Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

NSE4_FGT-6.2Free trial

By fortinet

Verified

25Q per page

Question 1

Examine the FortiGate configuration:

What will happen to unauthenticated users when an active authentication policy is followed by a fall through policy without authentication?

A: The user must log in again to authenticate.
B: The user will be denied access to resources without authentication.
C: The user will not be prompted for authentication.
D: User authentication happens at an interface level.

—

Question 2

When using WPAD DNS method, which FQDN format do browsers use to query the DNS server?

A: srv_proxy.<local-domain>/wpad.dat
B: srv_tcp.wpad.<local-domain>
C: wpad.<local-domain>
D: proxy.<local-domain>.wpad

—

Question 3

Which statement about a One-to-One IP pool is true?

A: It is used for destination NAT.
B: It limits the client to 64 connections per IP pool.
C: It allows the fixed mapping of an internal address range to an external address range.
D: It does not use port address translation.

—

Question 4

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A: The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
B: The sensor will block all attacks aimed at Windows servers.
C: The sensor will reset all connections that match these signatures.
D: The sensor will gather a packet log for all matched traffic.

—

Question 5

An administrator wants to throttle the total volume of SMTP sessions to their email server.
Which DoS sensor can the administrator use to achieve this?

A: ip_src_session
B: ip_dst_session
C: udp_flood
D: tcp_port_scan

—

Question 6

A FortiGate device has multiple VDOMs.
Which statement about an administrator account configured with the default prof_admin profile is true?

A: It can upgrade the firmware on the FortiGate device.
B: It can reset the password for the admin account.
C: It can create administrator accounts with access to the same VDOM.
D: It cannot have access to more than one VDOM.

—

Question 7

During the digital verification process, comparing the original and fresh hash results satisfies which security requirement?

A: Signature verification
B: Authentication
C: Data integrity
D: Non-deniability

—

Question 8

Which three statements correctly describe transparent mode operation? (Choose three.)

A: The transparent FortiGate is visible to network hosts in an IP traceroute.
B: FortiGate acts as a transparent bridge and forwards traffic at Layer 2.
C: Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
D: It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
E: All interfaces on the transparent mode FortiGate device must be on different IP subnets.

—

Question 9

Which two statements about conserve mode are true? (Choose two.)

A: Administrators can access the FortiGate only through the console port.
B: FortiGate stops doing RPF checks over incoming packets.
C: FortiGate stops sending files to FortiSandbox for inspection.
D: Administrators cannot change the configuration.

—

Question 10

Which two features are supported by web filter in flow-based inspection mode with NGFW mode set to profile-based? (Choose two.)

A: Search engines
B: FortiGuard Quotas
C: Static URL
D: Rating option

—

Question 11

Refer to the exhibit.

Given the FortiGate CLI output, why is the administrator getting the error shown in the exhibit?

A: The administrator must first enter the command edit global.
B: The administrator admin does not have the privileges required to configure global settings.
C: The command config system global does not exist in FortiGate.
D: The global settings cannot be configured from the root VDOM context.

—

Question 12

An administrator has configured a dialup IPsec VPN with XAuth.
Which statement best describes what occurs during this scenario?

A: Dialup clients must provide their local ID during phase 2 negotiations.
B: Only digital certificates will be accepted as an authentication method in phase 1.
C: Phase 1 negotiations will skip preshared key exchange.
D: Dialup clients must provide a username and password for authentication.

—

Question 13

Consider a new IPsec deployment with the following criteria:
✑ All satellite offices must connect to the two HQ sites.
✑ The satellite offices do not need to communicate directly with other satellite offices.
✑ Backup VPN is not required.
✑ The design should minimize the number of tunnels being configured.
Which topology should you use to satisfy all of the requirements?

A: Partial mesh
B: Redundant
C: Full mesh
D: Hub-and-spoke

—

Question 14

When override is enabled, which option shows the process and selection criteria that is used to elect the primary FortiGate in an HA cluster?

A: Connected monitored ports > HA uptime > priority > serial number
B: HA uptime > priority > Connected monitored ports > serial number
C: Priority > Connected monitored ports > HA uptime > serial number
D: Connected monitored ports > priority > HA uptime > serial number

—

Question 15

HTTP public key pinning (HPKP) can be an obstacle to implementing full SSL inspection.
In which two ways can you resolve this problem? (Choose two.)

A: Enable Allow Invalid SSL Certificates for the relevant security profile.
B: Exempt those web sites that use HPKP from full SSL inspection.
C: Install the CA certificate (that is required to verify the web server certificate) in the certificate stores of users' computers.
D: Use a web browser that does not support HPKP.

—

Question 16

A company needs to provide SSL VPN access to two user groups. The company also needs to display a different welcome message for each group, on the SSL
VPN login.
To meet these requirements, what is required in the SSL VPN configuration?

A: Different virtual SSL VPN IP addresses for each group
B: Two separate SSL VPNs in different interfaces mapping the same ssl.root
C: Two firewall policies with different captive portals
D: Different SSL VPN realms for each group

—

Question 17

Which two route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)

A: Metric
B: Priority
C: Cost
D: Distance

—

Question 18

Which two statements are true when using WPAD with the DHCP discovery method? (Choose two.)

A: If the DHCP method fails, browsers will try the DNS method.
B: The browser sends a DHCPINFORM request to the DHCP server.
C: The DHCP server provides the PAC file for download.
D: The browser needs to be preconfigured with the DHCP server IP address.

—

Question 19

Refer to the exhibit.

Based on the firewall configuration shown in the exhibit, which two statements about application control behavior are true? (Choose two.)

A: Access to browser-based Social.Media applications will be blocked.
B: Access to mobile social media applications will be blocked.
C: Access to all applications in the Social.Media category will be blocked.
D: Access to all unknown applications will be allowed.

—

Question 20

Which two statements about SSL VPN timers are true? (Choose two.)

A: SSL VPN settings do not have customizable timers.
B: SSL VPN timers prevent SSL VPN users from being logged out because of high network latency.
C: SSL VPN timers disconnect idle SSL VPN users when a firewall policy authentication timeout occurs.
D: SSL VPN timers allow to mitigate DoS attacks from partial HTTP requests.

—

Question 21

Refer to the exhibit.

The exhibit contains a session diagnostic output.
Which statement about the session diagnostic output is true?

A: The session is in CLOSE_WAIT state.
B: The session is in TIME_WAIT state.
C: The session is in LISTEN state.
D: The session is in ESTABLISHED state.

—

Question 22

Refer to the exhibit.

The exhibit shows a raw log and firewall policies.
What information does this raw log provide? (Choose two.)

A: type indicates that a security event was recorded.
B: FortiGate blocked the traffic.
C: 10.0.1.20 is the IP address for lavito.tk.
D: policyid indicates that traffic went through the IPS firewall policy.

—

Question 23

Which two statements about virtual domains (VDOMs) are true? (Choose two.)

A: A FortiGate device has 64 VDOMs, created by default.
B: The root VDOM is the management VDOM, by default.
C: Each VDOM maintains its own system time.
D: Each VDOM maintains its own routing table.

—

Question 24

What criteria does FortiGate use to look for a matching firewall policy to process traffic? (Choose two.)

A: Services defined in the firewall policy.
B: Incoming and outgoing interfaces
C: Highest to lowest priority defined in the firewall policy.
D: Lowest to highest policy ID number.

—

That’s the end of your free questions

You’ve reached the preview limit for NSE4_FGT-6.2

Consider upgrading to gain full access!

Page 1 of 5 • Questions 1-25 of 119

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!