NSE4 Exam - Fortinet Network Security Expert 4 Written Exam (400)

certleader.com

Q1. - (Topic 4) 

Which statement regarding the firewall policy authentication timeout is true? 

A. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP. 

B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired. 

C. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC. 

D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired. 

Answer:

Q2. - (Topic 12) 

A FortiGate is configured with multiple VDOMs. An administrative account on the device has been assigned a Scope value of VDOM:root. 

Which of the following settings will this administrator be able to configure? (Choose two.) 

A. Firewall addresses. 

B. DHCP servers. 

C. FortiGuard Distribution Network configuration. 

D. System hostname. 

Answer: A,B 

Q3. - (Topic 3) 

Which header field can be used in a firewall policy for traffic matching? 

A. ICMP type and code. 

B. DSCP. 

C. TCP window size. 

D. TCP sequence number. 

Answer:

Q4. - (Topic 7) 

Which antivirus inspection mode must be used to scan SMTP, FTP, POP3 and SMB protocols? 

A. Proxy-based. 

B. DNS-based. 

C. Flow-based. 

D. Man-in-the-middle. 

Answer:

Q5. - (Topic 6) 

An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration? 

A. The IPsec firewall policies must be placed at the top of the list. 

B. This VPN cannot be used as part of a hub and spoke topology. 

C. Routes are automatically created based on the quick mode selectors. 

D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed. 

Answer:

Q6. - (Topic 6) 

Which IPsec configuration mode can be used for implementing GRE-over-IPsec VPNs?. 

A. Policy-based only. 

B. Route-based only. 

C. Either policy-based or route-based VPN. 

D. GRE-based only. 

Answer:

Q7. - (Topic 2) 

Regarding the header and body sections in raw log messages, which statement is correct? 

A. The header and body section layouts change depending on the log type. 

B. The header section layout is always the same regardless of the log type. The body section layout changes depending on the log type. 

C. Some log types include multiple body sections. 

D. Some log types do not include a body section. 

Answer:

Q8. - (Topic 6) 

You are the administrator in charge of a FortiGate acting as an IPsec VPN gateway using route-based mode. Users from either side must be able to initiate new sessions. There is only 1 subnet at either end and the FortiGate already has a default route. 

Which two configuration steps are required to achieve these objectives? (Choose two.) 

A. Create one firewall policy. 

B. Create two firewall policies. 

C. Add a route to the remote subnet. 

D. Add two IPsec phases 2. 

Answer: B,C 

Q9. - (Topic 13) 

In transparent mode, forward-domain is an CLI setting associate with ______________. 

A. a static route. 

B. a firewall policy. 

C. an interface. 

D. a virtual domain. 

Answer:

Q10. - (Topic 11) 

When does a FortiGate load-share traffic between two static routes to the same destination subnet? 

A. When they have the same cost and distance. 

B. When they have the same distance and the same weight. 

C. When they have the same distance and different priority. 

D. When they have the same distance and same priority. 

Answer: