Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

NSE4_FGT-7.2Free trial

By fortinet

Verified

25Q per page

Question 1

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A: It limits the scanning of application traffic to the browser-based technology category only.
B: It limits the scanning of application traffic to the DNS protocol only.
C: It limits the scanning of application traffic to use parent signatures only.
D: It limits the scanning of application traffic to the application category only.

—

Question 2

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

A: 192.168.2.0/24
B: 192.168.0.0/8
C: 192.168.1.0/24
D: 192.168.3.0/24

—

Question 3

How can you disable RPF checking?

A: Disable fail-detect on the interface level settings.
B: Disable strict-src-check under system settings.
C: Unset fail-alert-interfaces on the interface level settings.
D: Disable src-check on the interface level settings.

—

Question 4

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.

What must the administrator do to achieve this objective?

A: The administrator must register the same FortiToken on more than one FortiGate device.
B: The administrator must use the user self-registration server.
C: The administrator must use a FortiAuthenticator device.
D: The administrator must use a third-party RADIUS OTP server.

—

Question 5

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the central SNAT policy and IP pool configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.

A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching central SNAT policies will be applied.

Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

A: 10.200.1.99
B: 10.200.1.1
C: 10.200.1.49
D: 10.200.1.149

—

Question 6

Refer to the exhibits.

The exhibits contain a network interface configuration, firewall policies, and a CLI console configuration.

How will the FortiGate device handle user authentication for traffic that arrives on the LAN interface?

A: All users will be prompted for authentication; users from the HR group can authenticate successfully with the correct credentials.
B: If there is a fall-through policy in place, users will not be prompted for authentication.
C: All users will be prompted for authentication; users from the sales group can authenticate successfully with the correct credentials.
D: Authentication is enforced only at a policy level; all users will be prompted for authentication.

—

Question 7

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.

What should the administrator do next, to troubleshoot the problem?

A: Execute a debug flow.
B: Capture the traffic using an external sniffer connected to port1.
C: Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".
D: Run a sniffer on the web server.

—

Question 8

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A: The client FortiGate requires a manually added route to remote subnets.
B: The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C: The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D: The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

—

Question 9

Which statement correctly describes the use of reliable logging on FortiGate?

A: Reliable logging is enabled by default in all configuration scenarios.
B: Reliable logging is required to encrypt the transmission of logs.
C: Reliable logging can be configured only using the CLI.
D: Reliable logging prevents the loss of logs when the local disk is full.

—

Question 10

Refer to the exhibits.
The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP pool.
The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

A: 10.200.1.1
B: 10.0.1.254
C: 10.200.1.10
D: 10.200.1.100

—

Question 11

Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

A: Configure a loopback interface with address 203.0.113.2/32.
B: In the VIP configuration, enable arp-reply.
C: Enable port forwarding on the server to map the external service port to the internal service port.
D: In the firewall policy configuration, enable match-vip.

—

Question 12

Which two statements are true about the FGCP protocol? (Choose two.)

A: FGCP elects the primary FortiGate device.
B: FGCP is not used when FortiGate is in transparent mode.
C: FGCP runs only over the heartbeat links.
D: FGCP is used to discover FortiGate devices in different HA groups.

—

Question 13

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

A: Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B: Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
C: Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
D: Enable Dead Peer Detection.

—

Question 14

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A: FortiGate uses fewer resources.
B: FortiGate performs a more exhaustive inspection on traffic.
C: FortiGate adds less latency to traffic.
D: FortiGate allocates two sessions per connection.

—

Question 15

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A: www.example.com
B: www.example.com/index.html
C: www.example.com:443
D: example.com

—

Question 16

Refer to exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

A: On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.
B: On the Static URL Filter configuration, set Type to Simple.
C: On the Static URL Filter configuration, set Action to Exempt.
D: On the Static URL Filter configuration, set Action to Monitor.

—

Question 17

Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

A: Policy with ID 4.
B: Policy with ID 5.
C: Policies with ID 2 and 3.
D: Policy with ID 4.

—

Question 18

Which three statements explain a flow-based antivirus profile? (Choose three.)

A: Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
B: If a virus is detected, the last packet is delivered to the client.
C: The IPS engine handles the process as a standalone.
D: FortiGate buffers the whole file but transmits to the client at the same time.
E: Flow-based inspection optimizes performance compared to proxy-based inspection.

—

Question 19

Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A: Services defined in the firewall policy
B: Highest to lowest priority defined in the firewall policy
C: Destination defined as Internet Services in the firewall policy
D: Lowest to highest policy ID number
E: Source defined as Internet Services in the firewall policy

—

Question 20

What are two functions of ZTNA? (Choose two.)

A: ZTNA manages access through the client only.
B: ZTNA manages access for remote users only.
C: ZTNA provides a security posture check.
D: ZTNA provides role-based access.

—

Question 21

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

A: Pre-shared key
B: Dialup user
C: Dynamic DNS
D: Static IP address

—

That’s the end of your free questions

You’ve reached the preview limit for NSE4_FGT-7.2

Consider upgrading to gain full access!

Page 1 of 5 • Questions 1-25 of 104

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!