Home » Fortinet Certification Exam » Free Fortinet NSE4_FGT-6.4 Practice Exam questions 2022 Updated With Free NSE4-FGT-6.4 Dumps

Free Fortinet NSE4_FGT-6.4 Practice Exam questions 2022 Updated With Free NSE4-FGT-6.4 Dumps

Are you Looking for Free NSE4-FGT-6.4 Practice Exam Questions, Practice the Below questions which are offered by Certspilot for NSE4 Exam, Download Complete 140 real Exam questions for Fortinet NES4-FGT-6.4 in PDF Dumps formate, Just prepare all questions well and practice on our Practice Exam and pass your NSE4 Exam on the first attempt, Our NSE4-FGT-6.4 Dumps Include real exam questions with verified answers. Learn more about Fortinet Certification here.

Practice on Free NSE4-FGT-6.4 Dumps, Below are Real Exam questions for Fortinet Exam - 2022

1. Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

Set the maximum session TTL value for the TELNET service object.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

Create a new service object for TELNET and set the maximum session TTL.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

2. Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

Fabric Coverage

Automated Response

Security Posture

Optimization

3. What is the primary FortiGate election process when the HA override setting is disabled?

Connected monitored ports > System uptime > Priority > FortiGate Serial number

Connected monitored ports > HA uptime > Priority > FortiGate Serial number

Connected monitored ports > Priority > HA uptime > FortiGate Serial number

Connected monitored ports > Priority > System uptime > FortiGate Serial number

4. Refer to the exhibit.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

Change the SSL VPN port on the client.

Change the Server IP address.

Change the idle-timeout.

Change the SSL VPN portal to the tunnel.

5. Which three statements are true regarding session-based authentication? (Choose three.)

HTTP sessions are treated as a single user.

IP sessions from the same source IP address are treated as a single user.

It can differentiate among multiple clients behind the same source IP address.

It requires more resources.

It is not recommended if multiple users are behind the source NAT

6. Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services. What CLI command must the administrator use to view the route?

get router info routing-table all

get internet service route list

get router info routing-table database

diagnose firewall proute list

7. An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

VLAN interface

Software Switch interface

Aggregate interface

Redundant interface

8. An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.

What must an administrator do to achieve this objective?

The administrator can register the same FortiToken on more than one FortiGate.

The administrator must use a FortiAuthenticator device.

The administrator can use a third-party radius OTP server.

The administrator must use the user self-registration server.

9. Refer to the exhibit.

Why did FortiGate drop the packet?

It matched an explicitly configured firewall policy with the action DENY.

The next-hop IP address is unreachable.

It failed the RPF check.

It matched the default implicit firewall policy.

10. Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

On HQ-FortiGate, set IKE mode to Main (ID protection).

On both FortiGate devices, set Dead Peer Detection to On Demand.

On HQ-FortiGate, disable Diffie-Helman group 2.

On Remote-FortiGate, set port2 as Interface.

11. An organizationâ€™s employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

Change the session-ttl.

Change the login-timeout.

Change the idle-timeout.

Change the udp-idle-timer.

12. Which two statements are true about the RPF check? (Choose two.)

The RPF check is run on the first sent packet of any new session.

The RPF check is run on the first reply packet of any new session.

The RPF check is run on the first sent and reply packet of any new session.

RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.

13. Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

14. A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

The browser requires a software update.

FortiGate does not support full SSL inspection when web filtering is enabled.

The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

There are network connectivity issues.

15. Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

NetAPI polling can increase bandwidth usage in large networks.

The NetSessionEnum function is used to track user logouts.

The collector agent uses a Windows API to query DCs for user logins.

The collector agent must search security event logs.

16. Refer to the exhibit.

The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

If there is a fall-through policy in place, users will not be prompted for authentication.

Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

Authentication is enforced at a policy level; all users will be prompted for authentication.

Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

17. Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

FG-traffic

Mgmt

FG-Mgmt

Root

18. Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

FG-traffic

Mgmt

FG-Mgmt

Root

19. Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

diagnose sys top

execute ping

execute traceroute

diagnose sniffer packet any

get system arp

20. Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

FortiGuard update servers

System time

Operating mode

NGFW mode

21. An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?

Add the support of NTLM authentication

Add user accounts to the FortiGate group filter

Add user accounts to Active Directory (AD)

Add user accounts to the Ignore User List

22. Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the Internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.

Which two statements are true? (Choose two.)

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

A static route is required on the To_Internet VDOM to allow LAN users to access the Internet.

Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

23. Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

To generate logs

To finish any inspection operations

To remove the NAT operation

To allow for out-of-order packets that could arrive after the FIN/ACK packets

24. Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for

Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

Add Facebook in the URL category in the security policy

Force access to Facebook using the HTTP service

Additional application signatures are required to add to the security policy

The SSL inspection needs to be a deep content inspection

25. Which two statements are correct about a software switch on FortiGate? (Choose two.)

It can be configured only when FortiGate is operating in NAT mode

Can act as a Layer 2 switch as well as a Layer 3 router

All interfaces in the software switch share the same IP address

It can group only physical interfaces

26. Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

Enable restrict access to trusted hosts

Change password

Enable two-factor authentication

Change Administrator profile

27. Which two statements are correct about NGFW Policy-based mode? (Choose two.)

NGFW policy-based mode does not require the use of central source NAT policy

NGFW policy-based mode can only be applied globally and not on individual VDOMs

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

NGFW policy-based mode policies support only flow inspection

28. Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

The debug flow is of ICMP traffic

The default route is required to receive a reply

A firewall policy allowed the connection

A new traffic session is created

29. Refer to the exhibit, which contains a radius server configuration.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected

the Include in every user group option.

What will be the impact of using Include in every user group option in a RADIUS configuration?

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.

This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.

This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.

This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

30. Which statement is true about SSL VPN web mode?

The external network application sends data through the VPN

It assigns a virtual IP address to the client

It supports a limited number of protocols

The tunnel is up while the client is connected

31. Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Antivirus engine

Intrusion prevention system engine

Flow engine

Detection engine

32. An administrator has configured the following settings

What are the two results of this configuration? (Choose two.)

Device detection on all interfaces is enforced for 30 minutes

Denied users are blocked for 30 minutes

A session for denied traffic is created

The number of logs generated by denied traffic is reduced

33. Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

Interface name

Ethernet header

IP header

Application header

Packet payload

34. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Static IP Address

Dialup User

Dynamic DNS

Pre-shared Key

35. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Static IP Address

Dialup User

Dynamic DNS

Pre-shared Key

36. Which two statements are true about the Security Fabric rating? (Choose two.)

It provides executive summaries of the four largest areas of security focus

Many of the security issues can be fixed immediately by clicking Apply where available

The Security Fabric rating is a free service that comes bundled with all FortiGate devices

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

37. Refer to the exhibit, which contains a session list output

Based on the information shown in the exhibit, which statement is true?

Port block allocation IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

Overload NAT IP pool is used in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

38. Which two statements are true about the FGCP protocol? (Choose two.)

Is used to discover FortiGate devices in different HA groups

Not used when FortiGate is in Transparent mode

Runs only over the heartbeat links

Elects the primary FortiGate device

39. Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

The session is in ESTABLISHED state

The session is in SYN_SENT state

The session is in FIN_ACK state

The session is in FIN_WAIT state

40. Which statement about the policy ID number of a firewall policy is true?

It represents the number of objects used in the firewall policy

It is required to modify a firewall policy using the CLI

It defines the order in which rules are processed

It changes when firewall policies are reordered

41. An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

Configure Source IP Pools

Configure different SSL VPN realms

Configure host check

Configure split tunneling in tunnel mode

Download full version

Fortinet Dumps, NSE4 Dumps, NSE4 Dumps 2021, NSE4-FGT-6.4 Dumps, NSE4-FGT-6.4 Exam

Related Exams

Are Splunk certifications worth it?

Splunk is a popular software platform used for searching, analyzing, and visualizing machine-generated data. It’s commonly used in fields such as IT, security, and finance to help organizations make data-driven decisions. One way to increase

Latest Microsoft MS-700 Exam Dumps with Free Managing Microsoft Teams Exam preparation questions

Modern Desktop Certification Exam Dumps

About The Author

Certspilot

Certspilot is a platform where you can get to access to free Practice test questions for all IT certification like Microsoft, AWS, CompTIA, Salesforce, Cisco, CISSP and others certifications exam, you can download Updated and Valid Exam Dumps in PDF format and prepare yourself for certification exam in very short time. If you have any other question or need assistance regarding to your certification exam, click on Live Chat Icon and get in touch with our customer support agent, we are available 24/7 for customer support or send email at
[email protected].