Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)
In FortiGate FSSO agentless polling mode, FortiGate uses the SMB protocol to read the event viewer logs from the domain controllers (DCs), which confirms the first correct statement. Additionally, in this mode, FortiGate does not support workstation check, which means it cannot perform workstation-based verifications as it would in some other modes. Therefore, the correct statements are that FortiGate uses the SMB protocol to read the event viewer logs from the DCs and does not support workstation check.
Agentless Polling Mode: Similar to agent-based polling, but FortiGate polls instead. Doesn't require an external DC agent or collector agent. FortiGate collects data directly. Event logging must be enabled on the DCs. More CPU and RAM required by FortiGate. Support for polling option WinSecLog only. FortiGate uses SMB TCP 445 protocol to read the event viewer logs. Fewer available features than collector agent-based polling mode. FortiGate doesn't poll workstation.
Pg 272 Inf study guide: Because there’s no collector agent, FortiGate uses the SMB protocol to read the event viewer logs from the DCs. In agentless polling mode, FortiGate acts as a collector. It is responsible for polling on top of its normal FSSO tasks but does not have all the extra features, such as workstation checks, that are available with the external collector agent.
Option C is incorrect because FortiGate does support workstation check in agentless polling mode.
Slide 16, Chapter 3 - Fortinet Single Sign-On (FSSO), Course "NSE 4 FortiGate Infrastructure 7.2 Self-Paced" - "FortiGate uses the SMB protocol to read the event viewer logs" - "FortiGate doesn't poll workstation. Workstation verification is not available in agentless polling mode"
Correct answer is B and D
Correct answer is C & D Reference **Fortigate Infrastructure Study Guide Page 272**
BD is correct
Page 257 student guide infrastructure 7.0 => FortiGate used SMB protocol to read the event viewer logs from DCs. Workstation verification is not available in agentless polling mode. FortiGate acts as a collector. It's responsible for polling on top of its normal FSSO tasks but does not have all the extra features, such as workstation checks, that are available with the external collector agent.
B and D is the correct answer Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732
FSSO (Fortinet Single Sign-On) agentless polling mode is a method used by Fortinet devices, such as FortiGate firewalls, to collect user authentication information from Microsoft Active Directory (AD) servers. In agentless polling mode, FortiGate reads the event viewer logs directly from the domain controllers (DCs) using the SMB protocol. The event viewer logs contain information about user logins, logouts, and other authentication events. The FSSO collector agent is not required in agentless polling mode, as FortiGate directly reads the event viewer logs from the DCs. This reduces the configuration complexity and overhead associated with deploying a collector agent on the network. FortiGate uses the collected authentication information to apply security policies and provide user-based reporting. This allows Fortinet devices to enforce granular policies based on user identity, rather than just IP addresses.
BC 100%. It asks for AgentLESS, see https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349 And check NSE5 Forticlient EMS.
And answer D would be impossible, since it's AgentLESS so no Collector Agent to direct anywhere lol
B and D are correct: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732
BD, nse4
It's B and C (not A and B)
B & C. FortiGate doesn't poll workstation
Agentless polling mode operates in a similar way to WinSecLog, but with only two event IDs: 4768 and 4769. Because there’s no collector agent, FortiGate uses the SMB protocol to read the event viewer logs from the DCs. In agentless polling mode, FortiGate acts as a collector. It is responsible for polling on top of its normal FSSO tasks but does not have all the extra features, such as workstation checks, that are available with the external collector agent. FortiGate Infrastructure 7.2 Study Guide P.130
"FortiGate uses the SMB protocol to read the event viewer logs" "FortiGate doesn't poll workstation. Workstation verification is not available in agentless polling mode"