[Q14-Q34] Try 100% Updated FCP_FGT_AD-7.4 Exam Questions [2024]


Fortinet FCP_FGT_AD-7.4 Exam Syllabus Topics:

Topic | Details
Topic 1
  • Firewall Authentication: This section tests the skills of Network Security Specialists and Fortinet Administrators. It covers the setup and management of various firewall authentication methods.
Topic 2
  • Antivirus: This section measures the skills of Security Analysts and Network Administrators. It focuses on the configuration and management of antivirus functionalities within FortiGate.
Topic 3
  • High Availability: This section measures the skills of Network Engineers and IT Administrators. It focuses on the configuration and management of high-availability setups to maintain continuous network operation.
Topic 4
  • SD-WAN Configuration and Monitoring: This section assesses the abilities of Network Engineers and IT Managers. It includes configuring and monitoring SD-WAN to enhance network performance and reliability.
Topic 5
  • Intrusion Prevention and Application Control: This section evaluates the skills of Security Engineers and IT Security Specialists. It covers the configuration of intrusion prevention systems (IPS) and application control features.
Topic 6
  • Firewall Policies and NAT: This section evaluates the competencies of Security Policy Administrators and Network Engineers. It focuses on the creation and management of firewall policies and network address translation (NAT) configurations.
Topic 7
  • Certificate Operations: This section evaluates the proficiency of Network Security Engineers and IT Administrators. It includes the management and configuration of digital certificates to secure communications.
Topic 8
  • Diagnostics and Troubleshooting: This section tests the abilities of Network Support Technicians and Security Troubleshooters. It involves diagnosing and resolving issues within FortiGate and related systems.
Topic 9
  • Web Filtering: This section assesses the abilities of Security Policy Administrators and Network Analysts. It involves setting up and managing web filtering policies to regulate internet access.
Topic 10
  • System and Network Settings: This section assesses the abilities of Network Security Administrators and Engineers. It involves the setup and configuration of system and network settings to ensure optimal performance of FortiGate.

 

NEW QUESTION # 14
Refer to the exhibit.


The exhibit contains a network diagram, firewall policies, and a firewall address object configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2.
Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  • A. Enable match-vip in the Deny policy.
  • B. Set the Destination address as Deny_IP in the Allow-access policy.
  • C. Disable match-vip in the Deny policy.
  • D. Set the Destination address as Web_server in the Deny policy.

Answer: A,D

Explanation:
By default, a Deny policy with destination "all" does not match VIP traffic. So we have two options:
1. Enable match-vip in the Deny policy.
2. Set the destination to Webserver in the Deny policy. match-vip should be enabled, not disabled.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641


NEW QUESTION # 15
Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)

  • A. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device.
  • B. Checksums of devices are compared against each other to ensure configurations are the same.
  • C. Checksums of devices will be different from each other because some configuration items are not synced to other HA members.
  • D. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster

Answer: A,B

Explanation:
In FortiGate HA (High Availability) configuration, checksums of device configurations are compared to ensure they are synchronized and identical across the cluster. Incremental synchronization can only happen from changes made on the primary device to ensure consistency and integrity across the cluster members.
Changes made on non-primary devices do not initiate synchronization.
References:
* FortiOS 7.4.1 Administration Guide: HA Configuration Synchronization


NEW QUESTION # 16
Refer to the exhibit.

Which route will be selected when trying to reach 10.20.30.254?

  • A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
  • B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
  • C. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
  • D. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]

Answer: A

Explanation:
The correct route to reach 10.20.30.254 would be:
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
This route is more specific (10.20.30.0/24) compared to the other routes (10.20.30.0/26 and 10.30.20.0/24) and would therefore be selected as the best match.


NEW QUESTION # 17
Refer to the exhibit.

Why did FortiGate drop the packet?

  • A. The next-hop IP address is unreachable.
  • B. It matched the default implicit firewall policy.
  • C. It failed the RPF check.
  • D. It matched an explicitly configured firewall policy with the action DENY.

Answer: B

Explanation:
The debug trace output shows that the packet was "Denied by forward policy check (policy 0)." In FortiGate, policy ID 0 corresponds to the default implicit deny policy. This means that if a packet does not match any configured firewall policies, it is denied by the default implicit policy.
References:
* FortiOS 7.4.1 Administration Guide: Firewall Policies


NEW QUESTION # 18
Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

  • A. Application header
  • B. IP header
  • C. Interface name
  • D. Ethernet header
  • E. Packet payload

Answer: B,C,E

Explanation:
The packet capture verbosity level is set to 5 in the exhibit. If it were level 6, the output would also include Ethernet headers. Application headers are never included.
This is correct:
* Packet payload
* IP header
* Interface name
Sniffer with verbosity 5: IP header, IP payload, port name.


NEW QUESTION # 19
Refer to the exhibits.
Exhibit A shows system performance output.

Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

  • A. Administrators cannot change the configuration.
  • B. FortiGate will start sending all files to FortiSandbox for inspection.
  • C. Administrators can access FortiGate only through the console port.
  • D. FortiGate has entered conserve mode.

Answer: A,D

Explanation:
What actions does FortiGate take to preserve memory while in conserve mode?
* FortiGate does not accept configuration changes, because they might increase memory usage.
* FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.
* You can configure the fail-open setting under config ips global to control how the IPS engine behaves when the IPS socket buffer is full.
Based on the system performance output, it appears that FortiGate has entered conserve mode and administrators cannot change the configuration.
FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational capacity in order to conserve resources and improve performance. This may be necessary if the system is experiencing high levels of traffic or if there are issues with resource utilization.
Administrators cannot change the configuration: When the system is in conserve mode, administrators may not be able to change the configuration. This is because the system is prioritizing resource conservation over other activities, and making changes to the configuration may require additional resources that are not available.
It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and administrators may still be able to access FortiGate through other means besides the console port. "If memory usage goes above the percentage of total RAM defined as the red threshold, FortiGate enters conserve mode."
"FortiGate does not accept configuration changes, because they might increase memory usage."
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580


NEW QUESTION # 20
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

  • A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
  • B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
  • C. The client FortiGate requires a manually added route to remote subnets.
  • D. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Answer: A,D

Explanation:
The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
C: The server FortiGate requires a CA certificate to verify the client FortiGate certificate:
When setting up SSL VPN between two FortiGate devices, the server FortiGate needs a CA (Certificate Authority) certificate to verify the client FortiGate's certificate. This ensures that the client connecting to the VPN is authenticated and trusted.
D: The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN:
For the SSL VPN to function, the client FortiGate needs to have the SSL VPN tunnel interface type configured. This interface type is specifically designed for SSL VPN connections, allowing the client FortiGate to establish the VPN tunnel with the server FortiGate.
These two settings together ensure that the SSL VPN connection between the two FortiGate devices is properly authenticated and established, allowing secure communication between them.


NEW QUESTION # 21
Which three statements explain a flow-based antivirus profile? (Choose three.)

  • A. FortiGate buffers the whole file but transmits to the client at the same time.
  • B. Flow-based inspection optimizes performance compared to proxy-based inspection.
  • C. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
  • D. The IPS engine handles the process as a standalone.
  • E. If a virus is detected, the last packet is delivered to the client.

Answer: A,B,C

Explanation:
A: Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection.
D: The IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. Some operations can be offloaded to SPUs to improve performance (not C).
E: If performance is your top priority, then flow inspection mode is more appropriate.
Extra explanation:
A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
Flow-based inspection combines aspects of both proxy-based and flow-based inspection methods to optimize performance and scanning effectiveness.
D. FortiGate buffers the whole file but transmits to the client at the same time.
In flow-based inspection, FortiGate buffers the entire file for scanning before transmitting it to the client.
This allows for comprehensive scanning without delaying the transmission to the client.
E. Flow-based inspection optimizes performance compared to proxy-based inspection.
Flow-based inspection is generally more efficient than proxy-based inspection, especially in high-traffic environments, as it does not require the buffering of entire files before delivery.


NEW QUESTION # 22
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

  • A. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • B. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • C. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
  • D. FortiGate automatically negotiates a new security association after the existing security association expires.

Answer: C

Explanation:
When IPsec SAs expire, FortiGate needs to negotiate new SAs to continue sending and receiving traffic over the IPsec tunnel. Technically, FortiGate deletes the expired SAs from the respective phase 2 selectors, and installs new ones. If IPsec SA renegotiation takes too much time, then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation.
Enabling auto-negotiate also enables auto-keep-alive by default, which brings up the tunnel automatically.
Answer B is a little bit tricky: auto-negotiate will negotiate a new SA "before" the existing SA expires, not "after" the existing SA expires.


NEW QUESTION # 23
What is eXtended Authentication (XAuth)?

  • A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
  • B. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
  • C. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
  • D. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).

Answer: D

Explanation:
The correct answer is:
B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
Explanation:
eXtended Authentication (XAuth) is an IPsec extension that adds additional authentication for remote VPN users after the initial IPsec phase 1 and phase 2 negotiations. XAuth requires users to provide their credentials (username and password) in addition to the standard IPsec authentication, enhancing the security of the VPN connection.


NEW QUESTION # 24
Refer to the exhibit:

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

  • A. There will be eight routes active in the routing table.
  • B. The port3 default route has the highest distance.
  • C. The port3 default route has the lowest metric.
  • D. The port1 and port2 default routes are active in the routing table.

Answer: B,D

Explanation:
*> means active routes.
The first square bracket means administrative distance.
The second square bracket means priority (valid only on static routes). The metric applies only among multiple routes with the same administrative distance.


NEW QUESTION # 25
Which of the following statements correctly describe FortiGate's route lookup behavior when searching for a suitable gateway? (Choose two.)

  • A. Lookup is done on every packet, regardless of direction
  • B. Lookup is done on the first reply packet from the responder
  • C. Lookup is done on the last packet sent from the responder
  • D. Lookup is done on the first packet from the session originator

Answer: B,D

Explanation:
FortiGate performs route lookup based on the trust packet. The trust packet is the first packet of the session that is sent by the session originator.
This is the packet that initiates the communication. The route lookup is also done on the trust reply packet, which is the first reply packet received from the responder.
In summary, FortiGate looks at the initial packet from the session originator and the first reply packet from the responder when performing route lookup to determine the suitable gateway.


NEW QUESTION # 26
Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.
With this configuration, which statement is true?

  • A. A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.
  • B. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
  • C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  • D. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

Answer: D

Explanation:
A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
Incorrect:
B. A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.
C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs. (transparent-transparent)
D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
Each VDOM has independent security policies and routing tables. Also, and by default, traffic from one VDOM cannot go to a different VDOM.
You cannot create an inter-VDOM link between Layer 2 transparent mode VDOMs. At least one of the VDOMs must be operating in NAT mode.
Similar to FortiGate without VDOMs enabled, the management VDOM should have outgoing internet access. Otherwise, features such as scheduled FortiGuard updates, fail.


NEW QUESTION # 27
Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)

  • A. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
  • B. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
  • C. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.
  • D. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP

Answer: A,D


NEW QUESTION # 28
Refer to the exhibits.



The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)

  • A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
  • B. In the IP pool configuration, set endip to 192.2.0.12.
  • C. In the IP pool configuration, set type to overload.
  • D. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.

Answer: B,C

Explanation:
To resolve the issue of PC3 not being able to access the internet, the administrator needs to adjust the IP pool configuration or the firewall policy. The following two options will fix the connectivity issue:
* B. In the IP pool configuration, set the ending IP to 192.2.0.12: The current IP pool range is 192.2.0.10-192.2.0.11, which only provides two IP addresses for network address translation (NAT). To allow PC3 to access the internet, the IP pool should be expanded to include an additional IP address by changing the end of the range to 192.2.0.12.
* D. In the IP pool configuration, set type to overload: Instead of using a one-to-one NAT, changing the type to overload will allow multiple internal addresses (such as PC1, PC2, and PC3) to share a single external IP address. This will solve the issue without needing additional public IP addresses.
The other options are not suitable:
* A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field: This option is unnecessary since the firewall policy already allows all addresses from the source (LAN port3).
* C. Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy on top of the list: This option is redundant and would not resolve the underlying issue with the IP pool configuration.
References
* FortiOS 7.4.1 Administration Guide - Configuring Firewall Policies, page 512.
* FortiOS 7.4.1 Administration Guide - Configuring NAT with IP Pools, page 518.


NEW QUESTION # 29
Refer to the exhibits.


The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.
Which policy will be highlighted, based on the input criteria?

  • A. Policy with ID 1.
  • B. Policy with ID 4.
  • C. Policy with ID 5.
  • D. Policies with ID 2 and 3.

Answer: C

Explanation:
Policy with ID 5.
The traffic comes from port3 and hits Facebook-Web (Application); the screenshot shows that it allows HTTP and HTTPS traffic (80, 443).
There are 3 rules related to port3
and two rules with source LOCAL_CLIENT.
This leaves us with Rules 1 and 5.
Rule one: Service = ALL_UDP
Rule five = Internet Services
The destination port we are looking for is 443 (usually this is TCP).
So it has to be policy ID 5.
We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com TCP port 443 (HTTPS). There are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies are evaluated from top to bottom. This means that the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based on the Policy Lookup criteria, Policy ID 5 will be highlighted.


NEW QUESTION # 30
Refer to the exhibit.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?

  • A. Create an Interface Group that includes port1 and port2 to create a single firewall policy
  • B. Replace port1 and port2 with the any interface in a single firewall policy.
  • C. Select port1 and port2 subnets in a single firewall policy.
  • D. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy

Answer: A

Explanation:
To consolidate the two separate firewall policies for Sales and Engineering departments accessing the same web server, you can create an Interface Group that includes both port1 (Sales) and port2 (Engineering). Once the Interface Group is created, you can use this group as a single incoming interface in a single firewall policy. This approach reduces the number of policies, making management more efficient.
References:
* FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration


NEW QUESTION # 31
A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors.
What is the reason for the certificate warning errors?

  • A. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.
  • B. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
  • C. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
  • D. The browser does not recognize the certificate in use as signed by a trusted CA.

Answer: D

Explanation:
The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.
References:
* FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration


NEW QUESTION # 32
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

  • A. The host field in the HTTP header
  • B. The subject alternative name (SAN) field in the server certificate
  • C. The serial number in the server certificate
  • D. The subject field in the server certificate
  • E. The server name indication (SNI) extension in the client hello message

Answer: B,D,E

Explanation:
When SSL certificate inspection is enabled, FortiGate uses the following three pieces of information to identify the hostname of the SSL server:
A. The subject field in the server certificate
The subject field typically contains the common name (CN) that represents the hostname.
C. The server name indication (SNI) extension in the client hello message
SNI is an extension to the TLS protocol that indicates the hostname to which the client is attempting to connect.
D. The subject alternative name (SAN) field in the server certificate
The SAN field can include additional hostnames (alternative names) that are valid for the certificate.
So, the correct choices are A, C, and D.
FortiGate first uses SNI; if there is no SNI, it uses the Subject or Subject Alternative Name.
During the exchange of hello messages at the beginning of an SSL handshake, FortiGate parses server name indication (SNI) from client Hello, which is an extension of the TLS protocol. The SNI tells FortiGate the hostname of the SSL server, which is validated against the DNS name before receipt of the server certificate. If there is no SNI exchanged, then FortiGate identifies the server by the value in the Subject field or SAN (subject alternative name) field in the server certificate.


NEW QUESTION # 33
What are two features of collector agent advanced mode? (Choose two.)

  • A. In advanced mode, security profiles can be applied only to user groups, not individual users.
  • B. Advanced mode uses the Windows convention -NetBios: Domain\Username.
  • C. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
  • D. Advanced mode supports nested or inherited groups.

Answer: B,C

Explanation:
Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.


NEW QUESTION # 34
......
