NSE4_FGT-7.0 Real Exam Questions: NSE4_FGT-7.0 Practice Question Set [Q34-Q58]


Rigorously verified NSE4_FGT-7.0 exam questions and answers: free NSE4_FGT-7.0 questions with correct answers

Question # 34
Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

  • A. Certificate inspection
  • B. Proxy-based inspection
  • C. Full Content inspection
  • D. Flow-based inspection

Correct answer: B, D


Question # 35
An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

  • A. Redundant interface
  • B. Software Switch interface
  • C. Aggregate interface
  • D. VLAN interface

Correct answer: C


Question # 36
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

  • A. To encapsulate ESP packets in UDP packets using port 4500.
  • B. To force a new DH exchange with each phase 2 rekey.
  • C. To detect intermediary NAT devices in the tunnel path.
  • D. To dynamically change phase 1 negotiation mode to aggressive mode.

Correct answer: A, C

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48755


Question # 37
Refer to the exhibits.


Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

  • A. Administrators cannot change the configuration.
  • B. Administrators can access FortiGate only through the console port.
  • C. FortiGate has entered conserve mode.
  • D. FortiGate will start sending all files to FortiSandbox for inspection.

Correct answer: A, C


Question # 38
Which two statements are correct about SLA targets? (Choose two.)

  • A. You can configure only two SLA targets per one Performance SLA.
  • B. SLA targets are used only when referenced by an SD-WAN rule.
  • C. SLA targets are required for SD-WAN rules with a Best Quality strategy.
  • D. SLA targets are optional.

Correct answer: B, D

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/382233/performance-sla-sla-targets
FortiGate Infrastructure 7.0 Study Guide P.81


Question # 39
Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.
With this configuration, which statement is true?

  • A. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  • B. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
  • C. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  • D. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

Correct answer: C


Question # 40
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  • A. FTM
  • B. FortiTelemetry
  • C. HTTPS
  • D. SSH

Correct answer: C, D


Question # 41
Refer to the exhibit.

The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

  • A. The sensor will reset all connections that match these signatures.
  • B. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
  • C. The sensor will gather a packet log for all matched traffic.
  • D. The sensor will block all attacks aimed at Windows servers.

Correct answer: B, D


Question # 42
What is the primary FortiGate election process when the HA override setting is disabled?

  • A. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
  • B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
  • C. Connected monitored ports > System uptime > Priority > FortiGate Serial number
  • D. Connected monitored ports > Priority > System uptime > FortiGate Serial number

Correct answer: B


Question # 43
Refer to the exhibit.




The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

  • A. 10.200.1.1
  • B. 10.200.1.149
  • C. 10.200.1.99
  • D. 10.200.1.49

Correct answer: C

Explanation:
Ping uses the ICMP protocol (protocol number 1), so central SNAT policy ID 1 is the policy that is used. The translated address is "SNAT-Remote1", which is 10.200.1.99.


Question # 44
Which statement is true about SSL VPN web mode?

  • A. It supports a limited number of protocols.
  • B. The external network application sends data through the VPN.
  • C. It assigns a virtual IP address to the client.
  • D. The tunnel is up while the client is connected.

Correct answer: A

Explanation:
FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.


Question # 45
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

  • A. FortiSandbox
  • B. FortiSIEM
  • C. FortiAnalyzer
  • D. FortiCache
  • E. FortiCloud

Correct answer: B, C, E


Question # 46
Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.
What CLI command must the administrator use to view the route?

  • A. get internet service route list
  • B. diagnose firewall proute list
  • C. get router info routing-table database
  • D. get router info routing-table all

Correct answer: B

Explanation:
Reference: FortiGate Infrastructure 7.0 Study Guide P.55
An ISDB static route does not create an entry directly in the routing table.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for-Predefined-Internet/ta-p/198756 and https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/190640


Question # 47
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  • A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • B. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • C. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
  • D. FortiGate automatically negotiates a new security association after the existing security association expires.

Correct answer: C

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=12069


Question # 48
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

  • A. Log backups from the CLI cannot be restored to another FortiGate.
  • B. Log backups from the CLI can be configured to upload to FTP at a scheduled time.
  • C. Log downloads from the GUI are stored as LZ4 compressed files.
  • D. Log downloads from the GUI are limited to the current filter view.

Correct answer: A, D


Question # 49
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

  • A. Search option will be disabled
  • B. Policy lookup will be disabled.
  • C. By Sequence view will be disabled.
  • D. Interface Pair view will be disabled.

Correct answer: D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47821


Question # 50
If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?

  • A. The Services field prevents SNAT and DNAT from being combined in the same policy.
  • B. The Services field is used when you need to bundle several VIPs into VIP groups.
  • C. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.
  • D. The Services field removes the requirement to create multiple VIPs for different services.

Correct answer: D

Explanation:
The Services option has been added to VIP objects. When services and port forward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port. This configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and not requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-overlapping.


Question # 51
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

  • A. The client FortiGate requires a manually added route to remote subnets.
  • B. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  • C. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
  • D. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

Correct answer: A, B

Explanation:
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/266506/ssl-vpn-with-certificateauthentication


Question # 52
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

  • A. ip_src_session
  • B. SMTP.Login.Brute.Force
  • C. IMAP.Login.brute.Force
  • D. Location: server Protocol: SMTP

Correct answer: C


Question # 53
Which three statements about a flow-based antivirus profile are correct? (Choose three.)

  • A. IPS engine handles the process as a standalone.
  • B. Optimized performance compared to proxy-based inspection.
  • C. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.
  • D. If the virus is detected, the last packet is delivered to the client.
  • E. FortiGate buffers the whole file but transmits to the client simultaneously.

Correct answer: B, C, E


Question # 54
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

  • A. The strict RPF check is run on the first sent and reply packet of any new session.
  • B. Strict RPF allows packets back to sources with all active routes.
  • C. Strict RPF checks the best route back to the source using the incoming interface.
  • D. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

Correct answer: C


Question # 55
Refer to the exhibit.



The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration.
How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

  • A. If there is a fall-through policy in place, users will not be prompted for authentication.
  • B. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.
  • C. Authentication is enforced at a policy level; all users will be prompted for authentication.
  • D. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

Correct answer: C


Question # 56
Which of the following statements about central NAT are true? (Choose two.)

  • A. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
  • B. IP pool references must be removed from existing firewall policies before enabling central NAT.
  • C. Source NAT, using central NAT, requires at least one central SNAT policy.
  • D. Central NAT can be enabled or disabled from the CLI only.

Correct answer: B, D


Question # 57
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

  • A. A DoS policy should be used, instead of an IPS sensor.
  • B. The IPS filter is missing the Protocol: HTTPS option.
  • C. The HTTPS signatures have not been added to the sensor.
  • D. The firewall policy is not using a full SSL inspection profile.
  • E. A DoS policy should be used, instead of an IPS sensor.

Correct answer: D


Question # 58
......
