Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

NSE4_FGT-7.0 by Fortinet - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not.
Which two configuration changes are the most effective way to support this requirement? (Choose two.)

A Implement web filter quotas for the specified website.
B Implement a firewall policy with authentication for the specified users.
C Implement a DNS filter for the specified website.
D Implement web category authentication for the specified website using a web filter profile.

Question 4

Refer to the exhibit to view the firewall policy.

Question 5

You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk.
What is the default behavior when the local disk is full?

A No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.
B Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
C No new log is recorded until you manually clear logs from the local disk.
D Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.

Question 6

An administrator has a requirement to keep an application session from timing out on port 80.
What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)

A Set the TTL value to never under config system-ttl.
B Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
C Create a new service object for HTTP service and set the session TTL to never.
D Set the session TTL on the HTTP policy to maximum.

Question 7

Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?

A Denial of Service
B Web application firewall
C Antivirus
D Application control

Question 8

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

A Certificate inspection
B Flow-based inspection
C Proxy-based inspection
D Full Content inspection

Question 9

Refer to the exhibit.

Question 10

An administrator has configured outgoing interface any in a firewall policy.
Which statement is true about the policy list view?

A Interface Pair view will be disabled.
B Search option will be disabled.
C Policy lookup will be disabled.
D By Sequence view will be disabled.

Question 11

Refer to the exhibit.

Question 12

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up
✑ The secondary tunnel must be used only if the primary tunnel goes down
In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed in FortiGate to meet the design requirements? (Choose two.)

A Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B Enable Dead Peer Detection.
C Enable Auto-negotiate and Auto Keep Alive on the phase 2 configuration of both tunnels.
D Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Question 13

Refer to the exhibit.

Question 14

Refer to the exhibits.
Exhibit A shows system performance output.

Question 15

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address.
For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

A 192.168.3.0/24
B 192.168.1.0/24
C 192.168.0.0/8
D 192.168.2.0/24

Question 16

Refer to the exhibits.
Exhibit A.

Question 17

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

A The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B The client FortiGate requires a manually added route to remote subnets.
C The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Question 18

Refer to the exhibit.

Question 19

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating override for the home page? (Choose two.)

A www.exaple.com
B www.example.com/index.html
C example.com
D www.example.com:443

Question 20

Refer to the exhibits.
Exhibit A.

Question 21

Refer to the exhibit, which contains a session list output.

Question 22

Which two statements are correct about SLA targets? (Choose two.)

A You can configure only two SLA targets per one Performance SLA.
B SLA targets are optional.
C SLA targets are required for SD-WAN rules with a Best Quality strategy.
D SLA targets are used only when referenced by an SD-WAN rule.

That's the end of the Preview

Create a free account to unlock all questions for this exam.

Log In / Sign Up

Page 1 of 5 • Questions 1-25 of 106

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)

A FortiGate uses the AD server as the collector agent.
B FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
C FortiGate does not support workstation check.
D FortiGate directs the collector agent to use a remote LDAP server.

Which two statements are true about the Security Fabric rating? (Choose two.)

A The Security Fabric rating is a free service that comes bundled with all FortiGate devices.
B Many of the security issues can be fixed immediately by clicking Apply where available.
C The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
D It provides executive summaries of the four largest areas of security focus.

Which statement is correct if well-known viruses are not being blocked?

A The firewall policy must be configured in proxy-based inspection mode.
B The firewall policy does not apply deep content inspection.
C The action on the firewall policy must be set to deny.
D Web filter should be enabled on the firewall policy to complement the antivirus profile.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on
FortiGate?

A Read/Write permission for Firewall
B CLI diagnostics commands permission
C Custom permission for Network
D Read/Write permission for Log & Report

Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

A Traffic between port2 and port2-vlan1 is allowed by default.
B port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
C port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
D port1 is a native VLAN.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
The override setting is enable for the FortiGate with SN FGVM010000064692.
Which two statements are true? (Choose two.)

A FortiGate SN FGVM010000065036 HA uptime has been reset.
B FortiGate devices are not in sync because one device is down.
C FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
D FortiGate SN FGVM010000064692 has the higher HA priority.

Exhibit B shows s FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two statements are correct? (Choose two.)

A FortiGate will start sending all files to FortiSandbox for inspection.
B FortiGate has entered conserve mode.
C Administrators cannot change the configuration.
D Administrators can access FortiGate only through the console port.

Exhibit B.

The SSL VPN connection fails when a user attempts to connect to it.
What should the user do to successfully connect to SSL VPN?

A Change the SSL VPN port on the client.
B Change the Server IP address.
C Change the idle-timeout.
D Change the SSL VPN portal to the tunnel.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.
With this configuration, which statement is true?

A Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
B A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.
C Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
D Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Exhibit B.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

A Change the csf setting on Local-FortiGate (root) to set configuration-sync local.
B Change the csf setting on ISFW (downstream) to set configuration-sync local.
C Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
D Change the csf setting on ISFW (downstream) to set fabric-object-unification default.

Based on the information shown in the exhibit, which statement is true?

A One-to-one NAT IP pool is used in the firewall policy.
B Destination NAT is disabled in the firewall policy.
C Port block allocation IP pool is used in the firewall policy.
D Overload NAT IP pool is used in the firewall policy.

NSE4_FGT-7.0Preview

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

That's the end of the Preview