Fortinet NSE4_FGT-6.4 Fortinet NSE 4 - FortiOS 6.4 Exam Practice Test

FortiGate points the collector agent to use a remote LDAP server.

FortiGate uses the AD server as the collector agent.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

FortiGate queries AD by using the LDAP to retrieve user group information.

FG-traffic

Mgmt

FG-Mgmt

Root

Advanced mode uses Windows convention—NetBios: Domain\Username.

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate

Advanced mode supports nested or inherited groups

Security profiles can be applied only to user groups, not individual users.

Traffic is blocked because Action is set to DENY in the firewall policy.

Traffic belongs to the root VDOM.

This is a security log.

Log severity is set to error on FortiGate.

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

There are five devices that are part of the security fabric.

Device detection is disabled on all FortiGate devices.

This security fabric topology is a logical topology view.

There are 19 security recommendations for the security fabric.

www.example.com:443

www.example.com

example.com

www.example.com/index.html

It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

ADVPN is only supported with IKEv2.

Tunnels are negotiated dynamically between spokes.

Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

A CRL

A person

A subordinate CA

A root CA

SSH

HTTPS

FTM

FortiTelemetry

The public key of the web server certificate must be installed on the browser.

The web-server certificate must be installed on the browser.

The CA certificate that signed the web-server certificate must be installed on the browser.

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

The port3 default route has the highest distance.

The port3 default route has the lowest metric.

There will be eight routes active in the routing table.

The port1 and port2 default routes are active in the routing table.

Participants configured are not SD-WAN members.

There may not be a static route to route the performance SLA traffic.

The Ping protocol is not supported for the public servers that are configured.

You need to turn on the Enable probe packets switch.

10.200.1.149

10.200.1.1

10.200.1.49

10.200.1.99

The IP version of the sources and destinations in a firewall policy must be different.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a policy must match.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

This is known as many-to-one NAT.

Source IP is translated to the outgoing interface IP.

Connections are tracked using source port and source MAC address.

Port address translation is not used.

Connected monitored ports > System uptime > Priority > FortiGate Serial number

Connected monitored ports > HA uptime > Priority > FortiGate Serial number

Connected monitored ports > Priority > HA uptime > FortiGate Serial number

Connected monitored ports > Priority > System uptime > FortiGate Serial number

For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote

peer to provide a username and password

FortiGate supports pre-shared key and signature as authentication methods.

Enabling XAuth results in a faster authentication because fewer packets are exchanged.

A certificate is not required on the remote peer when you set the signature as the authentication method.

Subject Key Identifier value

SMMIE Capabilities value

Subject value

Subject Alternative Name value

Source IP

Spillover

Volume

Session

The interface has been configured for one-arm sniffer.

The interface is a member of a virtual wire pair.

The operation mode is transparent.

The interface is a member of a zone.

Captive portal is enabled in the interface.

Traffic between port2 and port2-vlan1 is allowed by default.

port1-vlan10 and port2-vlan10 are part of the same broadcast domain.

port1 is a native VLAN.

port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

The signature setting uses a custom rating threshold.

The signature setting includes a group of other signatures.

Traffic matching the signature will be allowed and logged.

Traffic matching the signature will be silently dropped and logged.

By default, all interfaces are part of the same broadcast domain.

The existing network IP schema must be changed when installing a transparent mode.

Static routes are required to allow traffic to the next hop.

FortiGate forwards frames without changing the MAC address.