Pass Fortinet FCSS_NST_SE-7.4 Exam with Guarantee Updated 104 Questions
Latest FCSS_NST_SE-7.4 Pass Guaranteed Exam Dumps Certification Sample Questions
NEW QUESTION # 19
Refer to the exhibit, which shows the output of the command get router info bgp neighbors 100.64.2.254 advertised-routes.
What can you conclude from the output?
- A. The local router is advertising the 10.20.30.40/24 network to its BGP neighbor.
- B. The BGP neighbor is advertising the 10.20.30.40/24 network to the local router.
- C. The router ID of the neighbor is 100.64.2.254.
- D. The BGP state of the two BGP participants is OpenConfirm.
Answer: A
NEW QUESTION # 20
Refer to the exhibit, which shows the output of a BGP debug command.
Why has the local router at 172.16.23.58 been unable to establish adjacency with its only neighbor?
- A. There is no active route to the BGP neighbor.
- B. The local router has not received a SYN/ACKpacket from the neighbor.
- C. The local router has not received an OPENmessage from the neighbor.
- D. The local router has not received a keepalivemessage from the neighbor.
Answer: B
Explanation:
In BGP's Connect state the router has sent the initial TCP SYN but hasn't received the SYN/ACK from its peer, so the TCP handshake never completes and adjacency can't form.
NEW QUESTION # 21
Refer to the exhibits. An administrator is attempting to advertise the network configured on port3.
However, FGT-A is not receiving the prefix.
Which two actions can the administrator take to fix this problem? (Choose two.)
- A. Modify the prefix using the network command from 172.16.0.0/16 to 172.16.54.0/24.
- B. Use the set network-import-check disable command.
- C. Manually add the BGP route on FGT-A.
- D. Restart BGP using a soft reset to force both peers to exchange their complete BGP routing tables.
Answer: A,B
Explanation:
BGP's network statement only advertises prefixes that exactly match routes in the RIB by default.
Since port3 is 172.16.54.0/24, changing the prefix to 172.16.54.0/24 ensures it's in the routing table and will be advertised.
You can disable the network import check global (or per prefix) setting so FortiGate will advertise the 172.16.0.0/16 prefix even though no matching route exists in the RIB.
NEW QUESTION # 22
Refer to the exhibit, which shows partial outputs from two routing debug commands.
Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?
- A. Set preserve-session-route to enable.
- B. Set snat-route-change to enable.
- C. Set the priority of the static default route using port1 to 10.
- D. Set the priority of the static default route using port2 to 1.
Answer: C
NEW QUESTION # 23
Refer to the exhibits.
An administrator Is expecting to receive advertised route 8.8.8.8/32 from FGT-A. On FGT-B, they confirm that the route is being advertised and received, however, the route is not being injected into the routing table.
What is the most likely cause of this issue?
- A. FGT-8 is configured with a distribution list denying the 8.8.8.8/32 network to be injected into the routing table.
- B. A batter route to the 8.8.8.8/32 network exists in the routing table.
- C. FGT-B is configured with a prefix list denying the 8.8.8.8/32 network to be injected into the routing table.
- D. The administrator has misconfigured redistribution of routes on FGT-A.
Answer: C
NEW QUESTION # 24
Which two statements about Security Fabric communications are true? (Choose two.)
- A. FortiTelemetry must be manually enabled on the FortiGate interface.
- B. By default, the downstream FortiGate establishes a connection with the upstream FortiGate using TCP port 8013.
- C. FortiTelemetry and Neighbor Discovery both operate using TCP.
- D. The default port for Neighbor Discovery can be modified.
Answer: A,B
NEW QUESTION # 25
Exhibit.
Refer to theexhibit,which shows the output of getsystem ha status.
NGFW-1 and NGFW-2 have been up for a week.
Which two statements about the output are true? (Choose two.)
- A. If FGVM...649 is rebooted. FGVM...650 will become the primary and retain that role, even after FGVM...649 rejoins the cluster.
- B. If no action is taken, the primary FortiGate will leave the cluster because of the current sync status.
- C. If port 7 becomes disconnected on the secondary, both FortiGate devices will elect itself as primary.
- D. If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a synchronization reset.
Answer: A,C
NEW QUESTION # 26
Refer to the exhibit, which shows the partial output of a diagnose command.
Which two conclusions can you draw from the output shown in the exhibit? (Choose two.)
- A. The session is checked against firewall policy ID 25.
- B. This is a pinhole session to allow traffic for a TCP protocol that dynamically assigns TCP ports.
- C. Clearing the master session has no impact on the expectation session.
- D. FortiGate will drop the expected traffic if it does not arrive within 23 seconds.
Answer: B,D
NEW QUESTION # 27
Refer to the exhibit, which shows a partial output of the real-time LDAP debug.
What two actions can the administrator take to resolve this issue? (Choose two.)
- A. Ensure the user logs in using 'John Smith' not 'jsmith'.
- B. Ensure the user is a member of at least one AD group to ensure step 4 of the LDAP authentication process is successful.
- C. Ensure the account is active.
- D. Ensure the user is providing the correct user credentials.
Answer: B,C
Explanation:
When FortiGate's LDAP authentication can't find any matching DN it reports "get all dn - found no DN," which usually means the user either isn't in the group(s) you've told FortiGate to check or the account isn't currently active.
Ensure the user is a member of at least one AD group.
If you've configured FortiGate to restrict logins to specific groups, any user not in one of those groups will simply never be found by the LDAP search.
Ensure the account is active.
FortiGate's default search filter excludes disabled or locked accounts, so a disabled user object will likewise never show up in the DN search.
NEW QUESTION # 28
Refer to the exhibit, which shows one way communication of the downstream FortiGate with the upstream FortiGate within a Security Fabric.
What three actions must you take to ensure successful communication? (Choose three.)
- A. FortiGate must not be in NAT mode.
- B. Ensure the port for Neighbor Discovery has been changed.
- C. Ensure TCP port 8013 is not blocked along the way.
- D. You must authorize the downstream FortiGate on the root FortiGate.
- E. You must enable Security Fabric/Fortitelemetry on the receiving interface of the upstream FortiGate.
Answer: C,D,E
Explanation:
Authorize the downstream FortiGate on the root FortiGate.
Only registered/authorized devices can join the Security Fabric.
Ensure TCP port 8013 is not blocked along the path.
Port 8013 carries the Fabric control/telemetry session, so it must be open end to end.
Enable Security Fabric/FortiTelemetry on the upstream FortiGate's receiving interface.
Telemetry must be activated on the interface that accepts the downstream FortiGate's connection.
NEW QUESTION # 29
Refer to the exhibit. Antivirus is unable to detect an infected file downloaded through HTTPS. Part of the configuration used for antivirus inspection is shown in the exhibit.
Which configuration changes can be performed to inspect HTTPS?
- A. Disable the emulatorsetting.
- B. Enable SSL deep inspection.
- C. Increase the maximum number of subdirectories and nested archives.
- D. Set a different antivirus database.
Answer: B
Explanation:
You must switch from mere certificate inspection to full SSL deep inspection on the HTTPS profile so that the FortiGate can decrypt the traffic and pass it through the AV engine. In practice this means editing the SSL/SSH profile and setting the HTTPS inspection mode to deep-inspection (and ensuring your CA cert is installed on the clients).
NEW QUESTION # 30
Refer to the exhibit, which shows a FortiGate configuration. An administrator is troubleshooting a web filter issue on FortiGate.
The administrator has configured a web filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that is passing through the policy.
What must the administrator do to fix the issue?
- A. Set sdns-server-ipto service.fortiguard.net.
- B. Change protocolto TCP and port to 53.
- C. Disable webfilter-force-off.
- D. Disable webfilter-force-offat the VDOM level.
Answer: C
Explanation:
The global "kill switch" for web filtering is turned on (set webfilter-force-off enable), which bypasses all web filters. You need to turn it off (for example with config system fortiguard set webfilter-force-off disable) so that your web filter profile will actually inspect traffic.
NEW QUESTION # 31
Refer to the exhibit, which contains the partial configuration of an IPsec VPN configuration.
After reviewing the configuration, what can you conclude about the IPsec VPN Phase 1 setup?
- A. The VPN is configured with DHCP over IPsec.
- B. The VPN is configured using IKEv2.
- C. The tunnel is configured as a route-based VPN.
- D. Dead Peer Detection is disabled.
Answer: C
Explanation:
The use of a phase1-interface indicates this is a route based IPsec tunnel (it creates a virtual interface rather than using policy based selectors).
NEW QUESTION # 32
Refer to the exhibit, which a network topology and a partial routing table.
FortiGate has already been configured with a firewall policy that allows all ICMP traffic to flow from port1 to port3.
Which changes must the administrator perform to ensure the server at 10.4.0.1/24 receives the echo reply from the laptop at 10.1.0.1/24?
- A. A firewall policy that allows all ICMP traffic from port3 to port1.
- B. Change the configuration from strict RPF check mode to feasible RPF check mode.
- C. Enable asymmetric routing under config system settings.
- D. Modify the default gateway on the laptop from 10.1.0.2 to 10.2.0.2.
Answer: C
NEW QUESTION # 33
Refer to the exhibit, which shows a partial output from the get router info routing-table database command.
The administrator wants to configure a default static route for port3 and assign a distance of 50 and a priority of 0.
What will happen to the port1 and port2 default static routes after the port3 default static route is created?
- A. Neither of the routes shown in the output will be injected into the FIB.
- B. The port2 default static route will be injected into the forwarding information base (FIB).
- C. Both default static routes shown in the output will be injected into the FIB.
- D. The port1 default static route will be injected into the FIB.
Answer: B
NEW QUESTION # 34
Exhibit.
Refer to the exhibit, which shows the output of diagnose automation test.
What can you observe from the output? (Choose two.)
- A. The automation stitch test is not being logged.
- B. The test was unsuccessful.
- C. An HA failover occurred.
- D. The automation stitch test failed but the HA failover was successful.
Answer: A,B
NEW QUESTION # 35
Refer to the exhibits. An administrator Is expecting to receive advertised route 8.8.8.8/32 from FGT-A. On FGT-B, they confirm that the route is being advertised and received, however, the route is not being injected into the routing table. What is the most likely cause of this issue?
- A. FGT-8 is configured with a distribution list denying the 8.8.8.8/32 network to be injected into the routing table.
- B. A batter route to the 8.8.8.8/32 network exists in the routing table.
- C. FGT-B is configured with a prefix list denying the 8.8.8.8/32 network to be injected into the routing table.
- D. The administrator has misconfigured redistribution of routes on FGT-A.
Answer: C
NEW QUESTION # 36
Exhibit.
Refer to the exhibit, which contains partial output from an IKE real-time debug.
Which two statements about this debug output are correct? (Choose two.)
- A. The local gateway IP address is 10.0.0.1.
- B. The initiator provided remote as its IPsec peer ID.
- C. It shows a phase 2 negotiation.
- D. Perfect Forward Secrecy (PFS) is enabled in the configuration.
Answer: B,C
NEW QUESTION # 37
Refer to the exhibit showing a debug output.
An administrator deployed FSSO in DC Agent Mode but FSSO is failing on FortiGate. Pinging FortiGate from where the collector agent is deployed is successful.
The administrator then produces the debug output shown in the exhibit.
What could be causing this error message?
- A. The FortiGate cannot resolve the active directory server name.
- B. The FortiGate and the collector agent are using different TCP ports.
- C. The TCP port 445 is blocked between FortiGate and collector agent.
- D. The collector agent preshared password is mismatched.
Answer: B
NEW QUESTION # 38
Which statement aboutprotocol options is true?
- A. Protocol options give administrators a streamlined method to instruct FortiGate to block all sessions corresponding to disabled protocols.
- B. Protocol options allow administrators to configure the Any setting for all enabled protocols, which provides the most efficient use of system resources.
- C. Protocol options allow administrators to configure a maximum number of sessions for each configured protocol.
- D. Protocol options allow administrators to configure which Layer 4 port numbers map to upper-layer protocols, such as HTTP, SMTP, FTP, and so on.
Answer: D
NEW QUESTION # 39
Refer to the exhibit, which shows a partial output of the fssod daemon real-time debug command.
What two conclusions can you draw Itom the output? (Choose two.)
- A. FSSO is using agentless polling mode to detect logon events.
- B. FSSO is using DC agent mode to detect logon events.
- C. The workstation with IP 10.124.2.90 will be polled frequently using TCP port 445 to see if the user is still logged on.
- D. The logon event can be seen on the collector agent installed on Windows.
Answer: A,C
NEW QUESTION # 40
Refer to the exhibit, which shows partial outputs from two routing debug commands.
Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?
- A. Set preserve-session-route to enable.
- B. Set snat-route-change to enable.
- C. Set the priority of the static default route using port1 to 10.
- D. Set the priority of the static default route using port2 to 1.
Answer: C
NEW QUESTION # 41
Consider the scenario where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate. Which action will FortiGate take when using the default settings for SSL certificate inspection?
- A. FortiGate uses the SNI from the user's web browser.
- B. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
- C. FortiGate uses the first entry listed in the SAN field in the server certificate.
- D. FortiGate uses the CNinformation from the Subjectfield in the server certificate.
Answer: D
Explanation:
#Config firewall ssl-ssh-profile
edit <profile_name>
config https
set sni-server-cert-check [enable* | strict | disable]
Enable: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG uses the CN field instead of the SNI to obtain the FQDN.
Strict: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG closes the connection.
Disable: FG does not check the SNI.
NEW QUESTION # 42
......
New FCSS_NST_SE-7.4 Test Materials & Valid FCSS_NST_SE-7.4 Test Engine: https://pass4sure.testpdf.com/FCSS_NST_SE-7.4-practice-test.html
