NSE4_FGT-7.2 Exam Questions

Total 168 Questions

Last Updated Exam : 15-Apr-2025

What are two functions of the ZTNA rule? (Choose two.)


A. It redirects the client request to the access proxy.


B. It applies security profiles to protect traffic.


C. It defines the access proxy. 


D. It enforces access control.





B.
  It applies security profiles to protect traffic.

D.
  It enforces access control.

A ZTNA rule is a proxy policy that enforces access control and applies security profiles to the traffic between the client and the access proxy. A ZTNA rule defines the following parameters:
Incoming interface: The interface that receives the client request.
Source: The address and user group of the client.
ZTNA tag: The FortiClient EMS tag or tag group (the endpoint's security posture, as reported by EMS) that the client must match.
ZTNA server: The ZTNA server object (the access proxy) that the rule is evaluated for; it is selected as the destination of the rule.
Destination: The address of the application that the client wants to access.
Action: The action to take for the traffic that matches the rule: accept or deny.
Security profiles: The security features to apply to the traffic, such as antivirus, web filter, application control, and so on.
A ZTNA rule does not itself redirect the client request to the access proxy: the ZTNA-aware client (FortiClient) connects directly to the external address and port published by the ZTNA server object, and the rule is evaluated once that connection arrives. Nor does the rule define the access proxy; that is done by creating a ZTNA server object, which specifies the external IP address, port, and server certificate of the access proxy and maps it to the real servers behind it. FortiGate Infrastructure 7.2 Study Guide (p.177): "A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust role-based access. To create a rule, type a rule name, and add IP addresses and ZTNA tags or tag groups that are allowed or blocked access. You also select the ZTNA server as the destination. You can also apply security profiles to protect this traffic."

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?


A. Static IP Address


B. Dialup User


C. Dynamic DNS


D. Pre-shared Key





B.
  Dialup User

Dialup user is used when the remote peer's IP address is not known in advance. The peer with the unknown address acts as the dialup client and must initiate the tunnel; this is the common case for branch offices and mobile VPN clients that use dynamic IP addresses and have no dynamic DNS. In the CLI, a dialup phase 1 is one configured with `set type dynamic`: FortiGate then accepts IKE negotiations from any source address (optionally restricted by peer ID or certificate) instead of from a single fixed remote gateway. Static IP Address and Dynamic DNS both require a reachable, known peer address, and Pre-shared Key is an authentication method, not a remote gateway type.
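The hub-side configuration for this scenario, as an added example that is not from the page or the study guide. It assumes the FortiOS 7.2 CLI, a WAN interface named port1, IKEv2, and a placeholder pre-shared key; the tunnel name and the branch peer ID "branch01" are assumptions used only for illustration.

```fortios
# Phase 1: "set type dynamic" is the CLI equivalent of Remote Gateway = Dialup User.
# FortiGate listens for IKE from any source address instead of a fixed peer IP.
config vpn ipsec phase1-interface
    edit "Dialup-Branch"
        set type dynamic
        set interface "port1"
        set ike-version 2
        # Require a specific IKE ID so that any host that learns the PSK
        # cannot bring up the tunnel just by reaching the hub.
        set peertype one
        set peerid "branch01"
        # One tunnel interface per connected dialup peer.
        set net-device enable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end
# Phase 2: on a dialup hub the selectors are left at 0.0.0.0/0 so any branch
# subnet can be negotiated; narrow them once the branch ranges are known.
config vpn ipsec phase2-interface
    edit "Dialup-Branch-p2"
        set phase1name "Dialup-Branch"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

The branch FortiGate, by contrast, is configured with a static remote gateway pointing at the hub's public address and sets its own IKE ID (`set localid "branch01"`) to match; it must be the initiator, since the hub cannot reach a peer whose address it does not know. A dialup tunnel that relies on a pre-shared key alone is reachable by anyone on the internet who obtains that key, which is why the peer ID restriction (or certificate authentication) belongs in the configuration from the start.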

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.) 


A. The firmware image must be manually uploaded to each FortiGate.


B. Only secondary FortiGate devices are rebooted.


C. Uninterruptable upgrade is enabled by default.


D. Traffic load balancing is temporally disabled while upgrading the firmware.





C.
  Uninterruptable upgrade is enabled by default.

D.
  Traffic load balancing is temporally disabled while upgrading the firmware.

Which of statement is true about SSL VPN web mode?


A. The tunnel is up while the client is connected. 


B. It supports a limited number of protocols. 


C. The external network application sends data through the VPN.


D. It assigns a virtual IP address to the client.





B.
  It supports a limited number of protocols. 

FortiGate_Security_6.4 page 575 - Web mode requires only a web browser, but supports a limited number of protocols.

An administrator wants to simplify remote access without asking users to provide user credentials. Which access control method provides this solution?


A. ZTNA IP/MAC filtering mode 


B. ZTNA access proxy


C.  SSL VPN


D. L2TP





B.
  ZTNA access proxy

FortiGate Infrastructure 7.2 Study Guide (p.165): "ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of VPNs."

This is true because ZTNA access proxy lets remote users reach internal applications through a TLS-encrypted access proxy on FortiGate without building a VPN tunnel. FortiGate identifies the endpoint by the device certificate that FortiClient EMS issues to it, and applies ZTNA rules based on the device's EMS tags (its security posture). User authentication can be added to a ZTNA rule, but it is optional, so access can be granted without prompting the user for credentials; the user only needs FortiClient registered to EMS on the device. This simplifies remote access and reduces the attack surface, because only the published applications are reachable rather than the whole private network.

If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used? 


A. The Services field prevents SNAT and DNAT from being combined in the same policy. 


B. The Services field is used when you need to bundle several VIPs into VIP groups. 


C. The Services field removes the requirement to create multiple VIPs for different services.


D. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer. 





C.
  The Services field removes the requirement to create multiple VIPs for different services.

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection. 


Which FortiGate configuration can achieve this goal? 


A. SSL VPN bookmark 


B.  SSL VPN tunnel


C. Zero trust network access


D. SSL VPN quick connection





B.
   SSL VPN tunnel

FortiGate Infrastructure 7.2 Study Guide (p.198): "Tunnel mode requires FortiClient to connect to FortiGate. FortiClient adds a virtual network adapter identified as fortissl to the user’s PC. This virtual adapter dynamically receives an IP address from FortiGate each time FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is SSL/TLS encapsulated. The main advantage of tunnel mode over web mode is that after the VPN is established, any IP network application running on the client can send traffic through the tunnel."

An SSL VPN tunnel lets remote users establish an encrypted VPN connection to the private network over SSL/TLS. Because the tunnel is presented to the PC as a virtual network adapter (fortissl), it carries traffic from any IP application on the PC, including external applications and FTP clients.

An SSL VPN bookmark is a link in the SSL VPN web portal that opens a specific resource through the browser. It does not carry traffic from applications running on the user's PC. Zero trust network access (ZTNA) brokers access to specific published applications through the TLS access proxy, based on device identity and posture; it does not provide a general network tunnel for arbitrary application traffic from the PC.

SSL VPN quick connection is a web-portal widget that lets a user connect to a host by typing its address and choosing a supported protocol (for example RDP, SSH, or HTTP) without a predefined bookmark. It runs in web mode, inside the browser, and like a bookmark it does not carry traffic from external applications on the user's PC.

Which statement correctly describes the use of reliable logging on FortiGate?


A. Reliable logging is enabled by default in all configuration scenarios.


B. Reliable logging is required to encrypt the transmission of logs.


C. Reliable logging can be configured only using the CLI. 


D. Reliable logging prevents the loss of logs when the local disk is full.





B.
  Reliable logging is required to encrypt the transmission of logs.

FortiGate Security 7.2 Study Guide (p.192): "if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecure network. You can choose the level of SSL protection used by configuring the enc-algorithm setting on the CLI."
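The corresponding CLI configuration, as an added example that is not from the page or the study guide. It assumes the FortiOS 7.2 CLI and uses placeholder server addresses; the FortiAnalyzer and syslog settings are shown side by side because the rule is the same for both: encryption is only available on the reliable (TCP) transport.

```fortios
# FortiAnalyzer: enable reliable (OFTP over TCP) transport, then pick the
# TLS cipher strength and minimum protocol version for the encrypted channel.
config log fortianalyzer setting
    set status enable
    set server "10.0.0.50"
    set reliable enable
    set enc-algorithm high
    set ssl-min-proto-version TLSv1-2
end
# Syslog: the equivalent is "mode reliable" (TCP). With the default "mode udp"
# there is no session to wrap in TLS, so enc-algorithm cannot protect the logs.
config log syslogd setting
    set status enable
    set server "10.0.0.60"
    set mode reliable
    set port 6514
    set facility local7
    set enc-algorithm high
end
```

Check the result with `diagnose test application miglogd 6` (FortiAnalyzer connection state) and `get log fortianalyzer setting` / `get log syslogd setting`, confirming that reliable transport shows as enabled before trusting that logs leave the device encrypted. Reliable logging does not address a full local disk; local disk behaviour is governed by the disk log settings, not by the remote transport.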

Which two statements are true when FortiGate is in transparent mode? (Choose two.)


A. By default, all interfaces are part of the same broadcast domain.


B. The existing network IP schema must be changed when installing a transparent mode.


C. Static routes are required to allow traffic to the next hop. 


D. FortiGate forwards frames without changing the MAC address.





A.
  By default, all interfaces are part of the same broadcast domain.

D.
  FortiGate forwards frames without changing the MAC address.

Reference: https://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about VLAN IDs is true?


A. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs. 


B. The two VLAN subinterfaces must have different VLAN IDs.


C. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet. 


D. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.





B.
  The two VLAN subinterfaces must have different VLAN IDs.

A VLAN ID can be used only once per physical interface on FortiGate, so two VLAN subinterfaces added to the same physical interface must carry different VLAN IDs; the same VLAN ID may be reused on a different physical interface. Options C and D contradict each other and neither is true: the IP subnet assigned to a subinterface has no bearing on the VLAN ID check, because the ID is what the 802.1Q tag on the wire is matched against.

Reference: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans
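Two VLAN subinterfaces on one physical port, as an added example that is not from the page or the Fortinet documentation. It assumes the FortiOS 7.2 CLI, a physical interface named port3, the root VDOM, and illustrative addressing.

```fortios
# Both subinterfaces hang off port3; each gets its own 802.1Q tag (10 and 20).
config system interface
    edit "port3-vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "port3"
        set vlanid 10
    next
    edit "port3-vlan20"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "port3"
        set vlanid 20
    next
end
# Verify the parent interface and tag of each subinterface.
show system interface port3-vlan10
show system interface port3-vlan20
```

Entering `set vlanid 10` on the second subinterface is rejected by the CLI whatever subnet it has been given, which is the practical form of the rule behind answer B. Note that in NAT mode each subinterface is a separate Layer 3 interface with its own address and firewall policies, so the two VLANs do not see each other unless a policy between them permits it.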

