Choose three.)

• A. All interfaces of the transparent mode FortiGate device must be on different IP subnets.
• B. Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
• C. The transparent FortiGate is visible to network hosts in an IP traceroute.
• D. It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
• E. FortiGate acts as transparent bridge and forwards traffic at Layer 2.

Answer: BDE

NEW QUESTION 22
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

• A. By default, FortiGate uses WINS servers to resolve names.
• B. By default, the SSL VPN portal requires the installation of a client’s certificate.
• C. By default, split tunneling is enabled.
• D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Answer: D

NEW QUESTION 23
......