Get it! Pass your NSE4_FGT-7.2 exam with the latest valid 2024 practice questions (183 questions, updated today) [Q25-Q45]


Use the premium set of Fortinet NSE 4 NSE4_FGT-7.2 exam practice test questions and answers!

Question # 25
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

  • A. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
  • B. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  • C. The client FortiGate requires a manually added route to remote subnets.
  • D. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

Correct answer: A, B

Explanation:
https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/508779/fortigate-as-ssl-vpn-client


Question # 26
Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

  • A. Packet payload
  • B. Ethernet header
  • C. Interface name
  • D. IP header
  • E. Application header

Correct answer: A, C, D

Explanation:
Reference:
Study Guide - Routing - Diagnostics - Packet Capture Verbosity Level.
# diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <timestamp> <frame size>
In the example, verbosity is 5.
The verbosity level specifies how much information you want to display:
1 (default): IP headers.
2: IP headers, packet payload.
3: IP headers, packet payload, Ethernet headers.
4: IP headers, interface name.
5: IP headers, packet payload, interface name.
6: IP headers, packet payload, Ethernet headers, interface name.


Question # 27
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Dynamic DNS
  • B. Pre-shared Key
  • C. Dialup User
  • D. Static IP Address

Correct answer: C

Explanation:
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client. This is often the case for branch offices and mobile VPN clients that use a dynamic IP address and have no dynamic DNS.


Question # 28
Which statement correctly describes the use of reliable logging on FortiGate?

  • A. Reliable logging is required to encrypt the transmission of logs.
  • B. Reliable logging is enabled by default in all configuration scenarios.
  • C. Reliable logging can be configured only using the CLI.
  • D. Reliable logging prevents the loss of logs when the local disk is full.

Correct answer: D

Explanation:
On a FortiGate device, reliable logging is a feature that helps to prevent the loss of log messages when the local disk is full. When reliable logging is enabled, the FortiGate will store log messages in a buffer until they can be written to the local disk. This helps to ensure that log messages are not lost due to a full disk, allowing administrators to maintain an accurate record of activity on the network. Reliable logging is not enabled by default in all configuration scenarios, and it does not encrypt the transmission of logs or require the use of the CLI to be configured. However, it is a useful feature to enable in order to maintain a comprehensive record of activity on the network and help with troubleshooting and security analysis.


Question # 29
Which statement describes a characteristic of automation stitches?

  • A. They can be created on any device in the fabric.
  • B. They can have one or more triggers.
  • C. They can run multiple actions simultaneously.
  • D. They can be run only on devices in the Security Fabric.

Correct answer: C

Explanation:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/351998/creating-automation-stitches


Question # 30
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

  • A. Enable port forwarding on the server to map the external service port to the internal service port.
  • B. Configure a loopback interface with address 203.0.113.2/32.
  • C. In the VIP configuration, enable arp-reply.
  • D. In the firewall policy configuration, enable match-vip.

Correct answer: D


Question # 31
Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

  • A. The session is in TCP ESTABLISHED state.
  • B. The session is a bidirectional UDP connection.
  • C. The session is a UDP unidirectional state.
  • D. The session is a bidirectional TCP connection.

Correct answer: B

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042


Question # 32
An employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

  • A. login-timeout
  • B. idle-timeout
  • C. session-ttl
  • D. udp-idle-timer

Correct answer: A

Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.222):
"When connected to SSL VPN over high latency connections, FortiGate can time out the client before the client can finish the negotiation process, such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl settings have been added to address this. The first command allows you to set up the login timeout, replacing the previous hard timeout value. The second command allows you to set up the maximum DTLS hello timeout for SSL VPN connections."


Question # 33
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

  • A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
  • B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
  • C. Enable Dead Peer Detection.
  • D. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Correct answer: C, D

Explanation:
Study Guide - IPsec VPN - IPsec configuration - Phase 1 Network.
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.
There are three DPD modes. On demand is the default mode.
Study Guide - IPsec VPN - Redundant VPNs.
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing.
Configure FW policies for each IPsec interface.


Question # 34
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

  • A. Antivirus engine
  • B. Flow engine
  • C. Detection engine
  • D. Intrusion prevention system engine

Correct answer: D

Explanation:
http://docs.fortinet.com/document/fortigate/6.0.0/handbook/240599/application-control


Question # 35
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.

Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

  • A. FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
  • B. FortiGate allocates 128 port blocks per user.
  • C. FortiGate allocates port blocks on a first-come, first-served basis.
  • D. FortiGate generates a system event log for every port block allocation made per user.

Correct answer: A, B


Question # 36
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.


If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  • A. 10.200.3.1, 10.0.1.10, and 443, respectively
  • B. 10.0.1.254, 10.0.1.10, and 443, respectively
  • C. 10.0.1.254, 10.0.1.10, and 10443, respectively

Correct answer: A


Question # 37
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

  • A. Security logs
  • B. Forward traffic logs
  • C. Local traffic logs
  • D. System event logs

Correct answer: C

Explanation:
Reference:
Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
FortiGate Security 7.2 Study Guide (p.176): "Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to the GUI and FortiGuard queries."


Question # 38
Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  • A. The port3 default route has the lowest metric.
  • B. The port1 and port2 default routes are active in the routing table.
  • C. The port3 default route has the highest distance.
  • D. There will be eight routes active in the routing table.

Correct answer: B, C


Question # 39
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

  • A. On HQ-FortiGate, disable Diffie-Hellman group 2.
  • B. On Remote-FortiGate, set port2 as Interface.
  • C. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • D. On both FortiGate devices, set Dead Peer Detection to On Demand.

Correct answer: B, C


Question # 40
Refer to the exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

  • A. On the Static URL Filter configuration, set Action to Monitor.
  • B. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.
  • C. On the Static URL Filter configuration, set Type to Simple.
  • D. On the Static URL Filter configuration, set Action to Exempt.

Correct answer: D

Explanation:
Reference:
Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has also configured a Static URL Filter to block access to twitter.com. As a result, users are being redirected to a block page when they try to access twitter.com. To allow users to access twitter.com while blocking all other social networking sites, the administrator can make the following configuration change: On the Static URL Filter configuration, set Action to Exempt: By setting the Action to Exempt, the administrator can override the block on twitter.com that was specified in the FortiGuard Category Based Filter. This will allow users to access twitter.com, while all other social networking sites will still be blocked.


Question # 41
An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

  • A. The number of logs generated by denied traffic is reduced.
  • B. Device detection on all interfaces is enforced for 30 minutes.
  • C. A session for denied traffic is created.
  • D. Denied users are blocked for 30 minutes.

Correct answer: A, C

Explanation:
ses-denied-traffic: Enable/disable including denied sessions in the session table.
https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/20620/config-system-settings
block-session-timer: Duration in seconds for blocked sessions. Type: integer. Minimum value: 1. Maximum value: 300. Default: 30.
https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/1620/config-system-global


Question # 42
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

  • A. Subject Alternative Name value
  • B. S/MIME Capabilities value
  • C. Subject value
  • D. Subject Key Identifier value

Correct answer: D


Question # 43
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

  • A. File filter
  • B. DNS filter
  • C. Intrusion prevention
  • D. Antivirus scanning

Correct answer: C, D


Question # 44
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

  • A. The issuer must be a public CA.
  • B. The CA extension must be set to TRUE.
  • C. The keyUsage extension must be set to keyCertSign.
  • D. The common name on the subject field must use a wildcard name.

Correct answer: B, C

Explanation:
"In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."


Question # 45
......

Latest NSE4_FGT-7.2 exam questions and answers in the complete, up-to-date PDF question set: https://www.jpntest.com/shiken/NSE4_FGT-7.2-mondaishu

The latest NSE4_FGT-7.2 PDF, updated today, is available as a free NSE4_FGT-7.2 trial: https://drive.google.com/open?id=1ghReZc0NS2V2TdCEgSWfpX2B2luZmrnG
