NSE4_FGT-7.2リアルな試験問題NSE4_FGT-7.2練習問題集 [Q34-Q57]

Share

NSE4_FGT-7.2リアルな試験問題NSE4_FGT-7.2練習問題集

厳密検証されたNSE4_FGT-7.2試験問題集と解答で無料提供のNSE4_FGT-7.2問題と正解付き


Fortinet NSE 4 - FortiOS 7.2認定試験(NSE4_FGT-7.2とも呼ばれます)は、Fortinetセキュリティソリューションの実装と管理におけるスキルと知識を検証したいネットワークセキュリティのプロフェッショナル向けに設計されています。この試験では、候補者のFortiGateデバイスの設定とトラブルシューティング、FortiAnalyzer、FortiManager、FortiAuthenticator、FortiClientの展開、およびFortiGateポリシーの実装能力が試されます。この認定試験に合格することは、候補者がFortinetセキュリティソリューションを管理するために必要なスキルと専門知識を持っていることを示し、ビジネスがサイバー脅威からネットワークを保護するのに役立ちます。


Fortinet NSE4_FGT-7.2認定は、Fortinetセキュリティソリューションを使用して複雑なネットワークセキュリティの課題を処理できることを示すために高く評価されています。この認定はグローバルに認められ、NSE5やNSE7などの上位のFortinet認定の前提条件となります。認定試験は複数の言語で利用可能であり、オンラインまたはPearson VUEテストセンターで受験できます。試験に合格した候補者は、証明書とソーシャルメディアプラットフォームやプロフェッショナルネットワーキングサイトで共有できるデジタルバッジを受け取ります。NSE4_FGT-7.2認定を取得することで、ネットワークセキュリティ専門家はキャリアアップし、収入を増やすことができます。

 

質問 # 34
Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

  • A. Read/Write permission for Firewall
  • B. Read/Write permission for Log & Report
  • C. Custom permission for Network
  • D. CLI diagnostics commands permission

正解:D

解説:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50220


質問 # 35
Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.


If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  • A. 10.0.1.254, 10.0.1.10, and 10443, respectively
  • B. 10.0.1.254, 10.0.1.10, and 443, respectively
  • C. 10.200.3.1, 10.0.1.10, and 443, respectively

正解:C


質問 # 36
Which three statements explain a flow-based antivirus profile? (Choose three.)

  • A. If a virus is detected, the last packet is delivered to the client.
  • B. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
  • C. Flow-based inspection optimizes performance compared to proxy-based inspection.
  • D. The IPS engine handles the process as a standalone.
  • E. FortiGate buffers the whole file but transmits to the client at the same time.

正解:B、C、E


質問 # 37
Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem .
With this configuration, which statement is true?

  • A. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  • B. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
  • C. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
  • D. A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

正解:C


質問 # 38
An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

  • A. A session for denied traffic is created.
  • B. The number of logs generated by denied traffic is reduced.
  • C. Device detection on all interfaces is enforced for 30 minutes.
  • D. Denied users are blocked for 30 minutes.

正解:A、B

解説:
Explanation
ses-denied-traffic
Enable/disable including denied session in the session table.
https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/20620/config-system-settings block-session-timer Duration in seconds for blocked sessions .
integer
Minimum value: 1 Maximum value: 300
30
https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/1620/config-system-global


質問 # 39
Which statement correctly describes the use of reliable logging on FortiGate?

  • A. Reliable logging is required to encrypt the transmission of logs.
  • B. Reliable logging prevents the loss of logs when the local disk is full.
  • C. Reliable logging is enabled by default in all configuration scenarios.
  • D. Reliable logging can be configured only using the CLI.

正解:A

解説:
FortiGate Security 7.2 Study Guide (p.192): "if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecure network. You can choose the level of SSL protection used by configuring the enc-algorithm setting on the CLI."


質問 # 40
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

  • A. The strict RPF check is run on the first sent and reply packet of any new session.
  • B. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
  • C. Strict RPF checks the best route back to the source using the incoming interface.
  • D. Strict RPF allows packets back to sources with all active routes.

正解:B


質問 # 41
Which statement about the IP authentication header (AH) used by IPsec is true?

  • A. AH does not support perfect forward secrecy.
  • B. AH provides strong data integrity but weak encryption.
  • C. AH provides data integrity bur no encryption.
  • D. AH does not provide any data integrity or encryption.

正解:C


質問 # 42
Refer to the exhibit.

Which contains a network diagram and routing table output.
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

  • A. The first packet sent from Student failed the RPF check.
    This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.
  • B. The first reply packet for Student failed the RPF check .
    This issue can be resolved by adding a static route to 203.0. 114.24/32 through port3.
  • C. The first reply packet for Student failed the RPF check.
    This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
  • D. The first packet sent from Student failed the RPF check.
    This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

正解:A


質問 # 43
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.
What is the reason for the failed virus detection by FortiGate?

  • A. The website is exempted from SSL inspection.
  • B. The selected SSL inspection profile has certificate inspection enabled.
  • C. The EICAR test file exceeds the protocol options oversize limit.
  • D. The browser does not trust the FortiGate self-signed CA certificate.

正解:A、D

解説:
https traffic requires SSL decryption. Check the ssh inspection profile


質問 # 44
The IPS engine is used by which three security features? (Choose three.)

  • A. Application control
  • B. Web filter in flow-based inspection
  • C. Antivirus in flow-based inspection
  • D. Web application firewall
  • E. DNS filter

正解:A、B、C

解説:
FortiGate Security 7.2 Study Guide (p.385): "The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. It's also responsible for application control, flow-based antivirus protection, web filtering, and email filtering."


質問 # 45
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192. 168. 1.0/24 and the remote quick mode selector is 192. 168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

  • A. 192. 168. 1.0/24
  • B. 192. 168.0.0/24
  • C. 192. 168.3.0/24
  • D. 192. 168.2.0/24

正解:D

解説:
For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B.
To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A.
Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.


質問 # 46
Which statement describes a characteristic of automation stitches?

  • A. They can be created on any device in the fabric.
  • B. They can run multiple actions simultaneously.
  • C. They can be run only on devices in the Security Fabric.
  • D. They can have one or more triggers.

正解:B

解説:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/351998/creating-automation-stitches


質問 # 47
Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

What are two solutions for satisfying the requirement? (Choose two.)

  • A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
  • B. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
  • C. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
  • D. Set the Freeware and Software Downloads category Action to Warning.

正解:B、C

解説:
FortiGate Security 7.2 Study Guide (p.268-269): "If you want to make an exception, for example, rather than unblock access to a potentially unwanted category, change the website to an allowed category. You can also do the reverse. You can block a website that belongs to an allowed category." "Static URL filtering is another web filter feature. Configured URLs in the URL filter are checked against the visited websites. If a match is found, the configured action is taken. URL filtering has the same patterns as static domain filtering: simple, regular expressions, and wildcard." B) Configure a web override rating for download.com and select Malicious Websites as the subcategory.
This is true because a web override rating is a feature that allows the administrator to change the FortiGuard category of a specific website or domain, and apply a different action to it based on the web filter profile. By configuring a web override rating for download.com and selecting Malicious Websites as the subcategory, the administrator can block access to download.com, which belongs to the Freeware and Software Downloads category by default, without affecting other websites in the same category. The Malicious Websites category has the action Block in the web filter profile shown in the exhibit.
D) Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
This is true because a static URL filter entry is a feature that allows the administrator to define custom rules for filtering specific URLs or domains, and apply an action to them based on the web filter profile. By configuring a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively, the administrator can block access to download.com and any subdomains or paths under it, without affecting other websites in the Freeware and Software Downloads category. The static URL filter entries have higher priority than the FortiGuard category based filter entries in the web filter profile.


質問 # 48
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?

  • A. Disabled
  • B. On Demand
  • C. Enabled
  • D. On Idle

正解:D


質問 # 49
What are two features of collector agent advanced mode? (Choose two.)

  • A. Advanced mode uses the Windows convention-NetBios: Domain\Username.
  • B. In advanced mode, security profiles can be applied only to user groups, not individual users.
  • C. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
  • D. Advanced mode supports nested or inherited groups.

正解:C、D

解説:
A) In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
This is true because advanced mode allows FortiGate to query the LDAP server directly for user information and group membership, without relying on the collector agent. This enables FortiGate to apply security policies based on LDAP group filters, which can be configured on FortiGate1 D) Advanced mode supports nested or inherited groups.
This is true because advanced mode can handle complex group structures, such as nested groups or inherited groups, where a user belongs to a group that is a member of another group. This allows FortiGate to apply security policies based on the effective group membership of a user, not just the direct group membership1 FortiGate Infrastructure 7.2 Study Guide (p.146): "Also, advanced mode supports nested or inherited groups; that is, users can be members of subgroups that belong to monitored parent groups." "In advanced mode, you can configure FortiGate as an LDAP client and configure the group filters on FortiGate. You can also configure group filters on the collector agent."


質問 # 50
Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

  • A. Change Administrator profile
  • B. Enable restrict access to trusted hosts
  • C. Change password
  • D. Enable two-factor authentication

正解:A


質問 # 51
Which two statements describe how the RPF check is used? (Choose two.)

  • A. The RPF check is run on the first sent and reply packet of any new session.
  • B. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
  • C. The RPF check is run on the first reply packet of any new session.
  • D. The RPF check is run on the first sent packet of any new session.

正解:B、D

解説:
FortiGate Infrastructure 7.2 Study Guide (p.41): "The RPF check is a mechanism that protects FortiGate and your network from IP spoofing attacks by checking for a return path to the source in the routing table." "FortiGate performs an RPF check only on the first packet of a new session. That is, after the first packet passes the RPF check and FortiGate accepts the session, FortiGate doesn't perform any additional RPF checks on that session." A) The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
This is true because the RPF check verifies that the source IP address of an incoming packet matches the reverse route for that address, meaning that the packet came from a legitimate source and not from an attacker who is trying to impersonate another host. This prevents IP spoofing attacks, where an attacker sends packets with a forged source IP address to bypass security policies or launch denial-of-service attacks1 C) The RPF check is run on the first sent packet of any new session.
This is true because the RPF check is performed only once per session, on the first packet sent by either the client or the server, depending on the direction of the session initiation. This reduces the processing overhead and improves performance2


質問 # 52
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  • A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • B. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • C. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
  • D. FortiGate automatically negotiates a new security association after the existing security association expires.

正解:C

解説:
Explanation
https://kb.fortinet.com/kb/documentLink.do?externalID=12069


質問 # 53
An administrator wants to configure timeouts for users. Regardless of the userTMs behavior, the timer should start as soon as the user authenticates and expire after the configured value.
Which timeout option should be configured on FortiGate?

  • A. hard-timeout
  • B. new-session
  • C. auth-on-demand
  • D. soft-timeout
  • E. idle-timeout

正解:A


質問 # 54
Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  • A. There will be eight routes active in the routing table.
  • B. The port1 and port2 default routes are active in the routing table.
  • C. The port3 default route has the lowest metric.
  • D. The ports default route has the highest distance.

正解:B、D

解説:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-identify-Inactive-Routes-in-the-Routing/ta-p/197595


質問 # 55
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

  • A. The interface has been configured for one-arm sniffer.
  • B. The interface is a member of a zone.
  • C. The interface is a member of a virtual wire pair.
  • D. The operation mode is transparent.
  • E. Captive portal is enabled in the interface.

正解:A、C、D

解説:
Explanation
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_VirtualWirePair.htm


質問 # 56
Refer to exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

  • A. On the FortiGuard Category Based Filter Action to Warning for Social Networking
  • B. On the Static URL Filter configuration, set Type to Simple
  • C. On the Static URL Filter configuration, set Action to Monitor.
  • D. On the Static URL Filter configuration, set Action to Exempt.

正解:D


質問 # 57
......

無料でゲット!高評価Fortinet NSE4_FGT-7.2試験問題集を今すぐダウンロード!:https://jp.fast2test.com/NSE4_FGT-7.2-premium-file.html

あなたを合格させるNSE4_FGT-7.2無料最新問題集でFortinet練習テストしよう:https://drive.google.com/open?id=1nvEajaG2sDer4DpkT9VngkKi1EffUSQg


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어