• Home
  • Articles
  • [Dec 26, 2021] Powerful NSE4_FGT-6.4 PDF Dumps for NSE4_FGT-6.4 Questions [Q19-Q43]

[Dec 26, 2021] Powerful NSE4_FGT-6.4 PDF Dumps for NSE4_FGT-6.4 Questions [Q19-Q43]

Share

[Dec 26, 2021] Powerful NSE4_FGT-6.4 PDF Dumps for NSE4_FGT-6.4 Questions

Authentic NSE4_FGT-6.4 Dumps - Free PDF Questions to Pass

NEW QUESTION 19
Refer to the exhibits.


Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

  • A. Administrators cannot change the configuration.
  • B. FortiGate has entered conserve mode.
  • C. Administrators can access FortiGate only through the console port.
  • D. FortiGate will start sending all files to FortiSandbox for inspection.

Answer: A,D

 

NEW QUESTION 20
Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server?

  • A. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]
  • B. 0.0.0.0/0 [20/0] via 10.4.200.2, port2
  • C. 172.16.32.0/24 is directly connected, port1
  • D. 10.4.200.0/30 is directly connected, port2

Answer: C

 

NEW QUESTION 21
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

  • A. On HQ-FortiGate, set IKE mode to
  • B. On both FortiGate devices, set
  • C. On Remote-FortiGate, set port2
  • D. On HQ-FortiGate, disable Diffie-Helman group 2

Answer: A,B

 

NEW QUESTION 22
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre- shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

  • A. On Remote-FortiGate, set port2 as Interface.
  • B. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • C. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • D. On HQ-FortiGate, disable Diffie-Helman group 2.

Answer: C,D

 

NEW QUESTION 23
Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

  • A. Set the maximum session TTL value for the TELNET service object.
  • B. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
  • C. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
  • D. Create a new service object for TELNET and set the maximum session TTL.

Answer: A,C

 

NEW QUESTION 24
Refer to the exhibit.

The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?

  • A. 'host 10.0.0.50 and port 80'
  • B. 'host 192.168.0.1 and port 80'
  • C. 'host 10.0.0.50 and port 8080'
  • D. 'host 192.168.0.2 and port 8080'

Answer: D

 

NEW QUESTION 25
View the exhibit:

Which the FortiGate handle web proxy traffic rue? (Choose two.)

  • A. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
  • B. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
  • C. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
  • D. port-VLAN1 is the native VLAN for the port1 physical interface.

Answer: A,C

 

NEW QUESTION 26
Refer to the exhibits. Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.
Based on the system performance output, which two statements are correct? (Choose two.)

  • A. Administrators cannot change the configuration.
  • B. FortiGate has entered conserve mode.
  • C. Administrators can access FortiGate only through the console port.
  • D. FortiGate will start sending all files to FortiSandbox for inspection.

Answer: A,D

 

NEW QUESTION 27
Which two statements are true about the RPF check? (Choose two.)

  • A. The RPF check is run on the first reply packet of any new session.
  • B. The RPF check is run on the first sent and reply packet of any new session.
  • C. The RPF check is run on the first sent packet of any new session.
  • D. RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.

Answer: C,D

 

NEW QUESTION 28
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

  • A. A DoS policy should be used, instead of an IPS sensor.
  • B. The HTTPS signatures have not been added to the sensor.
  • C. A DoS policy should be used, instead of an IPS sensor.
  • D. The firewall policy is not using a full SSL inspection profile.
  • E. The IPS filter is missing the Protocol: HTTPS option.

Answer: D

 

NEW QUESTION 29
Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http://www.fortinet.com? (Choose two.)

  • A. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.
  • B. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.
  • C. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.
  • D. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

Answer: C,D

 

NEW QUESTION 30
Examine the exhibit, which contains a virtual IP and firewall policy configuration.



The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

  • A. 10.200.1.1
  • B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
  • C. 10.0.1.254
  • D. 10.200.1.10

Answer: B

Explanation:
Explanation: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall- 52/Firewall%20Objects/Virtual%20IPs.htm

 

NEW QUESTION 31
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

  • A. Subject Alternative Name
  • B. SMMIE Capabilitiesvalue
  • C. Subjectvalue
  • D. Subject Key Identifiervalue

Answer: C

 

NEW QUESTION 32
Refer to the exhibit.



The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2.
Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  • A. Set the Destination address as
  • B. Disable match-vip in the Deny
  • C. Set the Destination address as Web_server in the Deny policy.
  • D. Enable match vip in the Deny policy.

Answer: A,B

 

NEW QUESTION 33
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

  • A. A DoS policy should be used, instead of an IPS sensor.
  • B. The HTTPS signatures have not been added to the sensor.
  • C. A DoS policy should be used, instead of an IPS sensor.
  • D. The firewall policy is not using a full SSL inspection profile.
  • E. The IPS filter is missing the Protocol: HTTPS option.

Answer: D

 

NEW QUESTION 34
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

  • A. Captive portal is enabled in the interface.
  • B. The interface is a member of a zone.
  • C. The interface is a member of a virtual wire pair.
  • D. The operation mode is transparent.
  • E. The interface has been configured for one-arm sniffer.

Answer: C,D,E

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new- 54/Top_VirtualWirePair.htm

 

NEW QUESTION 35
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

  • A. The private key of the CA certificate that signed the browser certificate must be installed on the browser.
  • B. The CA certificate that signed the web-server certificate must be installed on the browser.
  • C. The public key of the web servercertificate must be installed on the browser.
  • D. The web-server certificate must be installed on the browser.

Answer: B

 

NEW QUESTION 36
Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

  • A. To finish any inspection operations
  • B. To generate logs
  • C. To allow for out-of-order packets that could arrive after the FIN/ACK packets
  • D. To remove the NAT operation

Answer: C

 

NEW QUESTION 37
Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

  • A. It is allowed and inspected as long as the inspection is flow based
  • B. It is dropped.
  • C. It is allowed, but with no inspection
  • D. It is allowed and inspected, as long as the only inspection required is antivirus.

Answer: B

 

NEW QUESTION 38
Refer to the exhibits.


The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but they areunableto leavereactions on videos or other types ofposts.
Which part ofthe policy configuration must you change to resolve the issue?

  • A. Additional application signatures arerequired to add to thesecurity policy.
  • B. Add Facebook in the URL category in the security policy.
  • C. Force access to Facebook using the HTTP service.
  • D. The SSL inspection needs tobe a deep content inspection.

Answer: D

 

NEW QUESTION 39
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

  • A. The server name indication (SNI) extension in the client hello message
  • B. The subject field in the server certificate
  • C. The subject alternative name (SAN) field in the server certificate
  • D. The serial number in the server certificate
  • E. The host field in the HTTP header

Answer: C,D,E

Explanation:
Explanation/Reference: https://checkthefirewall.com/blogs/fortinet/ssl-inspection

 

NEW QUESTION 40
Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

  • A. The IPS engine will continue to run in a normal state.
  • B. The IPS engine was unable to prevent an intrusion attack.
  • C. The IPS engine was blocking all traffic.
  • D. The IPS engine was inspecting high volume of traffic.

Answer: D

 

NEW QUESTION 41
Refer to the exhibit.

The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?

  • A. 'host 10.0.0.50 and port 80'
  • B. 'host 192.168.0.1 and port 80'
  • C. 'host 10.0.0.50 and port 8080'
  • D. 'host 192.168.0.2 and port 8080'

Answer: D

 

NEW QUESTION 42
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

  • A. System time
  • B. Operating mode
  • C. NGFW mode
  • D. FortiGuaid update servers

Answer: B,C

Explanation:
C: "Operating mode is per-VDOM setting. You can combine transparent mode VDOM's with NAT mode VDOMs on the same physical Fortigate.
D: "Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM" Page 125 of FortiGate_Infrastructure_6.4_Study_Guide

 

NEW QUESTION 43
......

Guaranteed Accomplishment with Newest Dec-2021 FREE : https://www.premiumvcedump.com/Fortinet/valid-NSE4_FGT-6.4-premium-vce-exam-dumps.html

Related Articles

more
Fortinet NSE4_FGT-6.4 Certification Practice Exam