Latest 2024 verified NSE4_FGT-7.2 questions and answers, with a pass guarantee or a full refund
[March 2024] Updated NSE4_FGT-7.2 certification questions with the actual answers are here at GoShiken
Question # 72
Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
- A. The default route is required to receive a reply.
- B. A firewall policy allowed the connection.
- C. A new traffic session was created.
- D. The debug flow is for ICMP traffic.
Correct answer: C, D
Explanation:
The debug flow output shows the result of a diagnose command that captures the traffic flow between the source and destination IP addresses. The debug flow output reveals the following information about the traffic flow:
The protocol is 1, which means that the traffic uses the ICMP protocol. ICMP is a protocol that is used to send error messages and test connectivity between devices.
The session state is 0, which means that a new traffic session was created. A session is a data structure that stores information about a connection between two devices.
The policy ID is 1, which means that the traffic matched the firewall policy with ID 1. A firewall policy is a rule that defines how FortiGate processes traffic based on the source, destination, service, and action parameters.
The action is 0, which means that the traffic was allowed by the firewall policy. An action is a parameter that specifies what FortiGate does with the traffic that matches a firewall policy.
Therefore, two conclusions that can be made from the debug flow output are:
The debug flow is for ICMP traffic.
A new traffic session was created.
Question # 73
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
- A. The host field in the HTTP header
- B. The subject field in the server certificate
- C. The serial number in the server certificate
- D. The subject alternative name (SAN) field in the server certificate
- E. The server name indication (SNI) extension in the client hello message
Correct answer: B, D, E
Explanation:
E) The server name indication (SNI) extension in the client hello message. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The SNI extension is a feature of the TLS protocol that allows a client to indicate the hostname of the server it wants to connect to during the TLS handshake. This helps the server to present the appropriate certificate for the requested hostname, especially when the server hosts multiple domains on the same IP address. FortiGate can use the SNI extension in the client hello message to identify the hostname of the SSL server and verify it against the server certificate.
D) The subject alternative name (SAN) field in the server certificate. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The SAN field is an extension of the X.509 certificate standard that allows a certificate to specify multiple hostnames or IP addresses that are valid for the certificate. This helps the certificate to support multiple domains or subdomains on the same server, or multiple servers with different IP addresses. FortiGate can use the SAN field in the server certificate to identify the hostname of the SSL server and verify it against the client request.
B) The subject field in the server certificate. This is correct. This is a piece of information that FortiGate uses to identify the hostname of the SSL server when SSL certificate inspection is enabled. The subject field is a part of the X.509 certificate standard that contains information about the identity of the entity that owns the certificate, such as common name, organization, country, and so on. The common name usually specifies the hostname or domain name of the server that owns the certificate. FortiGate can use the subject field in the server certificate to identify the hostname of the SSL server and verify it against the client request.
Question # 74
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scope of application control to the browser-based technology category only.
- B. It limits the scope of application control to scan application traffic on DNS protocol only.
- C. It limits the scope of application control to scan application traffic based on application category only.
- D. It limits the scope of application control to scan application traffic using parent signatures only.
Correct answer: C
Question # 75
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?
- A. The administrator must use a FortiAuthenticator device
- B. The administrator can register the same FortiToken on more than one FortiGate.
- C. The administrator must use the user self-registration server.
- D. The administrator can use a third-party radius OTP server.
Correct answer: A
Question # 76
Which two statements are true when FortiGate is in transparent mode? (Choose two.)
- A. FortiGate forwards frames without changing the MAC address.
- B. The existing network IP schema must be changed when installing a transparent mode.
- C. Static routes are required to allow traffic to the next hop.
- D. By default, all interfaces are part of the same broadcast domain.
Correct answer: A, D
Explanation:
Reference:
attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113
Question # 77
Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)
- A. Flow-based inspection
- B. Certificate inspection
- C. Full Content inspection
- D. Proxy-based inspection
Correct answer: A, D
Question # 78
Which three statements explain a flow-based antivirus profile? (Choose three.)
- A. Optimized performance compared to proxy-based inspection.
- B. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.
- C. If the virus is detected, the last packet is delivered to the client.
- D. FortiGate buffers the whole file but transmits to the client simultaneously.
- E. IPS engine handles the process as a standalone.
Correct answer: A, B, D
Question # 79
Refer to the exhibit.
The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
Which two statements are true? (Choose two.)
- A. FortiGate devices are not in sync because one device is down.
- B. FortiGate SN FGVM010000065036 HA uptime has been reset.
- C. FortiGate SN FGVM010000064692 has the higher HA priority.
- D. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
Correct answer: B, C
Explanation:
1. Override is disabled by default - OK
2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary." Here, 198 seconds < 300 seconds (5 minutes). FortiGate Infrastructure Study Guide, page 314. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab
Question # 80
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels.
The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?
- A. On Demand
- B. Disabled
- C. On Idle
- D. Enabled
Correct answer: C
Question # 81
Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?
- A. To remove the NAT operation
- B. To finish any inspection operations
- C. To generate logs
- D. To allow for out-of-order packets that could arrive after the FIN/ACK packets
Correct answer: D
Explanation:
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. The FortiGate unit implements a specific timer before removing an entry from the firewall session table.
Question # 82
Refer to the exhibit.
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.
Why is FortiGate not sending probes to the 4.2.2.2 and 4.2.2.1 servers? (Choose two.)
- A. The configured participants are not SD-WAN members.
- B. The Detection Mode setting is not set to Passive.
- C. The Enable probe packets setting is not enabled.
- D. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
Correct answer: C, D
Question # 83
Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?
- A. Policy with ID 5.
- B. Policies with ID 2 and 3.
- C. Policy with ID 4.
- D. Policy with ID 4.
Correct answer: A
Question # 84
Which two statements describe how the RPF check is used? (Choose two.)
- A. The RPF check is run on the first sent packet of any new session.
- B. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
- C. The RPF check is run on the first reply packet of any new session.
- D. The RPF check is run on the first sent and reply packet of any new session.
Correct answer: A, B
Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.41): "The RPF check is a mechanism that protects FortiGate and your network from IP spoofing attacks by checking for a return path to the source in the routing table." "FortiGate performs an RPF check only on the first packet of a new session. That is, after the first packet passes the RPF check and FortiGate accepts the session, FortiGate doesn't perform any additional RPF checks on that session."
B) The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
This is true because the RPF check verifies that the source IP address of an incoming packet matches the reverse route for that address, meaning that the packet came from a legitimate source and not from an attacker who is trying to impersonate another host. This prevents IP spoofing attacks, where an attacker sends packets with a forged source IP address to bypass security policies or launch denial-of-service attacks.
A) The RPF check is run on the first sent packet of any new session.
This is true because the RPF check is performed only once per session, on the first packet sent by either the client or the server, depending on the direction of the session initiation. This reduces the processing overhead and improves performance.
Question # 85
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
- A. DNS
- B. FortiGuard web filter cache
- C. NTP
- D. FortiGate hostname
Correct answer: A, C
Question # 86
Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?
- A. Security rating reports can be run individually for each configured VDOM.
- B. Each VDOM in the environment can be part of a different Security Fabric.
- C. VDOMs without ports with connected devices are not displayed in the topology.
- D. Downstream devices can connect to the upstream device from any of their VDOMs.
Correct answer: C
Explanation:
FortiGate Security 7.2 Study Guide (p.436): "When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must be part of a single Security Fabric."
Question # 87
What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)
- A. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
- B. The primary device in the cluster is always assigned IP address 169.254.0.1.
- C. Virtual IP addresses are used to distinguish between cluster members.
- D. Heartbeat interfaces have virtual IP addresses that are manually assigned.
Correct answer: A, C
Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.301):
"FGCP automatically assigns the heartbeat IP addresses based on the serial number of each device. The IP address 169.254.0.1 is assigned to the device with the highest serial number."
"A change in the heartbeat IP addresses may happen when a FortiGate device joins or leaves the cluster."
"The HA cluster uses the heartbeat IP addresses to distinguish the cluster members and synchronize data."
https://networkinterview.com/fortigate-ha-high-availability/
Question # 88
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to the browser-based technology category only.
- B. It limits the scanning of application traffic to use parent signatures only.
- C. It limits the scanning of application traffic to the DNS protocol only.
- D. It limits the scanning of application traffic to the application category only.
Correct answer: D
Explanation:
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode
In policy-based mode on a next-generation firewall (NGFW), you can use a URL list and application control in the same firewall policy to control traffic to and from specific websites or applications. However, there is a limitation to consider when using these features together:
It limits the scanning of application traffic to the application category only: The URL list and application control both rely on the firewall to inspect traffic and make decisions about what to allow or block. However, the URL list is limited to inspecting traffic at the URL level, while the application control can inspect traffic at a deeper level, such as at the application layer. This means that the application control is more comprehensive and can provide more granular control over specific applications, while the URL list is limited to controlling traffic at the URL level.
Question # 89
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
- A. The interface is a member of a zone.
- B. Captive portal is enabled in the interface.
- C. The interface is a member of a virtual wire pair.
- D. The interface has been configured for one-arm sniffer.
- E. The operation mode is transparent.
Correct answer: C, D, E
Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm
Question # 90
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)
- A. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
- B. FortiGate uses the AD server as the collector agent.
- C. FortiGate queries AD by using the LDAP to retrieve user group information.
- D. FortiGate points the collector agent to use a remote LDAP server.
Correct answer: A, C
Explanation:
FortiGate Infrastructure 7.0 Study Guide (pp. 272-273)
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732
Question # 91
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to use parent signatures only.
- B. It limits the scanning of application traffic to the browser-based technology category only.
- C. It limits the scanning of application traffic to the application category only.
- D. It limits the scanning of application traffic to the DNS protocol only.
Correct answer: B
Explanation:
FortiGate Security 7.2 Study Guide (p.317): "You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website."
Question # 92
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?
- A. 10.200.3.1, 10.0.1.10, and 443, respectively
- B. 10.0.1.254, 10.0.1.10, and 443, respectively
- C. 10.0.1.254, 10.0.1.10, and 10443, respectively
Correct answer: A
Question # 93
An administrator wants to simplify remote access without asking users to provide user credentials.
Which access control method provides this solution?
- A. L2TP
- B. SSL VPN
- C. ZTNA access proxy
- D. ZTNA IP/MAC filtering mode
Correct answer: C
Explanation:
FortiGate Infrastructure 7.2 Study Guide (p.165): "ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of VPNs." This is true because ZTNA access proxy is a feature that allows remote users to access internal applications without requiring VPN or user credentials. ZTNA access proxy uses a secure tunnel between the user's device and the FortiGate, and authenticates the user based on device identity and context. The user only needs to install a lightweight agent on their device, and the FortiGate will automatically assign them to the appropriate application group based on their device profile. This simplifies remote access and enhances security by reducing the attack surface.
Question # 94
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)
- A. To encapsulate ESP packets in UDP packets using port 4500.
- B. To detect intermediary NAT devices in the tunnel path.
- C. To dynamically change phase 1 negotiation mode to aggressive mode.
- D. To force a new DH exchange with each phase 2 rekey.
Correct answer: A, B
Question # 95
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?
- A. On Demand
- B. Disabled
- C. On Idle
- D. Enabled
Correct answer: C
Question # 96
......
The real, valid and accurate NSE4_FGT-7.2 question bank with 183 questions and answers awaits you: https://www.goshiken.com/Fortinet/NSE4_FGT-7.2-mondaishu.html
Latest NSE4_FGT-7.2 question bank in PDF: https://drive.google.com/open?id=1g8T0EHOQoyEmJik6GvgzAGHsM2AOibt7