Practice Free FCSS_NST_SE-7.4 Exam Online Questions
Exhibit 1.
Exhibit 2.
Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.
An administrator would like to test session failover between the two service provider connections.
Which two changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)
- A . Change the priority of the port1 static route to 11.
- B . Change the priority of the port2 static route to 5.
- C . Configure unset snat-route-change to return it to the default setting.
- D . Configure set snat-route-change enable.
Consider the scenario where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate.
Which action will FortiGate take when using the default settings for SSL certificate inspection?
- A . FortiGate uses the SNI from the user’s web browser.
- B . FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
- C . FortiGate uses the first entry listed in the SAN field in the server certificate.
- D . FortiGate uses the CN information from the Subject field in the server certificate.
Which two statements about conserve mode are true? (Choose two.)
- A . FortiGate enters conserve mode when the system memory reaches the configured extreme threshold.
- B . FortiGate starts taking the configured action for new sessions requiring content inspection when the system memory reaches the configured red threshold.
- C . FortiGate exits conserve mode when the system memory goes below the configured green threshold.
- D . FortiGate starts dropping all new sessions when the system memory reaches the configured red threshold.
In IKEv2, which exchange establishes the first CHILD_SA?
- A . IKE_SA_INIT
- B . INFORMATIONAL
- C . CREATE_CHILD_SA
- D . IKE_AUTH
Refer to the exhibit, which shows the output of a policy route table entry.
Which type of policy route does the output show?
- A . An ISDB route
- B . A regular policy route
- C . A regular policy route, which is associated with an active static route in the FIB
- D . An SD-WAN rule
Which statement about IKEv2 is true?
- A . Both IKEv1 and IKEv2 share the feature of asymmetric authentication.
- B . IKEv1 and IKEv2 have enough of the header format in common that both versions can run over the same UDP port.
- C . IKEv1 and IKEv2 use the same TCP port but run on different UDP ports.
- D . IKEv1 and IKEv2 share the concept of phase1 and phase2.
Refer to the exhibit, which shows a partial output of the fssod daemon real-time debug command.
What two conclusions can you draw from the output? (Choose two.)
- A . The workstation with IP 10.124.2.90 will be polled frequently using TCP port 445 to see if the user is still logged on.
- B . The logon event can be seen on the collector agent installed on Windows.
- C . FSSO is using DC agent mode to detect logon events.
- D . FSSO is using agentless polling mode to detect logon events.
Exhibit.
Refer to the exhibit, which shows the output of a diagnose command.
What can you conclude about the debug output in this scenario?
- A . The first server provided to FortiGate when it performed a DNS query looking for a list of rating servers was 121.111.236.179.
- B . There is a natural correlation between the value in the FortiGuard-requests field and the value in the Weight field.
- C . FortiGate used 64.26.151.37 as the initial server to validate its contract.
- D . Servers with a negative TZ value are less preferred for rating requests.
Which authentication option can you not configure under config user radius on FortiOS?
- A . mschap
- B . pap
- C . mschap2
- D . eap
Exhibit.
Refer to the exhibit, which contains a screenshot of some phase 1 settings.
The VPN is not up. To diagnose the issue, the administrator enters the following CLI commands on an SSH session on FortiGate:
However, the IKE real-time debug does not show any output.
Why?
- A . The administrator must also run the command diagnose debug enable.
- B . The debug shows only error messages. If there is no output, then the phase 1 and phase 2 configurations match.
- C . The log-filter setting is incorrect. The VPN traffic does not match this filter.
- D . Replace diagnose debug application ike -1 with diagnose debug application ipsec -1.