★ Pass on Your First TRY ★ 100% Money Back Guarantee ★ Realistic Practice Exam Questions

Free Instant Download NEW NSE4 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/NSE4-dumps.html


Q1. - (Topic 15) 

Review the IKE debug output for IPsec shown in the exhibit below. 

Which statements is correct regarding this output? 

A. The output is a phase 1 negotiation. 

B. The output is a phase 2 negotiation. 

C. The output captures the dead peer detection messages. 

D. The output captures the dead gateway detection packets. 

Answer:


Q2. - (Topic 14) 

Two FortiGate devices fail to form an HA cluster, the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of show system ha for the STUDENT device. Exhibit B shows the command output of show system ha for the REMOTE device. 

Exhibit A: 

Exhibit B 

Which one of the following is the most likely reason that the cluster fails to form? 

A. Password 

B. HA mode 

C. Hearbeat 

D. Override 

Answer:


Q3. - (Topic 2) 

Regarding the header and body sections in raw log messages, which statement is correct? 

A. The header and body section layouts change depending on the log type. 

B. The header section layout is always the same regardless of the log type. The body section layout changes depending on the log type. 

C. Some log types include multiple body sections. 

D. Some log types do not include a body section. 

Answer:


Q4. - (Topic 17) 

With FSSO, a domain user could authenticate either against the domain controller running the collector agent and domain controller agent, or a domain controller running only the domain controller agent. 

If you attempt to authenticate with a domain controller running only the domain controller agent, which statements are correct? (Choose two.) 

A. The login event is sent to the collector agent. 

B. The FortiGate receives the user information directly from the receiving domain controller agent of the secondary domain controller. 

C. The domain collector agent may perform a DNS lookup for the authenticated client's IP address. 

D. The user cannot be authenticated with the FortiGate in this manner because each domain controller agent requires a dedicated collector agent. 

Answer: A,C 


Q5. - (Topic 20) 

Examine the following output from the diagnose sys session list command: 

session info: proto=6 proto_state=65 duration=3 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=5 origin-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 

13895Bps 

reply-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 

13895Bps 

state=redir local may_dirty ndr npu nlb os rs 

statistic(bytes/packets/allow_err): org=864/8/1 reply=2384/7/1 tuples=3 

orgin->sink: org pre->post, reply pre->post dev=7->6/6->7 gwy=172.17.87.3/10.1.10.1 

hook=post dir=org act=snat 192.168.1.110:57999->74.201.86.29:443(172.17.87.16:57999) 

hook=pre dir=reply act=dnat 74.201.86.29:443-

>172.17.87.16:57999(192.168.1.110:57999) 

hook=post dir=reply act=noop 74.201.86.29:443->192.168.1.110:57999(0.0.0.0:0) 

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0 

npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0 

Which statements are true regarding the session above? (Choose two.) 

A. Session Time-To-Live (TTL) was configured to 9 seconds. 

B. FortiGate is doing NAT of both the source and destination IP addresses on all packets coming from the 192.168.1.110 address. 

C. The IP address 192.168.1.110 is being translated to 172.17.87.16. 

D. The FortiGate is not translating the TCP port numbers of the packets in this session. 

Answer: C,D 


Q6. - (Topic 17) 

FSSO provides a single sign on solution to authenticate users transparently to a FortiGate unit using credentials stored in Windows active directory. 

Which of the following statements are correct regarding FSSO in a Windows domain environment when agent mode is used? (Choose two.) 

A. An FSSO collector agent must be installed on every domain controller. 

B. An FSSO domain controller agent must be installed on every domain controller. 

C. The FSSO domain controller agent will regularly update user logon information on the FortiGate unit. 

D. The FSSO collector agent will receive user logon information from the domain controller agent and will send it to the FortiGate unit. 

Answer: B,D 


Q7. - (Topic 4) 

The FortiGate port1 is connected to the Internet. The FortiGate port2 is connected to the internal network. Examine the firewall configuration shown in the exhibit; then answer the question below. 

Based on the firewall configuration illustrated in the exhibit, which statement is correct? 

A. A user that has not authenticated can access the Internet using any protocol that does not trigger an authentication challenge. 

B. A user that has not authenticated can access the Internet using any protocol except HTTP, HTTPS, Telnet, and FTP. 

C. A user must authenticate using the HTTP, HTTPS, SSH, FTP, or Telnet protocol before they can access all Internet services. 

D. DNS Internet access is always allowed, even for users that has not authenticated. 

Answer:


Q8. - (Topic 15) 

Which IPsec mode includes the peer id information in the first packet? 

A. Main mode. 

B. Quick mode. 

C. Aggressive mode. 

D. IKEv2 mode. 

Answer:


Q9. - (Topic 10) 

How do you configure a FortiGate to apply traffic shaping to P2P traffic, such as BitTorrent? 

A. Apply a traffic shaper to a BitTorrent entry in an application control list, which is then applied to a firewall policy. 

B. Enable the shape option in a firewall policy with service set to BitTorrent. 

C. Define a DLP rule to match against BitTorrent traffic and include the rule in a DLP sensor with traffic shaping enabled. 

D. Apply a traffic shaper to a protocol options profile. 

Answer:


Q10. - (Topic 1) 

What methods can be used to access the FortiGate CLI? (Choose two.) 

A. Using SNMP. 

B. A direct connection to the serial console port. 

C. Using the CLI console widget in the GUI. 

D. Using RCP. 

Answer: B,C