NSE4-5.4 Online Practice Questions and Answers

Which is NOT true about the settings for an IP pool type port block allocation?

A. A Block Size defines the number of connections.

B. Blocks Per User defines the number of connection blocks for each user.

C. An Internal IP Range defines the IP addresses permitted to use the pool.

D. An External IP Range defines the IP addresses in the pool.

A FortiGate devices has two VDOMs in NAT/route mode. Which of the following solutions can be implemented by a network administrator to route traffic between the two VDOMs. (Choose two.)

A. Use the inter-VDOMs links automatically created between all VDOMS.

B. Manually create and configured an inter-VDOM link between yours.

C. Interconnect and configure an external physical interface in one VDOM to another physical interface in the second VDOM.

D. Configure both VDOMs to share the same table.

The transfer of encrypted files or the use of encrypted protocols between users and servers on the internet can frustrate the efforts of administrators attempting to monitor traffic passing through the FortiGate unit and ensuring user compliance

to corporate rules.

Which of the following items will allow the administrator to control the transfer of encrypted data through the FortiGate unit? (Select all that apply.)

A. Encrypted protocols can be scanned through the use of the SSL proxy.

B. DLP rules can be used to block the transmission of encrypted files.

C. Firewall authentication can be enabled in the firewall policy, preventing the use of encrypted communications channels.

D. Application control can be used to monitor the use of encrypted protocols; alerts can be sent to the administrator through email when the use of encrypted protocols is attempted.

Which of the following statements are true about PKI users created in a FortiGate device? (Choose two.)

A. Can be used for token-based authentication

B. Can be used for two-factor authentication

C. Are used for certificate-based authentication

D. Cannot be members of user groups

Which statement is correct concerning an IPsec VPN with the remote gateway setting configured as 'Dynamic DNS'?

A. The FortiGate will accept IPsec VPN connection from any IP address.

B. The FQDN resolution of the local FortiGate IP address where the VPN is terminated must be provided by a dynamic DNS provider.

C. The FortiGate will Accept IPsec VPN connections only from IP addresses included on a dynamic DNS access list.

D. The remote gateway IP address can change dynamically.

An end user logs into the full-access SSL VPN portal and selects the Tunnel Mode option by clicking on the "Connect" button. The administrator has enabled split tunneling.

Given that the user authenticates against the SSL VPN policy shown in the image below, which statement below identifies the route that is added to the client's routing table.

A. A route to destination matching the `WIN2K3' address object.

B. A route to the destination matching the `all' address object.

C. A default route.

D. No route is added.

Which of the following options can you use to update the virus definitions on a FortiGate unit? (Select all that apply.)

A. Push update.

B. Scheduled update

C. Manual update

D. FTP update

Which of the following statements regarding the firewall policy authentication timeout is true?

A. The authentication timeout is an idle timeout. This means that the FortiGate unit will consider a user to be "idle" if it does not see any packets coming from the user's source IP.

B. The authentication timeout is a hard timeout. This means that the FortiGate unit will remove the temporary policy for this user's source IP after this timer has expired.

C. The authentication timeout is an idle timeout. This means that the FortiGate unit will consider a user to be "idle" if it does not see any packets coming from the user's source MAC.

D. The authentication timeout is a hard timeout. This means that the FortiGate unit will remove the temporary policy for this user's source MAC after this timer has expired.

Which are two requirements for DC-agent mode FSSO to work properly in a Windows AD environment? (Choose two.)

A. DNS server must properly resolve all workstation names.

B. The remote registry service must be running in all workstations.

C. The collector agent must be installed in one of the Windows domain controllers.

D. A same user cannot be logged in into two different workstations at the same time.

When the SSL proxy is NOT doing man-in-the-middle interception of SSL traffic, which certificate field can be used to determine the rating of a website?

A. Organizational Unit.

B. Common Name.

C. Serial Number.

D. Validity.