Free Sales Ending Soon - Use Real NSE4_FGT-6.4 PDF Questions [Nov 24, 2021]
Updated Nov-2021 Exam NSE4_FGT-6.4 Dumps - Pass Your Certification Exam
NEW QUESTION 10
Refer to the exhibit.
Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?
- A. Read/Write permission for Firewall
- B. Read/Write permission for Log & Report
- C. Custom permission for Network
- D. CLI diagnostics commands permission
Answer: C
NEW QUESTION 11
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
- A. get system arp
- B. diagnose sys top
- C. diagnose sniffer packet any
- D. execute ping
- E. execute traceroute
Answer: B,C,D
NEW QUESTION 12
Examine the two static routes shown in the exhibit, then answer the following question.
Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?
- A. FortiGate will load balance all traffic across both routes.
- B. FortiGate will only actuate the port1 route in the routing table
- C. FortiGate will route twice as much traffic to the port2 route
- D. FortiGate will use the port1 route as the primary candidate.
Answer: D
Explanation:
"If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path."
NEW QUESTION 13
View the exhibit:
Which the FortiGate handle web proxy traffic rue? (Choose two.)
- A. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
- B. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
- C. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
- D. port-VLAN1 is the native VLAN for the port1 physical interface.
Answer: A,C
NEW QUESTION 14
Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)
- A. SSL inspection and authentication policy
- B. Firewall policy
- C. Policy rule
- D. Security policy
Answer: A,D
NEW QUESTION 15
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
- A. The IPS engine will continue to run in a normal state.
- B. The IPS engine was unable to prevent an intrusion attack.
- C. The IPS engine was blocking all traffic.
- D. The IPS engine was inspecting high volume of traffic.
Answer: D
NEW QUESTION 16
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?
- A. A DoS policy should be used, instead of an IPS sensor.
- B. The HTTPS signatures have not been added to the sensor.
- C. A DoS policy should be used, instead of an IPS sensor.
- D. The firewall policy is not using a full SSL inspection profile.
- E. The IPS filter is missing the Protocol: HTTPS option.
Answer: D
NEW QUESTION 17
You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk.
What is the default behavior when the local disk is full?
- A. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
- B. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.
- C. No new log is recorded until you manually clear logs from the local disk.
- D. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
Answer: A
NEW QUESTION 18
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
- A. The next-hop IP address is unreachable.
- B. It matched the default implicit firewall policy.
- C. It matched an explicitly configured firewall policy with the action DENY.
- D. It failed the RPF check.
Answer: B
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900
NEW QUESTION 19
Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?
- A. Optimization
- B. Automated Response
- C. Security Posture
- D. Fabric Coverage
Answer: D
NEW QUESTION 20
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
- A. The browser requires a software update.
- B. FortiGate does not support full SSL inspection when web filtering is enabled.
- C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
- D. There are network connectivity issues.
Answer: C
Explanation:
Explanation/Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41394
NEW QUESTION 21
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scope of application control to scan application traffic based on application category only.
- B. It limits the scope of application control to scan application traffic using parent signatures only
- C. It limits the scope of application control to scan application traffic on DNS protocol only.
- D. It limits the scope of application control to the browser-based technology category only.
Answer: A
NEW QUESTION 22
Refer to the exhibit.
The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How
does FortiGate process the traffic sent to http://www.fortinet.com?
- A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
- B. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
- C. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
- D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
Answer: D
NEW QUESTION 23
Refer to the exhibit.
According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?
- A. A user
- B. A bridge CA
- C. A subordinate
- D. A root CA
Answer: A
NEW QUESTION 24
Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?
- A. The session is in TCP ESTABLISHED state.
- B. The session is a bidirectional UDP connection.
- C. The session is a UDP unidirectional state.
- D. The session is a bidirectional TCP connection.
Answer: B
NEW QUESTION 25
Examine the exhibit, which contains a virtual IP and firewall policy configuration.


The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
- A. 10.200.1.1
- B. 10.200.1.10
- C. 10.0.1.254
- D. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
Answer: B
Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.htm
NEW QUESTION 26
Which two statements are correct about SLA targets? (Choose two.)
- A. SLA targets are required for SD-WAN rules with a Best Quality strategy.
- B. You can configure only two SLA targets per one Performance SLA.
- C. SLA targets are used only when referenced by an SD-WAN rule.
- D. SLA targets are optional.
Answer: C,D
NEW QUESTION 27
Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)
- A. ping
- B. udp-echo
- C. TWAMP
- D. DNS
Answer: B,D
NEW QUESTION 28
View the exhibit.
Which of the following statements are correct? (Choose two.)
- A. This setup requires at least two firewall policies with the action set to IPsec.
- B. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
- C. This is a redundant IPsec setup.
- D. Dead peer detection must be disabled to support this type of IPsec setup.
Answer: B,C
NEW QUESTION 29
An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?
- A. Add the support of NTLM authentication.
- B. Add user accounts to the Ignore User List.
- C. Add user accounts to the FortiGate group fitter.
- D. Add user accounts to Active Directory (AD).
Answer: C
NEW QUESTION 30
......
NSE4_FGT-6.4 Dumps To Pass Fortinet NSE 4 Exam in One Day : https://www.fast2test.com/NSE4_FGT-6.4-premium-file.html