Practice reliably for Fortinet NSE 4 with the 183-question NSE4_FGT-7.2 question bank [Q53-Q78]

Real, up-to-date NSE4_FGT-7.2 exam questions from the NSE4_FGT-7.2 question bank


The Fortinet NSE4_FGT-7.2 certification exam consists of multiple-choice questions designed to test knowledge and skills across various areas of Fortinet FortiOS 7.2. The exam covers topics such as network security, firewall configuration, and threat prevention. To pass, candidates must score at least 70% on the exam.


Question # 53
Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

  • A. FortiGate is using default FortiGuard communication settings.
  • B. There is at least one server that lost packets consecutively.
  • C. A local FortiManager is one of the servers FortiGate communicates with.
  • D. One server was contacted to retrieve the contract information.

Correct answer: A, D


Question # 54
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.


If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  • A. 10.0.1.254, 10.0.1.10, and 10443, respectively
  • B. 10.200.3.1, 10.0.1.10, and 443, respectively
  • C. 10.0.1.254, 10.0.1.10, and 443, respectively

Correct answer: B


Question # 55
Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.


Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

  • A. The traffic sourced from the client and destined to the server is sent to FGT-1.
  • B. The cluster can load balance ICMP connections to the secondary.
  • C. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
  • D. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

Correct answer: A, D


Question # 56
Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.
With this configuration, which statement is true?

  • A. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.
  • B. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  • C. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  • D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

Correct answer: C


Question # 57
What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

  • A. Full Content inspection
  • B. Flow-based inspection
  • C. Proxy-based inspection
  • D. Certificate inspection

Correct answer: B

Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.90): "However, if NGFW mode is Policy-based, then the inspection mode for all policies in that VDOM is always flow and there is no option available in the policy to change it."


Question # 58
Which statement is true about SSL VPN web mode?

  • A. The external network application sends data through the VPN.
  • B. It assigns a virtual IP address to the client.
  • C. The tunnel is up while the client is connected.
  • D. It supports a limited number of protocols.

Correct answer: D

Explanation:
FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.


Question # 59
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?

  • A. A CRL
  • B. A person
  • C. A subordinate CA
  • D. A root CA

Correct answer: D


Question # 60
The IPS engine is used by which three security features? (Choose three.)

  • A. Antivirus in flow-based inspection
  • B. Web filter in flow-based inspection
  • C. DNS filter
  • D. Application control
  • E. Web application firewall

Correct answer: A, B, D

Explanation:
FortiGate Security 7.2 Study Guide (p.385): "The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. It's also responsible for application control, flow-based antivirus protection, web filtering, and email filtering."


Question # 61
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

  • A. FortiGate hostname
  • B. FortiGuard web filter cache
  • C. DNS
  • D. NTP

Correct answer: C, D


Question # 62
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

  • A. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
  • B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  • C. Enable Dead Peer Detection.
  • D. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Correct answer: B, C

Explanation:
Study Guide - IPsec VPN - IPsec configuration - Phase 1 Network.
When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.
There are three DPD modes. On demand is the default mode.
Study Guide - IPsec VPN - Redundant VPNs.
Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.
Add at least one phase 2 definition for each phase 1.
Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing.
Configure FW policies for each IPsec interface.


Question # 63
Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

  • A. Downstream devices can connect to the upstream device from any of their VDOMs.
  • B. VDOMs without ports with connected devices are not displayed in the topology.
  • C. Each VDOM in the environment can be part of a different Security Fabric.
  • D. Security rating reports can be run individually for each configured VDOM.

Correct answer: B

Explanation:
FortiGate Security 7.2 Study Guide (p.436): "When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must be part of a single Security Fabric."


Question # 64
Which three authentication timeout types are available for selection on FortiGate? (Choose three.)

  • A. new-session
  • B. auth-on-demand
  • C. Idle-timeout
  • D. hard-timeout
  • E. soft-timeout

Correct answer: A, C, D

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221


Question # 65
An administrator is configuring an IPsec VPN between site A and site B.
The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

  • A. 192.168.3.0/24
  • B. 192.168.0.0/24
  • C. 192.168.1.0/24
  • D. 192.168.2.0/24

Correct answer: D

Explanation:
For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B.
To complete the configuration, the administrator must configure the local quick mode selector for site B.
To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A.
Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.


Question # 66
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  • A. It limits the scanning of application traffic to the browser-based technology category only.
  • B. It limits the scanning of application traffic to the application category only.
  • C. It limits the scanning of application traffic to use parent signatures only.
  • D. It limits the scanning of application traffic to the DNS protocol only.

Correct answer: B

Explanation:
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode
In policy-based mode on a next-generation firewall (NGFW), you can use a URL list and application control in the same firewall policy to control traffic to and from specific websites or applications. However, there is a limitation to consider when using these features together:
It limits the scanning of application traffic to the application category only: The URL list and application control both rely on the firewall to inspect traffic and make decisions about what to allow or block. However, the URL list is limited to inspecting traffic at the URL level, while the application control can inspect traffic at a deeper level, such as at the application layer. This means that the application control is more comprehensive and can provide more granular control over specific applications, while the URL list is limited to controlling traffic at the URL level.


Question # 67
Which statement about video filtering on FortiGate is true?

  • A. It is available only on a proxy-based firewall policy.
  • B. Full SSL inspection is not required.
  • C. It does not require a separate FortiGuard license.
  • D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Correct answer: C


Question # 68
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?

  • A. 192.168.3.0/24
  • B. 192.168.0.0/8
  • C. 192.168.1.0/24
  • D. 192.168.2.0/24

Correct answer: D


Question # 69
Which statement about the IP authentication header (AH) used by IPsec is true?

  • A. AH provides strong data integrity but weak encryption.
  • B. AH provides data integrity but no encryption.
  • C. AH does not support perfect forward secrecy.
  • D. AH does not provide any data integrity or encryption.

Correct answer: B


Question # 70
Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

  • A. Traffic matching the signature will be silently dropped and logged.
  • B. Traffic matching the signature will be allowed and logged.
  • C. The signature setting uses a custom rating threshold.
  • D. The signature setting includes a group of other signatures.

Correct answer: A

Explanation:
Action is drop, signature default action is listed only in the signature, it would only match if action was set to default.


Question # 71
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

  • A. HTTPS
  • B. SSH
  • C. FTM
  • D. FortiTelemetry

Correct answer: A, B


Question # 72
Refer to the exhibit.
The exhibit shows the output of a diagnose command.

What does the output reveal about the policy route?

  • A. It is an ISDB route in policy route.
  • B. It is an SDWAN rule in policy route.
  • C. It is a regular policy route.
  • D. It is an ISDB policy route with an SDWAN rule.

Correct answer: D


Question # 73
Refer to the exhibit.

Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

  • A. Traffic between port2 and port2-vlan1 is allowed by default.
  • B. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
  • C. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
  • D. port1 is a native VLAN.

Correct answer: B, D

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883


Question # 74
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

  • A. In the firewall policy configuration, enable match-vip.
  • B. Configure a loopback interface with address 203.0.113.2/32.
  • C. In the VIP configuration, enable arp-reply.
  • D. Enable port forwarding on the server to map the external service port to the internal service port.

Correct answer: A


Question # 75
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.


If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  • A. 10.0.1.254, 10.0.1.10, and 10443, respectively
  • B. 10.0.1.254, 10.200.1.10, and 443, respectively
  • C. 10.200.3.1, 10.0.1.10, and 443, respectively
  • D. 10.0.1.254, 10.0.1.10, and 443, respectively

Correct answer: C

Explanation:
The host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, which is the external IP address of the VIP object named VIP in Exhibit B. The VIP object maps the external IP address and port to the internal IP address and port of the server, 10.0.1.10 and 443, respectively. The VIP object also enables NAT, which means that the source address of the packet will be translated to the IP address of the outgoing interface.
The firewall policy ID 1 in Exhibit B allows traffic from WAN (port1) to LAN (port3) with the destination address of VIP and the service of HTTPS. The policy also enables NAT, which means that the source address of the packet will be translated to the IP address of the outgoing interface.
Therefore, after FortiGate forwards the packet to the destination, the source address, destination address, and destination port of the packet will be 10.200.3.1, 10.0.1.10, and 443, respectively.
You can find more information about VIP objects and firewall policies in the Fortinet documentation.


Question # 76
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.)

  • A. Antivirus scanning
  • B. DNS filter
  • C. File filter
  • D. Intrusion prevention

Correct answer: A, D


Question # 77
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

  • A. Static URL filter, FortiGuard category filter, and advanced filters
  • B. DNS-based web filter and proxy-based web filter
  • C. Static domain filter, SSL inspection filter, and external connectors filters
  • D. FortiGuard category filter and rating filter

Correct answer: A


Question # 78
......
