Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

NSE4-FGT-7-2 by Fortinet - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Refer to the exhibits.

Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

Question Image

A Apple FaceTime will be allowed, based on the Categories configuration.
B Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
C Apple FaceTime will be allowed, based on the Apple filter configuration.
D Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

Question 4

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

Which CLI command must the administrator use to view the route?

Question Image

A get router info routing-table database
B diagnose firewall route list
C get internet-service route list
D get router info routing-table all

Question 5

Refer to the exhibit.
The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

Question Image

A The sensor will gather a packet log for all matched traffic.
B The sensor will reset all connections that match these signatures.
C The sensor will block all attacks aimed at Windows servers.
D The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

Question 6

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A The collector agent must search Windows application event logs.
B The NetSessionEnum function is used to track user logouts.
C NetAPI polling can increase bandwidth usage in large networks.
D The collector agent uses a Windows API to query DCs for user logins.

Question 7

Refer to the exhibits.
The exhibits show a network diagram and firewall configurations.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Question Image

A Disable match-vip in the Deny policy.
B Set the Destination address as Webserver in the Deny policy.
C Enable match-vip in the Deny policy.
D Set the Destination address as Deny_IP in the Allow_access policy.

Question 8

Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Question Image

A For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
B The traffic sourced from the client and destined to the server is sent to FGT-1.
C The cluster can load balance ICMP connections to the secondary.
D For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Question 9

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)

A The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
B The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C The two VLAN subinterfaces must have different VLAN IDs.
D The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

Question 10

Which statement correctly describes the use of reliable logging on FortiGate?

A Reliable logging is enabled by default in all configuration scenarios.
B Reliable logging is required to encrypt the transmission of logs.
C Reliable logging can be configured only using the CLI.
D Reliable logging prevents the loss of logs when the local disk is full.

Question 11

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A The client FortiGate requires a manually added route to remote subnets.
B The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

Question 12

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

A 192.168.2.0/24
B 192.168.0.0/8
C 192.168.1.0/24
D 192.168.3.0/24

Question 13

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

Question Image

A The debug flow is for ICMP traffic.
B The default route is required to receive a reply.
C Anew traffic session was created.
D A firewall policy allowed the connection.

Question 14

FortiGate is integrated with FortiAnalyzer and FortiManager.

When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

A Policy ID
B Log ID
C Sequence ID
D Universally Unique Identifier

Question 15

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.

Which order must FortiGate use when the web filter profile has features such as safe search enabled?

A DNS-based web filter and proxy-based web filter
B Static URL filter, FortiGuard category filter, and advanced filters
C FortiGuard category filter and rating filter
D Static domain filter, SSL inspection filter, and external connectors filters

Question 16

What are two features of FortiGate FSSO agentless polling mode? (Choose two.)

A FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
B FortiGate uses the AD server as the collector agent.
C FortiGate directs the collector agent to use a remote LDAP server.
D FortiGate does not support workstation check.

Question 17

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.

Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)

Question Image

A In the IP pool configuration, set type to overload.
B Configure 192.2.0.12/24 as the secondary IP address on port1.
C In the firewall policy configuration, disable ippool.
D In the IP pool configuration, set endip to 192.2.0.12.
E Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.

Question 18

Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

Question Image

A FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
B FortiGate allocates port blocks on a first-come, first-served basis.
C FortiGate generates a system event log for every port block allocation made per user.
D FortiGate allocates 128 port blocks per user.

Question 19

Refer to the exhibit.
The exhibit shows the output of a diagnose command.

What does the output reveal about the policy route?

Question Image

A It is an ISDB route in policy route.
B It is a regular policy route.
C It is an ISDB policy route with an SDWAN rule.
D It is an SDWAN rule in policy route.

Question 20

Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook, but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Question Image

A Force access to Facebook using the HTTP service.
B Make the SSL inspection a deep content inspection.
C Add Facebook in the URL category in the security policy.
D Get the additional application signatures required to add to the security policy.

Question 21

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

A Virtual IP addresses are used to distinguish between cluster members.
B Heartbeat interfaces have virtual IP addresses that are manually assigned.
C The primary device in the cluster is always assigned IP address 169.254.0.1.
D A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

That's the end of the Preview

Create a free account to unlock all questions for this exam.

Log In / Sign Up

Page 1 of 5 • Questions 1-25 of 101

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A It limits the scanning of application traffic to the browser-based technology category only.
B It limits the scanning of application traffic to the DNS protocol only.
C It limits the scanning of application traffic to use parent signatures only.
D It limits the scanning of application traffic to the application category only.

Refer to the exhibits.
The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP pool.
The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

Question Image

A 10.200.1.1
B 10.0.1.254
C 10.200.1.10
D 10.200.1.100

NSE4-FGT-7-2Preview

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

That's the end of the Preview