Fortinet NSE4_FGT-7.2 Exam Practice Questions (P. 1)
Question #1
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to the browser-based technology category only. (Most Voted)
- B. It limits the scanning of application traffic to the DNS protocol only.
- C. It limits the scanning of application traffic to use parent signatures only.
- D. It limits the scanning of application traffic to the application category only.
Correct Answer:
A

When a URL list and application control are configured on the same firewall policy in NGFW policy-based mode, application scanning is restricted to the browser-based technology category only. In practice this means that only web applications (for example, those reached through a browser, such as Facebook) are inspected under that policy. Adding a URL filter therefore narrows application control to how applications behave inside a web browser, which is important to remember when designing policies that are meant to monitor applications broadly across platforms.
Question #2
Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.


Which policy will be highlighted, based on the input criteria?
- A. Policy with ID 4.
- B. Policy with ID 5. (Most Voted)
- C. Policies with ID 2 and 3.
- D. Policy with ID 4.
Correct Answer:
A
Question #3
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
- A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
- B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs. (Most Voted)
- C. The two VLAN subinterfaces must have different VLAN IDs. (Most Voted)
- D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
Correct Answer:
C, D

In FortiGate configurations, VLAN IDs must be unique across subinterfaces on the same physical interface; the system rejects an attempt to reuse one with an error message. When two VLAN subinterfaces are added to the same physical interface in NAT mode, each must therefore have a distinct VLAN ID. Assigning the same VLAN ID to different subinterfaces, even in different subnets, would require changing the VLAN protocol (for example, from 802.1Q to 802.1AD), which shows how central the VLAN ID requirement is to proper network segmentation and traffic management.
Question #4
An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?
- A. Strict RPF allows packets back to sources with all active routes.
- B. Strict RPF checks the best route back to the source using the incoming interface. (Most Voted)
- C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
- D. Strict RPF check is run on the first sent and reply packet of any new session.
Correct Answer:
C

Strict RPF requires that the incoming packet's source address match the best route in the routing table through the interface on which the packet arrived. The idea that the check merely verifies that some active route back to the source exists is incorrect; the matched route must be the best (most specific or preferred) one available. If a better route to the source exists through another interface, the strict RPF check fails, which prevents spoofed or misrouted traffic from being accepted and helps avoid routing loops.
Question #5
An administrator has configured the following settings:
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)
- A. Device detection on all interfaces is enforced for 30 minutes.
- B. Denied users are blocked for 30 minutes.
- C. The number of logs generated by denied traffic is reduced. (Most Voted)
- D. A session for denied traffic is created. (Most Voted)
Correct Answer:
A, B

This configuration controls how long sessions for blocked or denied traffic are kept on the system. Enabling `ses-denied-traffic` makes FortiGate create a session table entry for traffic denied by a security policy, which reduces CPU load by avoiding repeated policy lookups for the same denied flow. Setting `block-session-timer` to 30 seconds keeps those denied sessions in the session table for that period, which also reduces log clutter, since the denied traffic is not re-evaluated and re-logged for every packet, and improves overall system performance. The configuration does not enforce device detection, nor does it apply any setting to all interfaces for a fixed duration; it only optimizes how denied traffic is handled and logged.