2024年08月 Fortinet NSE4_FGT-7.2実際の問題とブレーン問題集
NSE4_FGT-7.2合格させる問題集でFortinet24時間で試験合格できます
Fortinet NSE4_FGT-7.2 (Fortinet NSE 4 - FortiOS 7.2) 試験は、Fortinet のセキュリティソリューションに熟練した IT プロフェッショナルが能力を証明するための認定試験です。この試験は、FortiGate ファイアウォール、FortiAnalyzer、FortiManager、およびその他の関連製品を含む Fortinet セキュリティ製品を構成および管理するために必要な知識とスキルをテストするために設計されています。試験は、ネットワークセキュリティ、ファイアウォールポリシー、VPN、SSL 検査、ウェブフィルタリングなどのトピックをカバーしています。
Fortinet NSE4_FGT-7.2 認定試験は、ネットワークセキュリティの概念、ファイアウォールポリシー、VPN、ユーザー認証、Fortinetセキュリティソリューションなど、幅広いトピックをカバーしています。この試験は、一般的なネットワークセキュリティの脅威を特定し、セキュリティポリシーと手順を実装し、Fortinetセキュリティソリューションを構成するための知識とスキルを候補者が持っているかどうかをテストするために設計されています。この認定試験は、ネットワークセキュリティの専門家、システム管理者、サイバーセキュリティの分野でキャリアを発展させたいITプロフェッショナルに適しています。
質問 # 26
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)
- A. On HQ-FortiGate, disable Diffie-Helman group 2.
- B. On HQ-FortiGate, set IKE mode to Main (ID protection).
- C. On both FortiGate devices, set Dead Peer Detection to On Demand.
- D. On Remote-FortiGate, set port2 as Interface.
正解:B、D
解説:
"In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel."
質問 # 27
FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating for the home page? (Choose two.)
- A. www.example.com/index.html
- B. www.example.com:443
- C. www.example.com
- D. example.com
正解:C、D
解説:
When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names - no URLs or wildcard characters are allowed.
OK: google.com or www.google.com
NO OK: www.google.com/index.html or google.*
FortiGate_Security_6.4 page 384
When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names-- "no URLs or wildcard characters are allowed".
質問 # 28
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?
- A. It uses DNS over HTTPS.
- B. It uses UDP 8888.
- C. It uses DNS overTLS.
- D. It uses UDP 53.
正解:C
解説:
FortiGate Security 7.2 Study Guide (p.15): "When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic." When using FortiGuard servers for DNS, FortiOS defaults to using DNS over TLS (DoT) to secure the DNS traffic1. DNS over TLS is a protocol that encrypts and authenticates DNS queries and responses using the Transport Layer Security (TLS) protocol2. This prevents eavesdropping, tampering, and spoofing of DNS data by third parties.
The default FortiGuard DNS servers are 96.45.45.45 and 96.45.46.46, and they use the hostname globalsdns.fortinet.net1. The FortiGate verifies the server hostname using the server-hostname setting in the system dns configuration1.
質問 # 29
Refer to the web filter raw logs.
Based on the raw logs shown in the exhibit, which statement is correct?
- A. Access to the social networking web filter category was explicitly blocked to all users.
- B. Social networking web filter category is configured with the action set to authenticate.
- C. The action on firewall policy ID 1 is set to warning.
- D. The name of the firewall policy is all_users_web.
正解:B
質問 # 30
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
- A. NetAPI polling can increase bandwidth usage in large networks.
- B. The NetSession Enum function is used to track user logouts.
- C. The collector agent uses a Windows API to query DCs for user logins.
- D. The collector agent must search security event logs.
正解:B
解説:
FortiGate_Infrastructure_7.0 page 270: "NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function in Windows." Reference:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34906&sliceId=1 FortiGate Infrastructure 7.2 Study Guide (p.128): "NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows. It's faster than the WinSec and WMI methods; however, it can miss some login events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify FortiGate."
質問 # 31
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
- A. FortiSIEM
- B. FortiCloud
- C. FortiCache
- D. FortiSandbox
- E. FortiAnalyzer
正解:A、B、E
解説:
Reference:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-and-reporting-overview
質問 # 32
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?
- A. On HQ-FortiGate, enable Auto-negotiate.
- B. On HQ-FortiGate, set Encryption to AES256.
- C. On HQ-FortiGate, enable Diffie-Hellman Group 2.
- D. On Remote-FortiGate, set Seconds to 43200.
正解:B
質問 # 33
Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)
- A. Destination defined as Internet Services in the firewall policy.
- B. Lowest to highest policy ID number.
- C. Source defined as Internet Services in the firewall policy.
- D. Highest to lowest priority defined in the firewall policy.
- E. Services defined in the firewall policy.
正解:A、C、E
解説:
When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using the following objects:
* Incoming Interface
* Outgoing Interface
* Source: IP address, user, internet services
* Destination: IP address or internet services
* Service: IP protocol and port number
* Schedule: Applies during configured times
質問 # 34
Refer to the exhibit.
Which contains a session list output. Based on the information shown in the exhibit, which statement is true?
- A. Overload NAT IP pool is used in the firewall policy.
- B. One-to-one NAT IP pool is used in the firewall policy.
- C. Destination NAT is disabled in the firewall policy.
- D. Port block allocation IP pool is used in the firewall policy.
正解:B
解説:
Explanation
FortiGate_Security_6.4 page 155 . In one-to-one, PAT is not required.
質問 # 35
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
- A. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
- B. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
- C. The two VLAN subinterfaces must have different VLAN IDs.
- D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
正解:A、C
解説:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883 When FortiGate is operating in NAT mode, it means that it uses network address translation (NAT) to modify the source or destination IP addresses of the traffic passing through it1. NAT mode allows FortiGate to hide the IP addresses of the internal network from the external network, and to conserve IP addresses by using a single public IP address for multiple private IP addresses1.
A virtual LAN (VLAN) subinterface is a logical interface that allows traffic from different VLANs to enter and exit the FortiGate unit2. A VLAN subinterface is created by adding a VLAN ID to a physical interface or an aggregate interface2. A VLAN ID is a numerical identifier that distinguishes one VLAN from another2.
In this scenario, there are two requirements for the VLAN ID of the VLAN subinterfaces added to the same physical interface:
The two VLAN subinterfaces must have different VLAN IDs. This is because the VLAN ID is used to tag the traffic with the appropriate VLAN information, and to separate the traffic into different VLANs2. If the two VLAN subinterfaces have the same VLAN ID, they will not be able to distinguish the traffic from each other, and they will not be able to forward the traffic to the correct destination.
The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs. This is because VDOMs are virtual instances of FortiGate that can have their own interfaces, policies, and routing tables3. Each VDOM operates independently from other VDOMs, and can have its own VLAN subinterfaces with different or identical VLAN IDs3. However, this requires inter-VDOM links to allow traffic between different VDOMs3.
質問 # 36
Refer to the exhibit.
Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)
- A. port1 is a native VLAN.
- B. Traffic between port2 and port2-vlan1 is allowed by default.
- C. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
- D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
正解:A、D
解説:
Explanation
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883
質問 # 37
Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)
- A. Administrators cannot change the configuration.
- B. Administrators can access FortiGate only through the console port.
- C. FortiGate has entered conserve mode.
- D. FortiGate will start sending all files to FortiSandbox for inspection.
正解:A、C
質問 # 38
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
- A. The IPS engine was blocking all traffic.
- B. The IPS engine will continue to run in a normal state.
- C. The IPS engine was unable to prevent an intrusion attack .
- D. The IPS engine was inspecting high volume of traffic.
正解:D
質問 # 39
An administrator is running the following sniffer command:
Which three pieces of Information will be Included in me sniffer output? {Choose three.)
- A. Application header
- B. Ethernet header
- C. IP header
- D. Interface name
- E. Packet payload
正解:C、D、E
質問 # 40
A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not Which configuration option is the most effective way to support this request?
- A. Implement web filter authentication for the specified website.
- B. Implement web filter quotas for the specified website
- C. Implement a web filter category override for the specified website
- D. Implement a DNS filter for the specified website.
正解:A
質問 # 41
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)
- A. Ban or unban compromised hosts.
- B. Log in to a downstream FortiSwitch device.
- C. Disable FortiAnalyzer logging for a downstream FortiGate device.
- D. Shut down/reboot a downstream FortiGate device.
正解:C、D
質問 # 42
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
- A. Strict RPF checks the best route back to the source using the incoming interface.
- B. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
- C. The strict RPF check is run on the first sent and reply packet of any new session.
- D. Strict RPF allows packets back to sources with all active routes.
正解:A
解説:
Strict Reverse Path Forwarding (RPF) is a security feature that is used to detect and prevent IP spoofing attacks on a network. It works by checking the routing information for incoming packets to ensure that they are coming from the source address that is indicated in the packet's header. In strict RPF mode, the firewall will check the best route back to the source of the incoming packet using the incoming interface. If the packet's source address does not match the route back to the source, the packet is dropped. This helps to prevent attackers from spoofing their IP address and attempting to access the network.
質問 # 43
Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster?
(Choose two.)
- A. DNS
- B. NTP
- C. FortiGuard web filter cache
- D. FortiGate hostname
正解:A、B
質問 # 44
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A. It limits the scanning of application traffic to the application category only.
- B. It limits the scanning of application traffic to the browser-based technology category only.
- C. It limits the scanning of application traffic to use parent signatures only.
- D. It limits the scanning of application traffic to the DNS protocol only.
正解:A
解説:
Explanation
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/38324/ngfw-policy-based-mode In policy-based mode on a next-generation firewall (NGFW), you can use a URL list and application control in the same firewall policy to control traffic to and from specific websites or applications. However, there is a limitation to consider when using these features together:
It limits the scanning of application traffic to the application category only: The URL list and application control both rely on the firewall to inspect traffic and make decisions about what to allow or block. However, the URL list is limited to inspecting traffic at the URL level, while the application control can inspect traffic at a deeper level, such as at the application layer. This means that the application control is more comprehensive and can provide more granular control over specific applications, while the URL list is limited to controlling traffic at the URL level.
質問 # 45
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
- A. It matched an explicitly configured firewall policy with the action DENY.
- B. It failed the RPF check .
- C. It matched the default implicit firewall policy.
- D. The next-hop IP address is unreachable.
正解:C
解説:
https://kb.fortinet.com/kb/documentLink.do?externalID=13900
https://www.fortinetguru.com/2016/03/what-is-policy-id-0-and-why-lot-of-denied-traffic-on-this-policy/
質問 # 46
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
- A. NetAPI polling can increase bandwidth usage in large networks.
- B. The NetSession Enum function is used to track user logouts.
- C. The collector agent uses a Windows API to query DCs for user logins.
- D. The collector agent must search security event logs.
正解:B
解説:
Explanation
FortiGate_Infrastructure_7.0 page 270: "NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function in Windows."
質問 # 47
Refer to the exhibit.
Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?
- A. Traffic matching the signature will be allowed and logged.
- B. The signature setting includes a group of other signatures.
- C. The signature setting uses a custom rating threshold.
- D. Traffic matching the signature will be silently dropped and logged.
正解:D
解説:
Select Block to silently drop traffic matching any of the signatures included in the entry. So, while the default action would be 'Pass' for this signature the administrator is specifically overriding that to set the Block action. To use the default action the setting would have to be 'Default'.
FortiGate Security 7.2 Study Guide (p.394): "Select Allow to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in the entry. Select Reset to generate a TCP RST packet whenever the signature is triggered. Select Default to use the default action of the signatures." "If you enable Packet logging, FortiGate saves a copy of the packet that matches the signature." Action is drop, signature default action is listed only in the signature, it would only match if action was set to default.
質問 # 48
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
- A. It matched an explicitly configured firewall policy with the action DENY.
- B. It failed the RPF check .
- C. It matched the default implicit firewall policy.
- D. The next-hop IP address is unreachable.
正解:C
解説:
Explanation
https://kb.fortinet.com/kb/documentLink.do?externalID=13900
質問 # 49
......
最新問題をダウンロードNSE4_FGT-7.2問題集で2024年最新のNSE4_FGT-7.2試験問題集:https://jp.fast2test.com/NSE4_FGT-7.2-premium-file.html
最新問題を使おうNSE4_FGT-7.2試験問題と解答PDFで一年間無料更新:https://drive.google.com/open?id=1sykZ8Vr6kayOctfL0PRhVs75KcZIh1ZZ