30 March, 2025
What Certified NSE4_FGT-7.0 Practice Question Is
Exam Code: NSE4_FGT-7.0 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Fortinet NSE 4 - FortiOS 7.0
Certification Provider: Fortinet
Question 1
- (Exam Topic 2)
Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)
Question 2
- (Exam Topic 2)
Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)
Question 3
- (Exam Topic 2)
Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?
Question 4
- (Exam Topic 2)
Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization?
Question 5
- (Exam Topic 1)
Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration. The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24. The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?
Question 6
- (Exam Topic 2)
What is the primary FortiGate election process when the HA override setting is disabled?
Question 7
- (Exam Topic 1)
Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)
Question 8
- (Exam Topic 1)
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
Question 9
- (Exam Topic 2)
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)
Question 10
- (Exam Topic 2)
Which two statements are true about the RPF check? (Choose two.)
Question 11
- (Exam Topic 1)
An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
Question 12
- (Exam Topic 2)
Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?
Question 13
- (Exam Topic 1)
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
Question 14
- (Exam Topic 2)
Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?
Question 15
- (Exam Topic 2)
Which of the following statements about central NAT are true? (Choose two.)
Question 16
- (Exam Topic 2)
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.


An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?
Question 17
- (Exam Topic 2)
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
Question 18
- (Exam Topic 1)
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
Question 19
- (Exam Topic 2)
Which of the following SD-WAN load-balancing methods use the interface weight value to distribute traffic? (Choose two.)
Question 20
- (Exam Topic 1)
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)