NSE4-5.4 Exam - Fortinet Network Security Expert - FortiOS 5.4

Q1. Which component of FortiOS performs application control inspection?

A. Kernel

B. Antivirus engine

C. IPS engine

D. Application control engine

View Answer

Q2. Which of the following statements about central NAT are true? (Choose two.)

A. IP tool references must be removed from existing firewall policies before enabling central NAT.

B. Central NAT can be enabled or disabled from the CLI only.

C. Source NAT, using central NAT, requires at least one central SNAT policy.

D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall policy.

View Answer

Q3. An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

A. The interface has been configured for one-arm sniffer.

B. The interface is a member of a virtual wire pair.

C. The operation mode is transparent.

D. The interface is a member of a zone.

E. Captive portal is enabled in the interface.

View Answer

Q4. An administrator is using the FortiGate built-in sniffer to capture HTTP traffic between a client and a server, however, the sniffer output shows only the packets related with TCP session setups and disconnections. Why?

A. The administrator is running the sniffer on the internal interface only.

B. The filter used in the sniffer matches the traffic only in one direction.

C. The FortiGate is doing content inspection.

D. TCP traffic is being offloaded to an NP6.

View Answer

Q5. Examine this output from the diagnose sys top command:

Which statements about the output are true? (Choose two.)

A. sshd is the process consuming most memory

B. sshd is the process consuming most CPU

C. All the processes listed are in sleeping state

D. The sshd process is using 123 pages of memory

View Answer

Q6. What are the purposes of NAT traversal in IPsec? (Choose two.)

A. To detect intermediary NAT devices in the tunnel path.

B. To encapsulate ESP packets in UDP packets using port 4500.

C. To force a new DH exchange with each phase 2 re-key

D. To dynamically change phase 1 negotiation mode to Aggressive.

View Answer

Q7. How to configure Collector agent settings?

A. The dead entry timeout interval is used to age out entries with an unverified status.

B. The workstation verify interval is used to periodically check if a workstation is still a domain member.

C. The user group cache expiry is used to age out the monitored groups.

D. The IP address change verify interval monitors the server IP address where the collector agent is installed, and updates the collector agent configuration if it changes.

View Answer

Q8. View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting.Games). Based on this configuration, which statement is true?

A. Addicting.Games is allowed based on the Application Overrides configuration.

B. Addicting.Games is blocked based on the Filter Overrides configuration.

C. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt.

D. Addicting.Games is allowed based on the Categories configuration.

View Answer

Q9. Which statement is true regarding the policy ID numbers of firewall policies?

A. Change when firewall policies are re-ordered.

B. Defines the order in which rules are processed.

C. Are required to modify a firewall policy from the CLI.

D. Represent the number of objects used in the firewall policy.

View Answer

Q10. You are tasked to architect a new IPsec deployment with the following criteria:

- There are two HQ sites that all satellite offices must connect to.

- The satellite offices do not need to communicate directly with other satellite offices.

- No dynamic routing will be used.

- The design should minimize the number of tunnels being configured. Which topology should be used to satisfy all of the requirements?

A. Redundant

B. Hub-and-spoke

C. Partial mesh

D. Fully meshed

View Answer