The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy. and the sniffer CLI output on the FortiGate device.
The WAN (port1) interface has the IP address 10.200.1.1 /24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The webserver host (10. 0.1. 10) must use its VIP external IP address as the source NAT (SNAT) when It pings remote server (10.200.3.1).
Which two statements are valid to achieve this goal? (Choose two.)
A. Enable NAT on the Allow_access firewall policy. B. Create a new firewall policy before lnternet_Access for the webserver and apply the IP pool. C. Disable NAT on the lnternet_Access firewall policy. D. Disable port forwarding on the VIP object.
A. Enable NAT on the Allow_access firewall policy. D. Disable port forwarding on the VIP object. Explanation Explanation/Reference: Enable NAT on the Allow_access firewall policy (A): Disable port forwarding on the VIP object (D): Why other options are not correct: B. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool: C. Disable NAT on the Internet_Access firewall policy: Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.
Question 12:
Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
A. The intrusion prevention security profile must be enabled when using flow-based inspection mode. B. The option to send files to FortiSandbox for inspection is enabled. C. The firewall policy performs a full content inspection on the file. D. Flow-based inspection is used, which resets the last packet to the user.
D. Flow-based inspection is used, which resets the last packet to the user. Explanation Explanation/Reference:In flow-based inspection mode, FortiGate sends a reset (RST) packet to the client instead of providing a replacement message, which causes the block message not to be displayed.
Question 13:
What is the primary FortiGate election process when the HA override setting is disabled?
A. Connected monitored ports > Priority > System uptime > FortiGate serial number B. Connected monitored ports > System uptime > Priority > FortiGate serial number C. Connected monitored ports > Priority > HA uptime > FortiGate serial number D. Connected monitored ports > HA uptime > Priority > FortiGate serial number
D. Connected monitored ports > HA uptime > Priority > FortiGate serial number Explanation Explanation/Reference:https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-Primary-unit-selection-process-when/ta-p/249745 https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disabled-default
Question 14:
Refer to the exhibit to view the firewall policy.
Why would the firewall policy not block a well-known virus, for example eicar?
A. The action on the firewall policy is not set to deny. B. The firewall policy is not configured in proxy-based inspection mode. C. Web filter is not enabled on the firewall policy to complement the antivirus profile. D. The firewall policy does not apply deep content inspection.
D. The firewall policy does not apply deep content inspection. Explanation Explanation/Reference: While Flow-Based inspection mode is limited, it still can scan viruses if they are not overly complex. SSL certificate inspection only inspects the certificate of the encrypted traffic, ensuring it is valid and not self-signed or expired. It does not decrypt the actual content of the SSL/TLS traffic, meaning that any malicious content inside encrypted HTTPS traffic will pass through without being inspected. So here, we can assume the EICAR file was accessed via HTTPS.
Question 15:
Refer to the exhibit.
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit. What do you conclude when adding theFTP.Login.Failedsignature to the IPS sensor profile?
A. Traffic matching the signature will be allowed and logged. B. The signature setting uses a custom rating threshold. C. The signature setting includes a group of other signatures. D. Traffic matching the signature will be silently dropped and logged.
D. Traffic matching the signature will be silently dropped and logged.
Question 16:
Refer to the exhibits, which show the firewall policy and the security profile for Facebook.
Users are given access to the Facebook web application.
They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the configuration must you change to resolve the issue?
A. Make the SSL inspection a deep content inspection B. Add Facebook to the URL category in the security policy C. Disable HTTP redirect to HTTPS on the web browser D. Get the additional application signatures required to add to the security policy
A. Make the SSL inspection a deep content inspection
Question 17:
Which two statements are true about the FGCP protocol? (Choose two.)
A. FGCP is not used when FortiGate is in transparent mode B. FGCP elects the primary FortiGate device C. FGCP is used to discover FortiGate devices in different HA groups D. FGCP runs only over the heartbeat links
B. FGCP elects the primary FortiGate device D. FGCP runs only over the heartbeat links FGCP elects the primary FortiGate device FGCP is responsible for electing the primary (active) device in a FortiGate HA (High Availability) cluster, ensuring proper role assignment between the primary and secondary devices. FGCP runs only over the heartbeat links FGCP runs over the dedicated heartbeat links between FortiGate devices in the HA cluster, ensuring synchronization and communication between the devices for failover and redundancy purposes.
Question 18:
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
A. The NetSessionEnum function is used to track user logouts. B. NetAPI polling can increase bandwidth usage in large networks. C. The collector agent must search Windows application event logs. D. The collector agent uses a Windows API to query DCs for user logins.
A. The NetSessionEnum function is used to track user logouts.
Question 19:
Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)
A. Manual with load balancing B. Lowest Cost (SLA) with load balancing C. Best Quality with load balancing D. Lowest Quality (SLA) with load balancing E. Lowest Cost (SLA) without load balancing
A. Manual with load balancing B. Lowest Cost (SLA) with load balancing E. Lowest Cost (SLA) without load balancing Explanation Explanation/Reference:https://docs.fortinet.com/document/fortigate/7.4.4/administration- guide/342836/lowest-cost-sla-strategy
Question 20:
Refer to the exhibits, which show a diagram of a FortiGate device connected to the network. VIP object configuration, and the firewall policy configuration.
TheWAN (port1)interface has the IP address10.200.1.1/24. TheLAN (port3)interface has the IP address10.0.1.254/24.
If the host10.200.3.1sends a TCP SYN packet on port 8080 to10.200.1.10, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?
A. 10.0.1.254, 10.200.1.10, and 8080, respectively B. 10.0.1.254, 10.0.1.10, and 80, respectively C. 10.200.3.1, 10.0.1.10, and 80, respectively D. 10.200.3.1, 10.0.1.10, and 8080, respectively
C. 10.200.3.1, 10.0.1.10, and 80, respectively Explanation Explanation/Reference: The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy). The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10. The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Fortinet exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your FCP_FGT_AD-7.4 exam preparations
and Fortinet certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.