Question 6 of 104

Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.
Exam NSE4_FGT-7.2: Question 6 - Image 1
Exam NSE4_FGT-7.2: Question 6 - Image 2
Which part of the policy configuration must you change to resolve the issue?

Suggested Answer

The suggested answer is B.

The issue arises because SSL inspection is set to certificate-inspection. To inspect and manage reactions and other interactive elements on Facebook, deep content inspection is required, so that the FortiGate can examine the encrypted traffic in detail, which is necessary for controlling actions such as leaving reactions on posts. Therefore, changing the SSL inspection to deep content inspection would resolve the issue.

Community Votes: 19 votes
B (Suggested): 100%
Question 7 of 104

Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
Exam NSE4_FGT-7.2: Question 7 - Image 1
Exam NSE4_FGT-7.2: Question 7 - Image 2
What must the administrator do to synchronize the address object?

Suggested Answer

The suggested answer is C.

To synchronize the address object between the root FortiGate (Local-FortiGate) and the downstream FortiGate (ISFW), the configuration must ensure that the downstream device can receive synchronized objects. The correct setting is to enable 'downstream-access' on both devices. Without this enabled, the necessary synchronization does not occur, which is why option C, which changes the csf setting on both devices to set downstream-access enable, is the right choice.

Community Votes: 79 votes
C (Suggested): 61%
D: 39%
Question 8 of 104

Refer to the exhibits.
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.
Exam NSE4_FGT-7.2: Question 8 - Image 1
Exam NSE4_FGT-7.2: Question 8 - Image 2
Based on the system performance output, which two results are correct? (Choose two.)

Suggested Answer

The suggested answer is B, C.

First, it is clear from the exhibits that memory usage is at 90%, which is above the red threshold of 88%. This means the FortiGate has entered conserve mode, reducing its operational capacity to conserve resources. This makes 'FortiGate has entered conserve mode' correct. Second, when the FortiGate is in conserve mode, it does not accept configuration changes, as these actions might increase memory usage further. This makes 'Administrators cannot change the configuration' correct. Therefore, the correct answers are that the FortiGate has entered conserve mode and administrators cannot change the configuration.

Community Votes: 30 votes
BC (Suggested): 97%
BD: 3%
Question 9 of 104

Refer to the exhibit showing a debug flow output.
Exam NSE4_FGT-7.2: Question 9 - Image 1
What two conclusions can you make from the debug flow output? (Choose two.)

Suggested Answer

The suggested answer is A, C.

The debug flow output indicates that the protocol number is 1, which corresponds to ICMP traffic, hence confirming that the debug flow is for ICMP traffic. Additionally, the log message 'allocate a new session' shows that a new traffic session was created. Therefore, the two conclusions that can be made from the debug flow output are that the debug flow is for ICMP traffic and that a new traffic session was created.

Community Votes: 25 votes
AC (Suggested): 96%
BC: 4%
Question 10 of 104

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

Suggested Answer

The suggested answer is A.

In an IPsec VPN configuration, the local quick mode selector of one site typically matches the remote quick mode selector of the other site. Since site A has been configured with a local quick mode selector of 192.168.1.0/24 and a remote quick mode selector of 192.168.2.0/24, to correctly establish the VPN, site B's local quick mode selector must be 192.168.2.0/24.

Community Votes: 30 votes
A (Suggested): 100%