How Many Questions Of NSE4_FGT-6.4 Braindumps

We provide real NSE4_FGT-6.4 exam questions and answers braindumps in two formats. Download PDF & Practice Tests. Pass Fortinet NSE4_FGT-6.4 Exam quickly & easily. The NSE4_FGT-6.4 PDF type is available for reading and printing. You can print more and practice many times. With the help of our Fortinet NSE4_FGT-6.4 dumps pdf and vce product and material, you can easily pass the NSE4_FGT-6.4 exam.

Online NSE4_FGT-6.4 free questions and answers of New Version:

Refer to the exhibits.
NSE4_FGT-6.4 dumps exhibit
NSE4_FGT-6.4 dumps exhibit
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

  • A. Administrators can access FortiGate only through the console port.
  • B. FortiGate has entered conserve mode.
  • C. FortiGate will start sending all files to FortiSandbox for inspection.
  • D. Administrators cannot change the configuration.

Answer: CD

Examine this FortiGate configuration:
NSE4_FGT-6.4 dumps exhibit
Examine the output of the following debug command:
NSE4_FGT-6.4 dumps exhibit
Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?

  • A. It is allowed, but with no inspection
  • B. It is allowed and inspected as long as the inspection is flow based
  • C. It is dropped.
  • D. It is allowed and inspected, as long as the only inspection required is antivirus.

Answer: C

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

  • A. System event logs
  • B. Forward traffic logs
  • C. Local traffic logs
  • D. Security logs

Answer: A

Examine this PAC file configuration.
NSE4_FGT-6.4 dumps exhibit
Which of the following statements are true? (Choose two.)

  • A. Browsers can be configured to retrieve this PAC file from the FortiGate.
  • B. Any web request to the subnet is allowed to bypass the proxy.
  • C. All requests not made to or the subnet, have to go through 8060.
  • D. Any web request is allowed to bypass the proxy.

Answer: AD

Examine this FortiGate configuration:
NSE4_FGT-6.4 dumps exhibit
How does the FortiGate handle web proxy traffic coming from the IP address that requires authorization?

  • A. It always authorizes the traffic without requiring authentication.
  • B. It drops the traffic.
  • C. It authenticates the traffic using the authentication scheme SCHEME2.
  • D. It authenticates the traffic using the authentication scheme SCHEME1.

Answer: D

“What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”

Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

  • A. This security fabric topology is a logical topology view.
  • B. There are 19 security recommendations for the security fabric.
  • C. There are five devices that are part of the security fabric.
  • D. Device detection is disabled on all FortiGate devices.

Answer: AD

NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration does not change when you enable policy-based inspection?

  • A. Web filtering
  • B. Antivirus
  • C. Web proxy
  • D. Application control

Answer: B

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?

  • A. Configure Source IP Pools.
  • B. Configure split tunneling in tunnel mode.
  • C. Configure different SSL VPN realms.
  • D. Configure host check.

Answer: D

How do you format the FortiGate flash disk?

  • A. Load a debug FortiOS image.
  • B. Load the hardware test (HQIP) image.
  • C. Execute the CLI command execute formatlogdisk.
  • D. Select the format boot device option from the BIOS menu.

Answer: D

Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to

  • A. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
  • B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
  • C. Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.
  • D. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Answer: D

What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

  • A. Traffic to botnetservers
  • B. Traffic to inappropriate web sites
  • C. Server information disclosure attacks
  • D. Credit card data leaks
  • E. SQL injection attacks

Answer: ACE

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

  • A. The strict RPF check is run on the first sent and reply packet of any new session.
  • B. Strict RPF checks the best route back to the sourceusingtheincoming interface.
  • C. Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.
  • D. Strict RPF allows packets back to sources with all active routes.

Answer: A

Which of statement is true about SSL VPN web mode?

  • A. The tunnel is up while the client is connected.
  • B. It supports a limited number of protocols.
  • C. The external network application sends data through the VPN.
  • D. It assigns a virtual IP address to the client.

Answer: C

Refer to the exhibit.
NSE4_FGT-6.4 dumps exhibit
The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration. The WAN (port1) interface has the IP address
The LAN (port3) interface has the IP address 10 .0.1.254. /24. The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address

  • A.
  • B.
  • C.
  • D.

Answer: A

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy. Instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

  • A. The IP version of the sources and destinations in a firewall policy must be different.
  • B. The Incoming Interfac
  • C. Outgoing Interfac
  • D. Schedule, and Service fields can be shared with both IPv4and IPv6.
  • E. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
  • F. The IP version of the sources and destinations in a policy must match.
  • G. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Answer: ACE

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

  • A. System time
  • B. FortiGuaid update servers
  • C. Operating mode
  • D. NGFW mode

Answer: AD

Examine the following web filtering log.
NSE4_FGT-6.4 dumps exhibit
Which statement about the log message is true?

  • A. The action for the category Games is set to block.
  • B. The usage quota for the IP address has expired
  • C. The name of the applied web filter profile is default.
  • D. The web site matches a static URL filter whose action is set to Warning.

Answer: C

Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?

  • A. To allow for out-of-order packets that could arrive after the FIN/ACK packets
  • B. To finish any inspection operations
  • C. To remove the NAT operation
  • D. To generate logs

Answer: B

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

  • A. diagnose wad session list
  • B. diagnose wad session list | grep hook-pre&&hook-out
  • C. diagnose wad session list | grep hook=pre&&hook=out
  • D. diagnose wad session list | grep "hook=pre"&"hook=out"

Answer: D

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?

  • A. Subject Key Identifiervalue
  • B. SMMIE Capabilitiesvalue
  • C. Subjectvalue
  • D. Subject Alternative Namevalue

Answer: C

Which statement about the IP authentication header (AH) used by IPsec is true?

  • A. AH does not provide any data integrity or encryption.
  • B. AH does not support perfect forward secrecy.
  • C. AH provides data integrity bur no encryption.
  • D. AH provides strong data integrity but weak encryption.

Answer: C

Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

  • A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
  • B. An SA never expires.
  • C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
  • D. Phase 2 SA expiration can be time-based, volume-based, or both.
  • E. Both the phase 1 SA and phase 2 SA are bidirectional.

Answer: BCD

Refer to the exhibits.
NSE4_FGT-6.4 dumps exhibit
NSE4_FGT-6.4 dumps exhibit
The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?

  • A. Change the SSL VPN port on the client.
  • B. Change the Server IP address.
  • C. Change the idle-timeout.
  • D. Change the SSL VPN portal to the tunnel.

Answer: D

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

  • A. Heartbeat interfaces have virtual IP addresses that are manually assigned.
  • B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
  • C. Virtual IP addresses are used to distinguish between cluster members.
  • D. The primary device in the clusteris always assigned IP address

Answer: AB

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic, in addition, the remote peer does not support a dynamic DNS update service. What type of remote gateway should tie administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Static IP Address
  • B. Dialup User
  • C. Dynamic DNS
  • D. Pre-shared Key

Answer: C


100% Valid and Newest Version NSE4_FGT-6.4 Questions & Answers shared by, Get Full Dumps HERE: (New 94 Q&As)