Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

NSE4_FGT-6.0 by Fortinet - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

When using WPAD DNS method, which FQDN format do browsers use to query the DNS server?

A srv_proxy.<local-domain>/wpad.dat
B srv_tcp.wpad.<local-domain>
C wpad.<local-domain>
D proxy.<local-domain>.wpad

Question 4

Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

Question 5

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

A Traffic to botnetservers
B Traffic to inappropriate web sites
C Server information disclosure attacks
D Credit card data leaks
E SQL injection attacks

Question 6

Which statement about DLP on FortiGate is true?

A It can archive files and messages.
B It can be applied to a firewall policy in a flow-based VDOM
C Traffic shaping can be applied to DLP sensors.
D Files can be sent to FortiSandbox for detecting DLP threats.

Question 7

Examine this PAC file configuration.

Question 8

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

A The firmware image must be manually uploaded to each FortiGate.
B Only secondary FortiGate devices are rebooted.
C Uninterruptable upgrade is enabled by default.
D Traffic load balancing is temporally disabled while upgrading the firmware.

Question 9

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

A It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B ADVPN is only supported with IKEv2.
C Tunnels are negotiated dynamically between spokes.
D Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question 10

An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark Port Forward. What step is required for this configuration?

A Configure an SSL VPN realm for clients to use the port forward bookmark.
B Configure the client application to forward IP traffic through FortiClient.
C Configure the virtual IP address to be assigned t the SSL VPN users.
D Configure the client application to forward IP traffic to a Java applet proxy.

Question 11

What FortiGate configuration is required to actively prompt users for credentials?

A You must enable one or more protocols that support active authentication on a firewall policy.
B You must position the firewall policy for active authentication before a firewall policy for passive authentication
C You must assign users to a group for active authentication
D You must enable the Authentication setting on the firewall policy

Question 12

Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.)

A This is known as many-to-one NAT.
B Source IP is translated to the outgoing interface IP.
C Connections are tracked using source port and source MAC address.
D Port address translation is not used.

Question 13

Which statement is true regarding the policy ID number of a firewall policy?

A Defines the order in which rules are processed.
B Represents the number of objects used in the firewall policy.
C Required to modify a firewall policy using the CLI.
D Changes when firewall policies are reordered.

Question 14

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A It limits the scope of application control to the browser-based technology category only.
B It limits the scope of application control to scan application traffic based on application category only.
C It limits the scope of application control to scan application traffic using parent signatures only
D It limits the scope of application control to scan application traffic on DNS protocol only.

Question 15

The FSSO Collector Agent set to advanced access mode for the Windows Active Directory uses which of the following?

A LDAP convention
B NTLM convention
C Windows convention "" NetBios\Username
D RSSO convention

Question 16

Examine the following web filtering log.

Question 17

Which of the following SD-WAN load ""balancing method use interface weight value to distribute traffic? (Choose two.)

A Source IP
B Spillover
C Volume
D Session

Question 18

Which is a requirement for creating an inter-VDOM link between two VDOMs?

A The inspection mode of at least one VDOM must be proxy-based.
B At least one of the VDOMs must operate in NAT mode.
C The inspection mode of both VDOMs must match.
D Both VDOMs must operate in NAT mode.

Question 19

Which statement regarding the firewall policy authentication timeout is true?

A It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
B It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
C It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
D It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

Question 20

How do you format the FortiGate flash disk?

A Load a debug FortiOS image.
B Load the hardware test (HQIP) image.
C Execute the CLI command execute formatlogdisk.
D Select the format boot device option from the BIOS menu.

Question 21

Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

A Warning
B Exempt
C Allow
D Learn

Question 22

Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.

Question 23

NGFW mode allows policy-based configured for most inspection rules. Which security profile's configuration does not change when you enable policy-based inspection?

A Antivirus
B Web proxy
C Web filtering
D Application control

Question 24

An administrator wants to block HTTP uploads. Examine the exhibit, which contains the proxy address created for that purpose.

Question 25

Which statement about the IP authentication header (AH) used by IPsec is true?

A AH does not provide any data integrity or encryption.
B AH does not support perfect forward secrecy.
C AH provides data integrity bur no encryption.
D AH provides strong data integrity but weak encryption.

Page 1 of 6 • Questions 1-25 of 127

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

What files are sent to FortiSandbox for inspection in flow-based inspection mode?

A All suspicious files that do not have their hash value in the FortiGuard antivirus signature database.
B All suspicious files that are above the defined oversize limit value in the protocol options.
C All suspicious files that match patterns defined in the antivirus profile.
D All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile.

View the exhibit.

Based on this output, which statements are correct? (Choose two.)

A The all VDOM is not synchronized between the primary and secondary FortiGate devices.
B The root VDOM is not synchronized between the primary and secondary FortiGate devices.
C The global configuration is synchronized between the primary and secondary FortiGate devices.
D The FortiGate devices have three VDOMs.

An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

A The IPS filter is missing the Protocol: HTTPS option.
B The HTTPS signatures have not been added to the sensor.
C A DoS policy should be used, instead of an IPS sensor.
D A DoS policy should be used, instead of an IPS sensor.
E The firewall policy is not using a full SSL inspection profile.

Which of the following statements are true? (Choose two.)

A Browsers can be configured to retrieve this PAC file from the FortiGate.
B Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
C All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
D Any web request fortinet.com is allowed to bypass the proxy.

Which statement about the log message is true?

A The action for the category Games is set to block.
B The usage quota for the IP address 10.0.1.10 has expired
C The name of the applied web filter profile is default.
D The web site miniclip.com matches a static URL filter whose action is set to Warning.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

A SMTP.Login.Brute.Force
B IMAP.Login.brute.Force
C ip_src_session
D Location: server Protocol: SMTP

Where must the proxy address be used?

A As the source in a firewall policy.
B As the source in a proxy policy.
C As the destination in a firewall policy.
D As the destination in a proxy policy.

NSE4_FGT-6.0Preview