NSE4_FGT-7.0 Free Practice Test

- (Exam Topic 2)
Examine the exhibit, which contains a virtual IP and firewall policy configuration.



The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

1. A. 10.200.1.10
2. B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
3. C. 10.200.1.1
4. D. 10.0.1.254

Correct Answer: A
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall Objects/Virtual IPs.

- (Exam Topic 1)
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

1. A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
2. B. The client FortiGate requires a manually added route to remote subnets.
3. C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
4. D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Correct Answer: CD
Reference:
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/266506/ssl-vpn-with-certificate-authentication

- (Exam Topic 2)
Examine this FortiGate configuration:

Examine the output of the following debug command:

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

1. A. It is allowed, but with no inspection
2. B. It is allowed and inspected as long as the inspection is flow based
3. C. It is dropped.
4. D. It is allowed and inspected, as long as the only inspection required is antivirus.

Correct Answer: C

- (Exam Topic 2)
Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

1. A. To detect intermediary NAT devices in the tunnel path.
2. B. To dynamically change phase 1 negotiation mode aggressive mode.
3. C. To encapsulation ESP packets in UDP packets using port 4500.
4. D. To force a new DH exchange with each phase 2 rekey.

Correct Answer: AC

- (Exam Topic 1)
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

1. A. Static IP Address
2. B. Dialup User
3. C. Dynamic DNS
4. D. Pre-shared Key

Correct Answer: B
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup clien and this is often the case for branch offices and mobile VPN clients that use dynamic IP address and no dynamic DNS