更新された2023年12月テストエンジン練習NSE4_FGT-7.2問題集と練習試験合格させます [Q100-Q119]

Share

更新された2023年12月テストエンジン練習NSE4_FGT-7.2問題集と練習試験合格させます

問題集お試しセットNSE4_FGT-7.2テストエンジンで問題集トレーニングには175問あります

質問 # 100
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

  • A. Pre-shared key and certificate signature as authentication methods
  • B. No certificate is required on the remote peer when you set the certificate signature as the authentication method
  • C. Extended authentication (XAuth) to request the remote peer to provide a username and password
  • D. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged

正解:A、C

解説:
B) Extended authentication (XAuth) to request the remote peer to provide a username and password This is true because extended authentication (XAuth) is a feature that allows FortiGate to request the remote peer to provide a username and password during the IPsec IKEv1 authentication process. XAuth is an extension of the IKEv1 protocol that adds an additional authentication step after the main mode or aggressive mode exchange. XAuth can be used with either pre-shared key or certificate signature as the primary authentication method, and it can provide stronger security and granular access control for IPsec VPNs12 D) Pre-shared key and certificate signature as authentication methods This is true because pre-shared key and certificate signature are two authentication methods that are supported by FortiGate for IPsec IKEv1 VPNs. Pre-shared key is a method where both peers share a secret key that is used to authenticate each other during the IKEv1 exchange. Certificate signature is a method where both peers have digital certificates that are used to verify each other's identity and public key during the IKEv1 exchange. Both methods can be combined with XAuth for additional authentication


質問 # 101
Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200. 1. 1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0. 1. 10?

  • A. 10.200. 1. 1
  • B. 10.200. 1. 100
  • C. 10.200. 1. 10
  • D. 10.200.3. 1

正解:B

解説:
Policy 1 is applied on outbound (LAN-WAN) and policy 2 is applied on inbound (WAN-LAN). question is asking SNAT for outbound traffic so policy 1 will take place and NAT overload is in effect.


質問 # 102
Refer to the exhibit.
Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

  • A. Social networking web filter category is configured with the action set to authenticate.
  • B. Access to the social networking web filter category was explicitly blocked to all users.
  • C. The name of the firewall policy is all_users_web.
  • D. The action on firewall policy ID 1 is set to warning.

正解:A


質問 # 103
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

  • A. NetAPI polling can increase bandwidth usage in large networks.
  • B. The collector agent uses a Windows API to query DCs for user logins.
  • C. The NetSession Enum function is used to track user logouts.
  • D. The collector agent must search security event logs.

正解:C

解説:
FortiGate_Infrastructure_7.0 page 270: "NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function in Windows." Reference:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34906&sliceId=1


質問 # 104
Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

  • A. To finish any inspection operations
  • B. To generate logs
  • C. To allow for out-of-order packets that could arrive after the FIN/ACK packets
  • D. To remove the NAT operation

正解:C

解説:
Explanation
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.


質問 # 105
Which two types of traffic are managed only by the management VDOM? (Choose two.)

  • A. Traffic shaping
  • B. PKI
  • C. FortiGuard web filter queries
  • D. DNS

正解:C、D

解説:
FortiGate Infrastructure 7.2 Study Guide (p.73): "What about traffic originating from FortiGate? Some system daemons, such as NTP and FortiGuard updates, generate traffic coming from FortiGate. Traffic coming from FortiGate to those global services originates from the management VDOM. One, and only one, of the VDOMs on a FortiGate device is assigned the role of the management VDOM. It is important to note that the management VDOM designation is solely for traffic originated by FortiGate, such as FortiGuard updates, and has no effect on traffic passing through FortiGate."


質問 # 106
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.


If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  • A. 10.0.1.254, 10.0.1.10, and 443, respectively
  • B. 10.0.1.254, 10.0.1.10, and 10443, respectively
  • C. 10.200.3.1, 10.0.1.10, and 443, respectively

正解:C


質問 # 107
Which scanning technique on FortiGate can be enabled only on the CLI?

  • A. Heuristics scan
  • B. Trojan scan
  • C. Ransomware scan
  • D. Antivirus scan

正解:A


質問 # 108
In which two ways can RPF checking be disabled? (Choose two )

  • A. Enable anti-replay in firewall policy.
  • B. Disable the RPF check at the FortiGate interface level for the source check
  • C. Enable asymmetric routing.
  • D. Disable strict-arc-check under system settings.

正解:C、D


質問 # 109
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster?
(Choose two.)

  • A. NTP
  • B. DNS
  • C. FortiGuard web filter cache
  • D. FortiGate hostname

正解:A、B


質問 # 110
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

  • A. FortiGate uses the AD server as the collector agent.
  • B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
  • C. FortiGate queries AD by using the LDAP to retrieve user group information.
  • D. FortiGate points the collector agent to use a remote LDAP server.

正解:B、C

解説:
Explanation
Fortigate Infrastructure 7.0 Study Guide P.272-273
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732


質問 # 111
Refer to the exhibits.
Exhibit A.

Exhibit B.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric.
After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

  • A. Change the csf setting on ISFW (downstream) to set fabric-object-unification default.
  • B. Change the csf setting on ISFW (downstream) to set configuration-sync local.
  • C. Change the csf setting on Local-FortiGate (root) to set configuration-sync local.
  • D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

正解:D


質問 # 112
Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

  • A. Traffic matching the signature will be allowed and logged.
  • B. The signature setting uses a custom rating threshold.
  • C. Traffic matching the signature will be silently dropped and logged.
  • D. The signature setting includes a group of other signatures.

正解:C

解説:
Select Block to silently drop traffic matching any of the signatures included in the entry. So, while the default action would be 'Pass' for this signature the administrator is specifically overriding that to set the Block action. To use the default action the setting would have to be 'Default'.
Action is drop, signature default action is listed only in the signature, it would only match if action was set to default.


質問 # 113
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

  • A. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • B. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • C. On Remote-FortiGate, set port2 as Interface.
  • D. On HQ-FortiGate, disable Diffie-Helman group 2.

正解:B、C


質問 # 114
Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is true?

  • A. One-to-one NAT IP pool is used in the firewall policy.
  • B. Overload NAT IP pool is used in the firewall policy.
  • C. Port block allocation IP pool is used in the firewall policy.
  • D. Destination NAT is disabled in the firewall policy.

正解:A

解説:
Explanation
FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.


質問 # 115
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?

  • A. Static URL filter, FortiGuard category filter, and advanced filters
  • B. DNS-based web filter and proxy-based web filter
  • C. Static domain filter, SSL inspection filter, and external connectors filters
  • D. FortiGuard category filter and rating filter

正解:A

解説:
FortiGate Security 7.2 Study Guide (p.285): "Remember that the web filtering profile has several features. So, if you have enabled many of them, the inspection order flows as follows: 1. The local static URL filter 2. FortiGuard category filtering (to determine a rating) 3. Advanced filters (such as safe search or removing Active X components)"


質問 # 116
Refer to the exhibit.
Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

  • A. A local FortiManager is one of the servers FortiGate communicates with.
  • B. One server was contacted to retrieve the contract information.
  • C. FortiGate is using default FortiGuard communication settings.
  • D. There is at least one server that lost packets consecutively.

正解:B、C

解説:
FortiGate Security 7.2 Study Guide (p.287-288): "Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)" "By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with FortiGuard or FortiManager. Other ports and protocols are available by disabling the FortiGuard anycast setting on the CLI."


質問 # 117
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?

  • A. Security logs
  • B. Forward traffic logs
  • C. System event logs
  • D. Local traffic logs

正解:D

解説:
Reference:
Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
FortiGate Security 7.2 Study Guide (p.176): "Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to the GUI and FortiGuard queries."


質問 # 118
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection?
(Choose two.)

  • A. The keyUsage extension must be set to keyCertSign.
  • B. The issuer must be a public CA.
  • C. The CA extension must be set to TRUE.
  • D. The common name on the subject field must use a wildcard name.

正解:A、C

解説:
Explanation
"In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."


質問 # 119
......

Fortinet NSE4_FGT-7.2問題集カバー率リアル試験問題:https://jp.fast2test.com/NSE4_FGT-7.2-premium-file.html

リアルNSE4_FGT-7.2問題集でFortinet問題集PDF:https://drive.google.com/open?id=1sykZ8Vr6kayOctfL0PRhVs75KcZIh1ZZ


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어