30 March, 2025

What Certified NSE4_FGT-7.0 Practice Question Is

Exam Code: NSE4_FGT-7.0 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Fortinet NSE 4 - FortiOS 7.0
Certification Provider: Fortinet
Free Today! Guaranteed Training- Pass NSE4_FGT-7.0 Exam.

Page: 1 / 14

Total 172 questions Full Exam Access

Question 1

- (Exam Topic 2)
Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

DNS

ping

udp-echo

TWAMP

Question 2

- (Exam Topic 2)
Examine this PAC file configuration.
NSE4_FGT-7.0 dumps exhibit

Which of the following statements are true? (Choose two.)

Browsers can be configured to retrieve this PAC file from the FortiGate.

Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.

All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.

Any web request fortinet.com is allowed to bypass the proxy.

Question 3

- (Exam Topic 2)
Refer to the exhibit to view the firewall policy.
NSE4_FGT-7.0 dumps exhibit

Which statement is correct if well-known viruses are not being blocked?

The firewall policy does not apply deep content inspection.

The firewall policy must be configured in proxy-based inspection mode.

The action on the firewall policy must be set to deny.

Web filter should be enabled on the firewall policy to complement the antivirus profile.

Question 4

- (Exam Topic 2)
Examine this FortiGate configuration:
NSE4_FGT-7.0 dumps exhibit

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?

It always authorizes the traffic without requiring authentication.

It drops the traffic.

It authenticates the traffic using the authentication scheme SCHEME2.

It authenticates the traffic using the authentication scheme SCHEME1.

Question 5

- (Exam Topic 1)
Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration. The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24. The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

10.200.1.1

10.200.3.1

10.200.1.100

10.200.1.10

Question 6

- (Exam Topic 2)
What is the primary FortiGate election process when the HA override setting is disabled?

Connected monitored ports > System uptime > Priority > FortiGate Serial number

Connected monitored ports > HA uptime > Priority > FortiGate Serial number

Connected monitored ports > Priority > HA uptime > FortiGate Serial number

Connected monitored ports > Priority > System uptime > FortiGate Serial number

Question 7

- (Exam Topic 1)
Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

Question 8

- (Exam Topic 1)
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

Antivirus engine

Intrusion prevention system engine

Flow engine

Detection engine

Question 9

- (Exam Topic 2)
Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)

On HQ-FortiGate, set IKE mode to Main (ID protection).

On both FortiGate devices, set Dead Peer Detection to On Demand.

On HQ-FortiGate, disable Diffie-Helman group 2.

On Remote-FortiGate, set port2 as Interface.

Question 10

- (Exam Topic 2)
Which two statements are true about the RPF check? (Choose two.)

The RPF check is run on the first sent packet of any new session.

The RPF check is run on the first reply packet of any new session.

The RPF check is run on the first sent and reply packet of any new session.

RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Question 11

- (Exam Topic 1)
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

The strict RPF check is run on the first sent and reply packet of any new session.

Strict RPF checks the best route back to the source using the incoming interface.

Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.

Strict RPF allows packets back to sources with all active routes.

Question 12

- (Exam Topic 2)
Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.

Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.

Traffic will be redirected to the transparent proxy and It will be allowed by proxy policy ID 1.

Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.

Question 13

- (Exam Topic 1)
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Enable Dead Peer Detection.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Question 14

- (Exam Topic 2)
Refer to the exhibit, which contains a session diagnostic output.
NSE4_FGT-7.0 dumps exhibit

Which statement is true about the session diagnostic output?

The session is a UDP unidirectional state.

The session is in TCP ESTABLISHED state.

The session is a bidirectional UDP connection.

The session is a bidirectional TCP connection.

Question 15

- (Exam Topic 2)
Which of the following statements about central NAT are true? (Choose two.)

IP tool references must be removed from existing firewall policies before enabling central NAT.

Central NAT can be enabled or disabled from the CLI only.

Source NAT, using central NAT, requires at least one central SNAT policy.

Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

Question 16

- (Exam Topic 2)
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
NSE4_FGT-7.0 dumps exhibit

An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

The IPS filter is missing the Protocol: HTTPS option.

The HTTPS signatures have not been added to the sensor.

A DoS policy should be used, instead of an IPS sensor.

The firewall policy is not using a full SSL inspection profile.

Question 17

- (Exam Topic 2)
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

The firmware image must be manually uploaded to each FortiGate.

Only secondary FortiGate devices are rebooted.

Uninterruptable upgrade is enabled by default.

Traffic load balancing is temporally disabled while upgrading the firmware.

Question 18

- (Exam Topic 1)
Refer to the exhibit.
NSE4_FGT-7.0 dumps exhibit

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up. but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

On HQ-FortiGate, enable Auto-negotiate.

On Remote-FortiGate, set Seconds to 43200.

On HQ-FortiGate, enable Diffie-Hellman Group 2.

On HQ-FortiGate, set Encryption to AES256.

Question 19

- (Exam Topic 2)
Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.)

Source IP

Spillover

Volume

Session

Question 20

- (Exam Topic 1)
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

System time

FortiGuaid update servers

Operating mode

NGFW mode

Page: 1 / 14

Total 172 questions Full Exam Access