NSE4 | Fortinet NSE4 Dumps Questions 2021

NEW QUESTION 1
Which of the following regular expression patterns makes the terms “confidential data” case insensitive?

• A. [confidential data]
• B. /confidential data/i
• C. i/confidential data/
• D. “confidential data”

Answer: B

NEW QUESTION 2
Which is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying a FortiGate unit?

• A. MIB-based report uploads.
• B. SNMP access limited by access lists.
• C. Packet encryption.
• D. Running SNMP service on a non-standard port is possible.

Answer: C

NEW QUESTION 3
Which of the following traffic shaping functions can be offloaded to a NP processor? (Choose two.)

• A. Que prioritization
• B. Traffic cap (bandwidth limit)
• C. Differentiated services field rewriting
• D. Guarantee bandwidth

Answer: CD

NEW QUESTION 4
A FortiGate unit is configured with three Virtual Domains (VDOMs) as illustrated in the exhibit.

Which of the following statements are true if the network administrator wants to route traffic between all the VDOMs? (Choose three.)

• A. The administrator can configure inter-VDOM links to avoid using external interfaces and routers.
• B. As with all FortiGate unit interfaces, firewall policies must be in place for traffic to be allowed to pass through any interface, including inter-VDOM links.
• C. This configuration requires a router to be positioned between the FortiGate unit and the Internet for proper routing.
• D. Inter-VDOM routing is automatically provided if all the subnets that need to be routed are locally attached.
• E. As each VDOM has an independent routing table, routing rules need to be set (for example, static routing, OSPF) in each VDOM to route traffic between VDOMs.

Answer: ABE

NEW QUESTION 5
Which of the following statements best describe what a FortiGate does when packets match a black hole route?

• A. Packets are dropped.
• B. Packets are routed based on the information in the policy-based routing table.
• C. An ICMP error message is sent back to the originator.
• D. Packet are routed back to the originator.

Answer: A

NEW QUESTION 6
Which define device identification? (Choose two.)

• A. Device identification is enabled by default on all interfaces.
• B. Enabling a source device in a firewall policy enables device identification on the source interfaces of that policy.
• C. You cannot combine source user and source device in the same firewall policy.
• D. FortiClient can be used as an agent based device identification technique.
• E. Only agentless device identification techniques are supported.

Answer: BD

NEW QUESTION 7
Examine the following log message attributes and select two correct statements from the list below. (Choose two.)
hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"

• A. The traffic was blocked.
• B. The user failed authentication.
• C. The category action was set to warning.
• D. The website was allowed

Answer: CD

NEW QUESTION 8
Which of the following statements are correct about the HA command diagnose sys ha reset-uptime? (Choose two.)

• A. The device this command is executed on is likely to switch from master to slave status if override is disabled.
• B. The device this command executed on is likely to switch from master to slave status if override is enabled.
• C. The command has no impact on the HA algorithm.
• D. This commands resets the uptime variable used in the HA algorithm so it may cause a new master to become elected.

Answer: AD

NEW QUESTION 9
What information is synchronized between two FortiGate units that belong to the same HA cluster? (Choose three)

• A. IP addresses assigned to DHCP enabled interface.
• B. The master devices hostname.
• C. Routing configured and state.
• D. Reserved HA management interface IP configuration.
• E. Firewall policies and objects.

Answer: ACE

NEW QUESTION 10
A user logs into a SSL VPN portal and activates the tunnel mode. The exhibit shows the firewall policy and the user's SSL VPN portal configuration:

Given that the user authenticates against the SSL VPN policy shown in the image below, which statement below identifies the route that is added to the client's routing table.

• A. A route to a destination subnet matching the Internal_Servers address object.
• B. A route to the destination subnet configured in the tunnel mode widget.
• C. A default route.
• D. A route to the destination subnet configured in the SSL VPN global settings.

Answer: A

NEW QUESTION 11
What is required in a FortiGate configuration to have more than one dialup IPsec VPN using aggressive mode?

• A. All the aggressive mode dialup VPNs MUST accept connections from the same peer ID.
• B. Each peer ID MUST match the FQDN of each remote peer.
• C. Each aggressive mode dialup MUST accept connections from different peer ID.
• D. The peer ID setting must NOT be used.

Answer: C

NEW QUESTION 12
Which of the following statements describe some of the differences between symmetric and asymmetric cryptography? (Choose two.)

• A. In symmetric cryptography, the keys are publicly availabl
• B. In asymmetric cryptography, the keys must be kept secret.
• C. Asymmetric cryptography can encrypt data faster than symmetric cryptography
• D. Symmetric cryptography uses one pre-shared ke
• E. Asymmetric cryptography uses a pair or keys
• F. Asymmetric keys can be sent to the remote peer via digital certificate
• G. Symmetric keys cannot

Answer: CD

NEW QUESTION 13
A FortiGate administrator with the super_admin profile configures a virtual domain (VDOM) for a new customer. After creating the VDOM, the administrator is unable to reassign the dmz interface to the new VDOM as the option is greyed out in the GUI in the management VDOM.
What would be a possible cause for this problem?

• A. The administrator does not have the proper permissions the dmz interface.
• B. The dmz interface is referenced in the configuration of another VDOM.
• C. Non-management VDOMs cannot reference physical interfaces
• D. The dmz interface is in PPPoE or DHCP mode.

Answer: B

NEW QUESTION 14
Which statement is correct concerning an IPsec VPN with the remote gateway setting configured as 'Dynamic DNS'?

• A. The FortiGate will accept IPsec VPN connection from any IP address.
• B. The FQDN resolution of the local FortiGate IP address where the VPN is terminated must be provided by a dynamic DNS provider.
• C. The FortiGate will Accept IPsec VPN connections only from IP addresses included on a dynamic DNS access list.
• D. The remote gateway IP address can change dynamically.

Answer: D

NEW QUESTION 15
The exhibit shows the Disconnect Cluster Member command in a FortiGate unit that is part of a HA cluster with two HA members.

What is the effect of the Disconnect Cluster Member command as given in the exhibit. (Choose two.)

• A. Port3 is configured with an IP address management access.
• B. The firewall rules are purged on the disconnected unit.
• C. The HA mode changes to standalone.
• D. The system hostname is set to the unit serial number.

Answer: AC

NEW QUESTION 16
Which statements are true regarding IPv6 anycast addresses? (Choose two.)

• A. Multiple interfaces can share the same anycast address.
• B. They are allocated from the multicast address space.
• C. Different nodes cannot share the same anycast address.
• D. An anycast packet is routed to the nearest interface.

Answer: AD