A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy.
When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the and does not block the file allowing it to be downloaded.
The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two.)
A. The selected SSL inspection profile has certificate inspection enabled B. The browser does not trust the FortiGate self-siqned CA certificate C. The EICAR test file exceeds the protocol options oversize limit D. The website is exempted from SSL inspection
A. The selected SSL inspection profile has certificate inspection enabled D. The website is exempted from SSL inspection Explanation Explanation/Reference: The selected SSL inspection profile has certificate inspection enabled If the SSL inspection profile is set to certificate inspection instead of full SSL inspection, FortiGate will only inspect the certificate of the HTTPS connection but will not decrypt and inspect the actual traffic content, leading to a failure in virus detection. The website is exempted from SSL inspection If the website hosting the EICAR test file is exempt from SSL inspection, FortiGate will not decrypt the traffic, meaning it cannot inspect the file content for viruses, resulting in the file being downloaded without detection.
Question 2:
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?
A. The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile B. The browser does not trust the certificate used by FortiGate for SSL inspection C. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions. D. The matching firewall policy is set to proxy inspection mode
B. The browser does not trust the certificate used by FortiGate for SSL inspection Explanation Explanation/Reference: When full SSL inspection is enabled, FortiGate intercepts HTTPS traffic, decrypts it for inspection, and re-encrypts it using its own SSL certificate before forwarding it to the browser. If the browser does not trustthe SSL certificate being used by FortiGate for re- encryption, it will display certificate warning errors. To resolve this, the certificate used by FortiGate for SSL inspection must be installed and trusted in the browser's certificate store.
Question 3:
Refer to the exhibit.
The NOC team connects to the FortiGate GUI with theNOC_Accessadmin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to answer this specific request from the NOC team?
A. Enable the parameter Never Timeout in the admin profiles B. Increase theadmintimeoutvalue underconfig system accprofile super_admin. C. Increase the admintimeout value under config system global D. Increase the offline value of the Override idle Timeout parameter in the NOC_Access admin profile
D. Increase the offline value of the Override idle Timeout parameter in the NOC_Access admin profile Explanation Explanation/Reference: "You can override the idle timeout setting per administartor profile using the Override Idle Timeout setting. You can configure an administrator profile to increase inactivity timeout and facilitate use of the GUI for central monitoring. Then Override Idel Timeout setting allows the admintimeout value, under the config system accprofile, to be overridden per access profile."
Question 4:
Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
A. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load- balance-mode. B. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume- based. C. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP D. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
A. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load- balance-mode. D. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings. Explanation Explanation/Reference: When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi- Path (ECMP) is configured using theload-balance-modeparameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured underconfig system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements. References: FortiOS 7.4.1 Administration Guide: ECMP Configuration
Question 5:
Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)
A. Checksums of devices are compared against each other to ensure configurations are the same. B. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device. C. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster D. Checksums of devices will be different from each other because some configuration items are not synced to other HA members.
A. Checksums of devices are compared against each other to ensure configurations are the same. C. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster Explanation Explanation/Reference:"After the initial synchronization is complete, whenever a change is made to the configuration of an HA cluster device (primary or secondary), incremental synchronization sends the same configuration change to all other cluster devices over the HA heartbeat link"
Question 6:
Refer to the exhibit.
Why did FortiGate drop the packet?
A. 11 matched an explicitly configured firewall policy with the action DENY B. It failed the RPF check. C. The next-hop IP address is unreachable. D. It matched the default implicit firewall policy
D. It matched the default implicit firewall policy
Question 7:
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.
Based on the exhibit, which statement is true?
A. The underlay zone contains port1 and B. The d-wan zone contains no member. C. The d-wan zone cannot be deleted. D. The virtual-wan-link zone contains no member.
B. The d-wan zone contains no member. The "d-wan" zone in FortiGate SD-WAN configuration is the default SD-WAN zone created when SD-WAN is enabled. This zone contains all the interfaces assigned to SD-WAN and is essential for the functionality of the SD-WAN feature. The "d-wan" zone cannot be deleted because it is required for SD-WAN operations. Option A is incorrect because the underlay zone does notcontain port1. Options B and D are incorrect because they incorrectly describe the configuration of zones. References: FortiOS 7.4.1 Administration Guide: SD-WAN Zone Configuration
Question 8:
Which two pieces of information are synchronized between FortiGate HA members? (Choose two.)
A. OSPF adjacencies B. IPsec security associations C. BGP peerings D. DHCP leases
B. IPsec security associations D. DHCP leases IPsec security associations IPsec security associations (SAs) are synchronized between HA members to ensure seamless failover and continuity of VPN tunnels. DHCP leases DHCP lease information is synchronized between HA members to maintain consistent IP address assignments and prevent disruptions when failover occurs.
Question 9:
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?
A. Change the csf setting on Local-FortiGate (root) to sec fabric-object-unification default. B. Change the csf setting on both devices to sec downscream-access enable. C. Change the csf setting on ISFW (downstream) to sec auchorizacion-requesc-cype certificace. D. Change the csf setting on ISFW (downstream) to sec configuration-sync local.
A. Change the csf setting on Local-FortiGate (root) to sec fabric-object-unification default. Explanation Explanation/Reference:Set object synchronization (fabric-object-unification) to default or local on a downstream device. When set to local, the device does not synchronize objects from the root, but will still participate in sending the synchronized object downstream.https://docs.fortinet.com/document/fortigate/6.4.0/new- features/520820/improvements-to-synchronizing-objects-across-the-security-fabric-6-4-4
Question 10:
Which statement is correct regarding the use of application control for inspecting web applications?
A. Application control can identify child and parent applications, and perform different actions on them B. Application control signatures are included in Fortinet Antivirus engine C. Application control does not display a replacement message for a blocked web application D. Application control does not require SSL Inspection to Identity web applications
A. Application control can identify child and parent applications, and perform different actions on them Explanation Explanation/Reference: FortiGate's application control can differentiate between parent and child applications and allows administrators to configure distinct actions for each. For example, it can identify Facebook (parent application) and specific functions within it (child applications) like Facebook video or chat, enabling more granular control over application traffic.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Fortinet exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your FCP_FGT_AD-7.4 exam preparations
and Fortinet certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.