Freely updated Fortinet NSE4_FGT-7.0 test engine questions: 175 questions in total [Q70-Q94]


Use the best question set: Fortinet NSE 4 NSE4_FGT-7.0 specialist exam questions


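The Fortinet NSE4_FGT-7.0 exam consists of 60 multiple-choice questions that must be completed within 90 minutes. A score of at least 70% is required to pass. The exam is delivered through Pearson VUE test centers worldwide, and registration can be completed online. There is a fee to take the exam, and the exact cost varies by location.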

 

Question # 70
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.
What is the reason for the failed virus detection by FortiGate?

  • A. Application control is not enabled
  • B. Antivirus definitions are not up to date
  • C. Antivirus profile configuration is incorrect
  • D. SSL/SSH Inspection profile is incorrect

Correct answer: D

Explanation:
HTTPS traffic requires SSL decryption before antivirus can scan it. Check the SSL/SSH inspection profile.


Question # 71
Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  • A. The port3 default route has the highest distance.
  • B. The port3 default route has the lowest metric.
  • C. The port1 and port2 default routes are active in the routing table.
  • D. There will be eight routes active in the routing table.

Correct answer: A, C


Question # 72
Refer to the exhibits.


The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

  • A. Change the SSL VPN portal to the tunnel.
  • B. Change the SSL VPN port on the client.
  • C. Change the Server IP address.
  • D. Change the idle-timeout.

Correct answer: B


Question # 73
An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

  • A. Device detection on all interfaces is enforced for 30 minutes.
  • B. The number of logs generated by denied traffic is reduced.
  • C. A session for denied traffic is created.
  • D. Denied users are blocked for 30 minutes.

Correct answer: B, C

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328


Question # 74
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

  • A. The private key of the CA certificate that signed the browser certificate must be installed on the browser.
  • B. The public key of the web server certificate must be installed on the browser.
  • C. The CA certificate that signed the web-server certificate must be installed on the browser.
  • D. The web-server certificate must be installed on the browser.

Correct answer: C


Question # 75
What devices form the core of the security fabric?

  • A. One FortiGate device and one FortiAnalyzer device
  • B. One FortiGate device and one FortiManager device
  • C. Two FortiGate devices and one FortiAnalyzer device
  • D. Two FortiGate devices and one FortiManager device

Correct answer: C


Question # 76
Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

  • A. The session is a bidirectional TCP connection.
  • B. The session is in TCP ESTABLISHED state.
  • C. The session is a UDP unidirectional state.
  • D. The session is a bidirectional UDP connection.

Correct answer: D

Explanation:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988


Question # 77
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

  • A. The internal IP address of the FortiGate device.
  • B. The remote user's virtual IP address.
  • C. The remote user's public IP address.
  • D. The public IP address of the FortiGate device.

Correct answer: A

Explanation:
The source IP seen by the remote resources is FortiGate's internal IP address, not the user's IP address.


Question # 78
What is the primary FortiGate election process when the HA override setting is disabled?

  • A. Connected monitored ports > Priority > System uptime > FortiGate Serial number
  • B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
  • C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
  • D. Connected monitored ports > System uptime > Priority > FortiGate Serial number

Correct answer: B

Explanation:
Reference:
FortiGate_Infrastructure_7.0 page 304 PUPS - Ports/Uptime/Priority/Serial


Question # 79
If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

  • A. The Services field prevents SNAT and DNAT from being combined in the same policy.
  • B. The Services field is used when you need to bundle several VIPs into VIP groups.
  • C. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.
  • D. The Services field removes the requirement to create multiple VIPs for different services.

Correct answer: D

Explanation:
The Services option has been added to VIP objects. When services and port forward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port. This configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and not requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-overlapping.


Question # 80
View the exhibit:

Which statements about how FortiGate handles web proxy traffic are true? (Choose two.)

  • A. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
  • B. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
  • C. port-VLAN1 is the native VLAN for the port1 physical interface.
  • D. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.

Correct answer: B, D


Question # 81
Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

  • A. The security actions applied on the web applications will also be explicitly applied on the third-party websites.
  • B. The application signature database inspects traffic only from the original web application server.
  • C. FortiGate can inspect sub-application traffic regardless of where it originated.
  • D. FortiGuard maintains only one signature of each web application that is unique.

Correct answer: C


Question # 82
Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  • A. The port3 default route has the highest distance.
  • B. The port3 default route has the lowest metric.
  • C. The port1 and port2 default routes are active in the routing table.
  • D. There will be eight routes active in the routing table.

Correct answer: A, C


Question # 83
Refer to the exhibit.

The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client and the explicit web proxy?

  • A. 'host 10.0.0.50 and port 80'
  • B. 'host 10.0.0.50 and port 8080'
  • C. 'host 192.168.0.1 and port 80'
  • D. 'host 192.168.0.2 and port 8080'

Correct answer: D


Question # 84
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  • A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • B. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • C. FortiGate automatically negotiates a new security association after the existing security association expires.
  • D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Correct answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=12069
"If IPsec SA renegotiation takes too much time, then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation. Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. "


Question # 85
Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

  • A. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.
  • B. Any web request to fortinet.com is allowed to bypass the proxy.
  • C. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
  • D. Browsers can be configured to retrieve this PAC file from the FortiGate.

Correct answer: B, D


Question # 86
Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

  • A. FortiGate will route twice as much traffic to the port2 route
  • B. FortiGate will use the port1 route as the primary candidate.
  • C. FortiGate will only activate the port1 route in the routing table.
  • D. FortiGate will load balance all traffic across both routes.

Correct answer: B

Explanation:
"If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path."


Question # 87
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

  • A. A DoS policy should be used, instead of an IPS sensor.
  • B. The HTTPS signatures have not been added to the sensor.
  • C. A DoS policy should be used, instead of an IPS sensor.
  • D. The firewall policy is not using a full SSL inspection profile.
  • E. The IPS filter is missing the Protocol: HTTPS option.

Correct answer: D


Question # 88
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

  • A. To dynamically change phase 1 negotiation mode to aggressive mode.
  • B. To detect intermediary NAT devices in the tunnel path.
  • C. To encapsulate ESP packets in UDP packets using port 4500.
  • D. To force a new DH exchange with each phase 2 rekey.

Correct answer: B, C

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48755


Question # 89
Refer to the exhibit, which contains a network diagram and routing table output.
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

  • A. The first packet sent from Student failed the RPF check.
    This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • B. The first reply packet for Student failed the RPF check.
    This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • C. The first packet sent from Student failed the RPF check.
    This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
  • D. The first reply packet for Student failed the RPF check.
    This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Correct answer: C


Question # 90
Which statement regarding the firewall policy authentication timeout is true?

  • A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
  • B. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
  • C. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
  • D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

Correct answer: B


Question # 91
An administrator is configuring IPsec between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

  • A. 192.168.3.0/24
  • B. 192.168.2.0/24
  • C. 192.168.1.0/24
  • D. 192.168.0.0/8

Correct answer: B


Question # 92
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Pre-shared Key
  • B. Dialup User
  • C. Static IP Address
  • D. Dynamic DNS

Correct answer: B

Explanation:
Dialup User is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client. This is often the case for branch offices and mobile VPN clients that use dynamic IP addresses and no dynamic DNS.


Question # 93
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

  • A. On Remote-FortiGate, set Seconds to 43200.
  • B. On HQ-FortiGate, set Encryption to AES256.
  • C. On HQ-FortiGate, enable Auto-negotiate.
  • D. On HQ-FortiGate, enable Diffie-Hellman Group 2.

Correct answer: B

Explanation:
The encryption and authentication algorithms must match for the IPsec tunnel to be successfully established.


Question # 94
......


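The Fortinet NSE4_FGT-7.0 exam is an important certification exam for network security professionals who work with Fortinet's FortiOS 7.0 security platform. It tests the knowledge and skills needed to configure, manage, and troubleshoot Fortinet's security platform, and is an excellent way for professionals to demonstrate their skills and expertise in network security.


The Fortinet NSE4_FGT-7.0 exam is a certification exam that tests the skills and knowledge of network security professionals in using Fortinet's FortiOS 7.0 operating system. It is intended for individuals responsible for managing and configuring Fortinet security solutions such as firewalls, VPNs, and intrusion prevention systems. The exam covers a wide range of topics, including network security concepts, FortiOS configuration and management, VPNs, and firewall policies. Passing this exam is a great way to demonstrate network security expertise and improve career prospects in the field.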
