Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

NSE4_FGT-6.4Free trial

By fortinet

Verified

25Q per page

Question 1

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

A: By default, all interfaces are part of the same broadcast domain.
B: The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.
C: Static routes are required to allow traffic to the next hop.
D: FortiGate forwards frames without changing the MAC address.

—

Question 2

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A: FortiGate automatically negotiates different local and remote addresses with the remote peer.
B: FortiGate automatically negotiates a new security association after the existing security association expires.
C: FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
D: FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

—

Question 3

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

A: Disabled
B: On Demand
C: Enabled
D: On Idle

—

Question 4

Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on
FortiGate?

A: Read/Write permission for Firewall
B: Custom permission for Network
C: Read/Write permission for Log & Report
D: CLI diagnostics commands permission

—

Question 5

In an explicit proxy setup, where is the authentication method and database configured?

A: Proxy Policy
B: Authentication Rule
C: Firewall Policy
D: Authentication scheme

—

Question 6

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A: The port3 default route has the lowest metric
B: The port3 default route has the highest distance
C: The port1 and port2 default routes are active in the routing table
D: There will be eight routes active in the routing table

—

Question 7

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

A: Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection
B: Optimized performance compared to proxy-based inspection
C: FortiGate buffers the whole file but transmits for the client simultaneously
D: If the virus is detected, the last packet is delivered to the client
E: IPS engine handles the process as a standalone

—

Question 8

Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

A: Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
B: Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
C: Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
D: Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1.

—

Question 9

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

A: udp-echo
B: DNS
C: TWAMP
D: ping

—

Question 10

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A: Proxy-based inspection
B: Certificate inspection
C: Flow-based inspection
D: Full Content inspection

—

Question 11

Refer to the exhibit to view the authentication rule configuration.

In this scenario, which statement is true?

A: Session-based authentication is enabled
B: Policy-based authentication is enabled
C: IP-based authentication is enabled
D: Route-based authentication is enabled

—

Question 12

Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

A: Apple FaceTime will be allowed, based on the Apple filter configuration.
B: Apple FaceTime will be allowed, based on the Categories configuration.
C: Apple FaceTime will be allowed, based on the Excessive-Bandwidth filter configuration.
D: Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn.

—

Question 13

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A: Web filter in flow-based inspection
B: Antivirus in flow-based inspection
C: DNS filter
D: Web application firewall
E: Application control

—

Question 14

Refer to the exhibit -

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

A: Run a sniffer on the web server.
B: Capture the traffic using an external sniffer connected to port1.
C: Execute another sniffer in the FortiGate, this time with the filter ג€host 10.0.1.10ג€
D: Execute a debug flow.

—

Question 15

Refer to the exhibit -

The exhibit shows a FortiGate configuration.
How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires authorization?

A: It authenticates the traffic using the authentication scheme SCHEME2.
B: It drops the traffic.
C: It authenticates the traffic using the authentication scheme SCHEME1.
D: It always authorizes the traffic without requiring authentication.

—

Question 16

Which two statements are true about collector agent advanced mode? (Choose two.)

A: Advanced mode supports nested or inherited groups.
B: Advanced mode uses Windows convention-NetBios: Domain\Username.
C: FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
D: Security profiles can be applied only to user groups, nor individual users.

—

Question 17

IPS Engine is used by which three security features? (Choose three.)

A: Application control
B: Antivirus in flow-based inspection
C: Web filter in flow-based inspection
D: DNS filter
E: Web application firewall

—

Question 18

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

A: User or User Group
B: IP address
C: No other object can be added
D: FQDN address

—

Question 19

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A: It limits the scanning of application traffic to the DNS protocol only.
B: It limits the scanning of application traffic to use parent signatures only.
C: It limits the scanning of application traffic to the browser-based technology category only.
D: It limits the scanning of application traffic to the application category only.

—

Question 20

An administrator has a requirement to keep an application session from timing out on port 80.
What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

A: Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
B: Set the session TTL on the HTTP policy to maximum.
C: Create a new service object for HTTP service and set the session TTL to never.
D: Set the TTL value to never under config system-ttl.

—

Question 21

Which feature in the Security Fabric takes one or more actions based on event triggers?

A: Security Rating
B: Fabric Connectors
C: Automation Stitches
D: Logical Topology

—

Question 22

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not.
Which configuration option is the most effective way to support this request?

A: Implement web filter authentication for the specified website.
B: Implement a web filter category override for the specified website.
C: Implement a DNS filter for the specified website.
D: Implement web filter quotas for the specified website.

—

Question 23

In which two ways can RPF checking be disabled? (Choose two.)

A: Enable anti-replay in firewall policy.
B: Enable asymmetric routing.
C: Disable strict-src-check under system settings.
D: Disable the RPF check at the FortiGate interface level for the source check.

—

Question 24

Refer to the exhibit.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

A: There are five devices that are part of the security fabric.
B: Device detection is disabled on all FortiGate devices.
C: This security fabric topology is a logical topology view.
D: There are 19 security recommendations for the security fabric.

—

That’s the end of your free questions

You’ve reached the preview limit for NSE4_FGT-6.4

Consider upgrading to gain full access!

Page 1 of 5 • Questions 1-25 of 119

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!