How to pass Jun 14,2022 Newest NSE4_FGT-6.4 QAs exam easily with less time? We provides the most valid NSE4_FGT-6.4 exam questions to boost your success rate in NSE4 Latest NSE4_FGT-6.4 practice Fortinet NSE 4 – FortiOS 6.4 exam. If you are one of the successful candidates with We NSE4_FGT-6.4 new questions, do not hesitate to share your reviews on our NSE4 materials.
We Geekcert has our own expert team. They selected and published the latest NSE4_FGT-6.4 preparation materials from Official Exam-Center.
The following are the NSE4_FGT-6.4 free dumps. Go through and check the validity and accuracy of our NSE4_FGT-6.4 dumps.NSE4_FGT-6.4 free dumps are questions from the latest full NSE4_FGT-6.4 dumps. Check NSE4_FGT-6.4 free questions to get a better understanding of NSE4_FGT-6.4 exams.
Question 1:
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. The IPS engine was inspecting high volume of traffic.
B. The IPS engine was unable to prevent an intrusion attack.
C. The IPS engine was blocking all traffic.
D. The IPS engine will continue to run in a normal state.
Correct Answer: A
Question 2:
Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)
A. Lookup is done on the first packet from the session originator
B. Lookup is done on the last packet sent from the responder
C. Lookup is done on every packet, regardless of direction
D. Lookup is done on the trust reply packet from the responder
Correct Answer: AD
Question 3:
Which of the following statements about central NAT are true? (Choose two.)
A. IP tool references must be removed from existing firewall policies before enabling central NAT.
B. Central NAT can be enabled or disabled from the CLI only.
C. Source NAT, using central NAT, requires at least one central SNAT policy.
D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
Correct Answer: AB
Question 4:
Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?
A. Fabric Coverage
B. Automated Response
C. Security Posture
D. Optimization
Correct Answer: C
Reference: https://www.fortinet.com/content/dam/fortinet/assets/support/fortinet-recommended-securitybestpractices.pdf
Question 5:
Refer to the exhibit.
The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?
A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
C. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
Correct Answer: D
Question 6:
Refer to the exhibit.
Which contains a session diagnostic output. Which statement is true about the session diagnostic output?
A. The session is in SYN_SENT state.
B. The session is in FIN_ACK state.
C. The session is in FTN_WAIT state.
D. The session is in ESTABLISHED state.
Correct Answer: A
Indicates TCP (proto=6) session in SYN_SENT state (proto=state=2) https://kb.fortinet.com/kb/ viewContent.do?externalId=FD30042
Question 7:
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
A. Subject Key Identifier value
B. SMMIE Capabilities value
C. Subject value
D. Subject Alternative Name value
Correct Answer: A
Question 8:
Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
A. Browsers can be configured to retrieve this PAC file from the FortiGate.
B. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
C. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
D. Any web request fortinet.com is allowed to bypass the proxy.
Correct Answer: AD
Question 9:
Refer to the exhibit to view the firewall policy.
Which statement is correct if well-known viruses are not being blocked?
A. The firewall policy does not apply deep content inspection.
B. The firewall policy must be configured in proxy-based inspection mode.
C. The action on the firewall policy must be set to deny.
D. Web filter should be enabled on the firewall policy to complement the antivirus profile.
Correct Answer: A
Question 10:
Refer to the exhibit.
According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?
A. A user
B. A root CA
C. A bridge CA
D. A subordinate
Correct Answer: A
Question 11:
In an explicit proxy setup, where is the authentication method and database configured?
A. Proxy Policy
B. Authentication Rule
C. Firewall Policy
D. Authentication scheme
Correct Answer: D
Question 12:
Refer to the exhibit.
Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)
A. There are five devices that are part of the security fabric.
B. Device detection is disabled on all FortiGate devices.
C. This security fabric topology is a logical topology view.
D. There are 19 security recommendations for the security fabric.
Correct Answer: CD
Question 13:
Refer to the exhibit.
The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP
address of Remote-FortiGate (10.200.3.1)?
A. 10.200.1.149
B. 10.200.1.1
C. 10.200.1.49
D. 10.200.1.99
Correct Answer: D
Question 14:
Refer to the exhibit.
The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
B. The sensor will block all attacks aimed at Windows servers.
C. The sensor will reset all connections that match these signatures.
D. The sensor will gather a packet log for all matched traffic.
Correct Answer: AB
Question 15:
Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?
A. The SSL inspection needs to be a deep content inspection.
B. Force access to Facebook using the HTTP service.
C. Additional application signatures are required to add to the security policy.
D. Add Facebook in the URL category in the security policy.
Correct Answer: A
