

 Refer to the exhibit to view the application control profile.

  Based on the configuration, what will happen to Apple FaceTime?

  A. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

  B. Apple FaceTime will be allowed, based on the Apple filter configuration.

  C. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn.

  D. Apple FaceTime will be allowed, based on the Categories configuration.

  [Analysis] Tutorial (7.0) 09. FortiGate Security & Application Control ❀ Fortinet Network Security Expert NSE 4



 An administrator must disable RPF check to investigate an issue.

  Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

  A. Enable asymmetric routing, so the RPF check will be bypassed.

  B. Disable the RPF check at the FortiGate interface level for the source check.

  C. Disable the RPF check at the FortiGate interface level for the reply check.

  D. Enable asymmetric routing at the interface level.

  [Analysis] Tutorial (7.0) 01. FortiGate Infrastructure & Routing ❀ Fortinet Network Security Expert NSE 4


 An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24. How must the administrator configure the local quick mode selector for site B?







 Which of the following statements about central NAT are true? (Choose two.)

  A. IP pool references must be removed from existing firewall policies before enabling central NAT.

  B. Central NAT can be enabled or disabled from the CLI only.

  C. Source NAT, using central NAT, requires at least one central SNAT policy.

  D. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

  [Analysis] Tutorial (7.0) 04. FortiGate Security & NAT ❀ Fortinet Network Security Expert NSE 4

  [Answer] A B

 An organization’s employee needs to connect to the office through a high-latency internet connection.

  Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

  A. Change the session-ttl.

  B. Change the login timeout.

  C. Change the idle-timeout.

  D. Change the udp idle timer.

  [Analysis] Tutorial (7.0) 12. FortiGate Security & SSL VPN ❀ Fortinet Network Security Expert NSE 4

  For high-latency SSL VPN connections, FortiGate causes the client to time out before it completes negotiation steps such as DNS resolution and token entry. Two new CLI commands were added under config vpn ssl settings to address this. The first command sets the login timeout, replacing the previous hard timeout value. The second command sets the DTLS hello timeout for SSL VPN connections.


 An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)

  A. The interface has been configured for one-arm sniffer.

  B. The interface is a member of a virtual wire pair.

  C. The operation mode is transparent.

  D. The interface is a member of a zone.

  E. Captive portal is enabled in the interface.


  [Answer] A B C

 Which two statements are correct about a software switch on FortiGate? (Choose two.)

  A. It can be configured only when FortiGate is operating in NAT mode

  B. Can act as a Layer 2 switch as well as a Layer 3 router

  C. All interfaces in the software switch share the same IP address

  D. It can group only physical interfaces

  [Analysis] Tutorial (7.0) 04. FortiGate Infrastructure & Layer 2 Switching ❀ Fortinet Network Security Expert NSE 4

  [Answer] A C

 Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

  A. FortiGate points the collector agent to use a remote LDAP server.

  B. FortiGate uses the AD server as the collector agent.

  C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

  D. FortiGate queries AD by using the LDAP to retrieve user group information.


  [Answer] C D

 What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  A. It limits the scope of application control to the browser-based technology category only.

  B. It limits the scope of application control to scan application traffic based on application category only.

  C. It limits the scope of application control to scan application traffic using parent signatures only.

  D. It limits the scope of application control to scan application traffic on DNS protocol only.

  [Analysis] Tutorial (7.0) 09. FortiGate Security & Application Control ❀ Fortinet Network Security Expert NSE 4


 Examine this output from a debug flow:

  Why did the FortiGate drop the packet?

  A. The next-hop IP address is unreachable.

  B. It failed the RPF check.

  C. It matched an explicitly configured firewall policy with the action DENY.

  D. It matched the default implicit firewall policy.

  [Analysis] Tutorial (7.0) 03. FortiGate Security & Firewall Policies ❀ Fortinet Network Security Expert NSE 4


