Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

NSE4_FGT-6.4 by Fortinet - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

A Disabled
B On Demand
C Enabled
D On Idle

Question 4

Refer to the exhibit.

Question 5

In an explicit proxy setup, where is the authentication method and database configured?

A Proxy Policy
B Authentication Rule
C Firewall Policy
D Authentication scheme

Question 6

Refer to the exhibit.

Question 7

Which three statements about a flow-based antivirus profile are correct? (Choose three.)

A Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection
B Optimized performance compared to proxy-based inspection
C FortiGate buffers the whole file but transmits for the client simultaneously
D If the virus is detected, the last packet is delivered to the client
E IPS engine handles the process as a standalone

Question 8

Refer to the exhibit.

Question 9

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

A udp-echo
B DNS
C TWAMP
D ping

Question 10

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A Proxy-based inspection
B Certificate inspection
C Flow-based inspection
D Full Content inspection

Question 11

Refer to the exhibit to view the authentication rule configuration.

Question 12

Refer to the exhibit to view the application control profile.

Question 13

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A Web filter in flow-based inspection
B Antivirus in flow-based inspection
C DNS filter
D Web application firewall
E Application control

Question 14

Refer to the exhibit -

Question 15

Refer to the exhibit -

Question 16

Which two statements are true about collector agent advanced mode? (Choose two.)

A Advanced mode supports nested or inherited groups.
B Advanced mode uses Windows convention-NetBios: Domain\Username.
C FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
D Security profiles can be applied only to user groups, nor individual users.

Question 17

IPS Engine is used by which three security features? (Choose three.)

A Application control
B Antivirus in flow-based inspection
C Web filter in flow-based inspection
D DNS filter
E Web application firewall

Question 18

If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy?

A User or User Group
B IP address
C No other object can be added
D FQDN address

Question 19

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A It limits the scanning of application traffic to the DNS protocol only.
B It limits the scanning of application traffic to use parent signatures only.
C It limits the scanning of application traffic to the browser-based technology category only.
D It limits the scanning of application traffic to the application category only.

Question 20

An administrator has a requirement to keep an application session from timing out on port 80.
What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

A Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
B Set the session TTL on the HTTP policy to maximum.
C Create a new service object for HTTP service and set the session TTL to never.
D Set the TTL value to never under config system-ttl.

Question 21

Which feature in the Security Fabric takes one or more actions based on event triggers?

A Security Rating
B Fabric Connectors
C Automation Stitches
D Logical Topology

Question 22

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not.
Which configuration option is the most effective way to support this request?

A Implement web filter authentication for the specified website.
B Implement a web filter category override for the specified website.
C Implement a DNS filter for the specified website.
D Implement web filter quotas for the specified website.

Question 23

In which two ways can RPF checking be disabled? (Choose two.)

A Enable anti-replay in firewall policy.
B Enable asymmetric routing.
C Disable strict-src-check under system settings.
D Disable the RPF check at the FortiGate interface level for the source check.

Question 24

Refer to the exhibit.

That's the end of the Preview

Create a free account to unlock all questions for this exam.

Log In / Sign Up

Page 1 of 5 • Questions 1-25 of 119

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Which two statements are true when FortiGate is in transparent mode? (Choose two.)

A By default, all interfaces are part of the same broadcast domain.
B The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.
C Static routes are required to allow traffic to the next hop.
D FortiGate forwards frames without changing the MAC address.

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A FortiGate automatically negotiates different local and remote addresses with the remote peer.
B FortiGate automatically negotiates a new security association after the existing security association expires.
C FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
D FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on
FortiGate?

A Read/Write permission for Firewall
B Custom permission for Network
C Read/Write permission for Log & Report
D CLI diagnostics commands permission

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A The port3 default route has the lowest metric
B The port3 default route has the highest distance
C The port1 and port2 default routes are active in the routing table
D There will be eight routes active in the routing table

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

A Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
B Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
C Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
D Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1.

In this scenario, which statement is true?

A Session-based authentication is enabled
B Policy-based authentication is enabled
C IP-based authentication is enabled
D Route-based authentication is enabled

Based on the configuration, what will happen to Apple FaceTime?

A Apple FaceTime will be allowed, based on the Apple filter configuration.
B Apple FaceTime will be allowed, based on the Categories configuration.
C Apple FaceTime will be allowed, based on the Excessive-Bandwidth filter configuration.
D Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

A Run a sniffer on the web server.
B Capture the traffic using an external sniffer connected to port1.
C Execute another sniffer in the FortiGate, this time with the filter ג€host 10.0.1.10ג€
D Execute a debug flow.

The exhibit shows a FortiGate configuration.
How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires authorization?

A It authenticates the traffic using the authentication scheme SCHEME2.
B It drops the traffic.
C It authenticates the traffic using the authentication scheme SCHEME1.
D It always authorizes the traffic without requiring authentication.

Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

A There are five devices that are part of the security fabric.
B Device detection is disabled on all FortiGate devices.
C This security fabric topology is a logical topology view.
D There are 19 security recommendations for the security fabric.

NSE4_FGT-6.4Preview

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

That's the end of the Preview