NSE4-5.4 Exam - Fortinet Network Security Expert - FortiOS 5.4



New Fortinet NSE4-5.4 Exam Dumps Collection (Question 7 - Question 16)

New Questions 7

Why must you use aggressive mode when a local FortiGate IPsec gateway hosts multiple dialup tunnels?

A. The FortiGate is able to handle NATed connections only with aggressive mode.

B. FortiClient supports aggressive mode.

C. The remote peers are able to provide their peer IDs in the first message with aggressive mode.

D. Main mode does not support XAuth for user authentication.

Answer: B


New Questions 8

An administrator has created a custom IPS signature. Where does the custom IPS signature have to be applied?

A. In an IPS sensor

B. In an interface.

C. In a DoS policy.

D. In an application control profile.

Answer: A


New Questions 9

Which statements about DNS filter profiles are true? (Choose two.)

A. They can inspect HTTP traffic.

B. They must be applied in firewall policies with SSL inspection enabled.

C. They can block DNS requests to known botnet command and control servers.

D. They can redirect blocked requests to a specific portal.

Answer: C,D


New Questions 10

In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?

A. Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server.

B. Client > secondary FortiGate > web server.

C. Client > secondary FortiGate > primary FortiGate > web server.

D. Client > primary FortiGate > secondary FortiGate > web server.

Answer: D


New Questions 11

Which statements about the output are correct? (Choose two.)

A. FortiGate received a TCP SYN/ACK packet.

B. The source IP address of the packet was translated to 10.0.1.10.

C. FortiGate routed the packet through port 3.

D. The packet was allowed by the firewall policy with the ID 00007fc0.

Answer: B,C


New Questions 12

Under what circumstance would you enable LEARN as the Action on a firewall policy?

A. You want FortiGate to compile security feature activity from various security-related logs, such as virus and attack logs.

B. You want FortiGate to monitor a specific security profile in a firewall policy, and provide recommendations for that profile.

C. You want to capture data across all traffic and security vectors, and receive learning logs and a report with recommendations.

D. You want FortiGate to automatically modify your firewall policies as it learns your networking behavior.

Answer: B


New Questions 13

An administrator has enabled proxy-based antivirus scanning and configured the following settings:

Which statement about the above configuration is true?

A. Files bigger than 10 MB are not scanned for viruses and will be blocked.

B. FortiGate scans only the first 10 MB of any file.

C. Files bigger than 10 MB are sent to the heuristics engine for scanning.

D. FortiGate scans the files in chunks of 10 MB.

Answer: A


New Questions 14

What FortiGate feature can be used to allow IPv6 clients to connect to IPv4 servers?

A. IPv6-over-IPv4 IPsec

B. NAT64

C. IPv4-over-IPv6 IPsec

D. NAT66

Answer: B

Explanation:

IPv6-over-IPv4 IPsec is used for IPv6 clients to communicate over an IPv4 network.


New Questions 15

How do you configure inline SSL inspection on a firewall policy? (Choose two.)

A. Enable one or more flow-based security profiles on the firewall policy.

B. Enable the SSL/SSH Inspection profile on the firewall policy.

C. Execute the inline ssl inspection CLI command.

D. Enable one or more proxy-based security profiles on the firewall policy.

Answer: A,B


New Questions 16

Which statement is correct based on this configuration?

A. The MAC address 00:0c:29:29:38:da belongs to the port1 interface.

B. Access to the network is blocked for the devices with the MAC address 00:0c:29:29:38:da and the IP address 10.0.1.254.

C. 00:0c:29:29:38:da is the virtual MAC address assigned to the secondary IP address (10.0.1.254) of the port1 interface.

D. The IP address 10.0.1.254 is reserved for the device with the MAC address 00:0c:29:29:38:da.

Answer: D

