Fortinet NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 Online Training
The questions for NSE4_FGT-6.4 were last updated on Dec 27, 2024.
- Exam Code: NSE4_FGT-6.4
- Exam Name: Fortinet NSE 4 - FortiOS 6.4
- Certification Provider: Fortinet
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
- A . The IPS engine was inspecting a high volume of traffic.
- B . The IPS engine was unable to prevent an intrusion attack.
- C . The IPS engine was blocking all traffic.
- D . The IPS engine will continue to run in a normal state.
Which three authentication timeout types are available for selection on FortiGate? (Choose three.)
- A . hard-timeout
- B . auth-on-demand
- C . soft-timeout
- D . new-session
- E . idle-timeout
A,D,E
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)
- A . Antivirus scanning
- B . File filter
- C . DNS filter
- D . Intrusion prevention
When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?
- A . Log ID
- B . Universally Unique Identifier
- C . Policy ID
- D . Sequence ID
B
Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewall-policies
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
- A . The subject field in the server certificate
- B . The serial number in the server certificate
- C . The server name indication (SNI) extension in the client hello message
- D . The subject alternative name (SAN) field in the server certificate
- E . The host field in the HTTP header
ACD
Explanation:
Reference: https://checkthefirewall.com/blogs/fortinet/ssl-inspection
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
- A . diagnose sys top
- B . execute ping
- C . execute traceroute
- D . diagnose sniffer packet any
- E . get system arp
Consider the topology:
Application on a Windows machine <--{SSL VPN}--> FGT --> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)
- A . Set the maximum session TTL value for the TELNET service object.
- B . Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
- C . Create a new service object for TELNET and set the maximum session TTL.
- D . Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
NGFW mode allows policy-based configuration for most inspection rules.
Which security profile’s configuration does not change when you enable policy-based inspection?
- A . Web filtering
- B . Antivirus
- C . Web proxy
- D . Application control
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
- A . Log downloads from the GUI are limited to the current filter view
- B . Log backups from the CLI cannot be restored to another FortiGate.
- C . Log backups from the CLI can be configured to upload to FTP at a scheduled time
- D . Log downloads from the GUI are stored as LZ4 compressed files.
Which two statements are true about the FGCP protocol? (Choose two.)
- A . Not used when FortiGate is in Transparent mode
- B . Elects the primary FortiGate device
- C . Runs only over the heartbeat links
- D . Is used to discover FortiGate devices in different HA groups