2024年最新のに更新された検証済みの合格させるNSE4_FGT-7.2リアル試験問題と解答
問題集返金保証付きのNSE4_FGT-7.2問題集公式問題集
質問 # 57
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
- A. The next-hop IP address is unreachable.
- B. It matched an explicitly configured firewall policy with the action DENY.
- C. It failed the RPF check .
- D. It matched the default implicit firewall policy.
正解:D
解説:
Explanation
https://kb.fortinet.com/kb/documentLink.do?externalID=13900
質問 # 58
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to the application category only.
- B. It limits the scanning of application traffic to the DNS protocol only.
- C. It limits the scanning of application traffic to use parent signatures only.
- D. It limits the scanning of application traffic to the browser-based technology category only.
正解:D
解説:
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode
質問 # 59
Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200. 1. 1/24. The LAN (port2) interface has the IP address 10.0. 1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0. 1. 10/24?
- A. Any available IP address in the WAN (port1) subnet 10.200. 1.0/24
66 of 108 - B. 10.0. 1.254
- C. 10.200. 1. 10
- D. 10.200. 1. 1
正解:C
解説:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.
質問 # 60
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?
- A. On HQ-FortiGate, enable Auto-negotiate.
- B. On HQ-FortiGate, set Encryption to AES256.
- C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
- D. On Remote-FortiGate, set Seconds to 43200.
正解:B
質問 # 61
Refer to the exhibit.
Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)
- A. Traffic between port2 and port2-vlan1 is allowed by default.
- B. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
- C. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
- D. port1 is a native VLAN.
正解:B、D
解説:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883
質問 # 62
Refer to the exhibit to view the application control profile.
Based on the configuration, what will happen to Apple FaceTime?
- A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration
- B. Apple FaceTime will be allowed, based on the Categories configuration.
- C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn
- D. Apple FaceTime will be allowed, based on the Apple filter configuration.
正解:A
質問 # 63
Which two statements are true when FortiGate is in transparent mode? (Choose two.)
- A. FortiGate forwards frames without changing the MAC address.
- B. Static routes are required to allow traffic to the next hop.
- C. By default, all interfaces are part of the same broadcast domain.
- D. The existing network IP schema must be changed when installing a transparent mode.
正解:A、C
解説:
Reference:
attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113
質問 # 64
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?
- A. IP address
- B. Once Internet Service is selected, no other object can be added
- C. FQDN address
- D. User or User Group
正解:B
質問 # 65
In an explicit proxy setup, where is the authentication method and database configured?
- A. Proxy Policy
- B. Authentication scheme
- C. Firewall Policy
- D. Authentication Rule
正解:B
質問 # 66
Refer to the exhibit.
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem .
With this configuration, which statement is true?
- A. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.
- B. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
- C. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
- D. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
正解:C
質問 # 67
Refer to the exhibit.



The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200. 1. 1/24.
The LAN (port3) interface has the IP address 10.0. 1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0. 1. 10) pings the IP address of Remote-FortiGate (10.200.3. 1)?
- A. 10.200. 1. 149
- B. 10.200. 1.49
- C. 10.200. 1.99
- D. 10.200. 1. 1
正解:C
質問 # 68
Examine this FortiGate configuration:
How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?
- A. It always authorizes the traffic without requiring authentication.
- B. It authenticates the traffic using the authentication scheme SCHEME2.
- C. It authenticates the traffic using the authentication scheme SCHEME1.
- D. It drops the traffic.
正解:C
解説:
Explanation
"What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting"
質問 # 69
Which statement about video filtering on FortiGate is true?
- A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
- B. its available only on a proxy-based firewall policy.
- C. It does not require a separate FortiGuard license.
- D. Full SSL inspection is not required.
正解:B
解説:
FortiGate Security 7.2 Study Guide (p.279): "To apply the video filter profile, proxy-based firewall polices currently allow you to enable the video filter profile. You must enable full SSL inspection on the firewall policy."
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/860867/filtering-based-on-fortiguard-categories
質問 # 70
Refer to the exhibit.
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.
Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)
- A. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.
- B. The configured participants are not SD-WAN members.
- C. The Detection Mode setting is not set to Passive.
- D. The Enable probe packets setting is not enabled.
正解:A、D
質問 # 71
Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)
- A. SSL inspection and authentication policy
- B. Security policy
正解:A、B
質問 # 72
How does FortiGate act when using SSL VPN in web mode?
- A. FortiGate acts as router.
- B. FortiGate acts as an HTTP reverse proxy.
- C. FortiGate acts as DNS server.
- D. FortiGate acts as an FDS server.
正解:B
解説:
Reference:
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/Fortigate_v4.0MR3/fortigate-sslvpn-40-mr3.pdf
質問 # 73
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
- A. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
- B. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
- C. FortiGate automatically negotiates a new security association after the existing security association expires.
- D. FortiGate automatically negotiates different local and remote addresses with the remote peer.
正解:A
解説:
https://kb.fortinet.com/kb/documentLink.do?externalID=12069
質問 # 74
Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
- A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
- B. The traffic sourced from the client and destined to the server is sent to FGT-1.
- C. The cluster can load balance ICMP connections to the secondary.
- D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
正解:A、B
質問 # 75
An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?
- A. VLAN interface
- B. Aggregate interface
- C. Redundant interface
- D. Software Switch interface
正解:B
解説:
An aggregate interface is a logical interface that combines two or more physical interfaces into one virtual interface1. An aggregate interface can increase network bandwidth and provide redundancy by distributing traffic across multiple physical interfaces using a load balancing algorithm1. An aggregate interface can also support link aggregation control protocol (LACP) to negotiate the link aggregation settings with the connected device1.
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/567758/aggregation-and-redundancy
質問 # 76
View the exhibit.
Which of the following statements are correct? (Choose two.)
- A. This is a redundant IPsec setup.
- B. This setup requires at least two firewall policies with the action set to IPsec.
- C. Dead peer detection must be disabled to support this type of IPsec setup.
- D. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
正解:A、D
解説:
https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/632796/ospf-with-ipsec-vpn-for-network-redundancy
質問 # 77
Which two statements describe how the RPF check is used? (Choose two.)
- A. The RPF check is run on the first sent packet of any new session.
- B. The RPF check is run on the first reply packet of any new session.
- C. The RPF check is run on the first sent and reply packet of any new session.
- D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
正解:A、D
解説:
FortiGate Infrastructure 7.2 Study Guide (p.41): "The RPF check is a mechanism that protects FortiGate and your network from IP spoofing attacks by checking for a return path to the source in the routing table." "FortiGate performs an RPF check only on the first packet of a new session. That is, after the first packet passes the RPF check and FortiGate accepts the session, FortiGate doesn't perform any additional RPF checks on that session." A) The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
This is true because the RPF check verifies that the source IP address of an incoming packet matches the reverse route for that address, meaning that the packet came from a legitimate source and not from an attacker who is trying to impersonate another host. This prevents IP spoofing attacks, where an attacker sends packets with a forged source IP address to bypass security policies or launch denial-of-service attacks1 C) The RPF check is run on the first sent packet of any new session.
This is true because the RPF check is performed only once per session, on the first packet sent by either the client or the server, depending on the direction of the session initiation. This reduces the processing overhead and improves performance2
質問 # 78
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)
- A. FortiGate hostname
- B. NTP
- C. DNS
- D. FortiGuard web filter cache
正解:B、C
質問 # 79
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?
- A. By default, split tunneling is enabled.
- B. By default, the SSL VPN portal requires the installation of a client's certificate.
- C. By default, FortiGate uses WINS servers to resolve names.
- D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.
正解:D
質問 # 80
When configuring a firewall virtual wire pair policy, which following statement is true?
- A. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
- B. Exactly two virtual wire pairs need to be included in each policy.
- C. Only a single virtual wire pair can be included in each policy.
- D. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
正解:A
質問 # 81
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
- A. The IPS engine will continue to run in a normal state.
- B. The IPS engine was unable to prevent an intrusion attack .
- C. The IPS engine was blocking all traffic.
- D. The IPS engine was inspecting high volume of traffic.
正解:D
質問 # 82
......
更新されたPDF(2024年最新)実際にあるFortinet NSE4_FGT-7.2試験問題:https://jp.fast2test.com/NSE4_FGT-7.2-premium-file.html
検証済みのNSE4_FGT-7.2試験問題集PDF[2024年最新] 成功の秘訣はFast2test:https://drive.google.com/open?id=1sykZ8Vr6kayOctfL0PRhVs75KcZIh1ZZ