Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)
A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate. C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate. D. The client FortiGate requires a manually added route to remote subnets.
A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate. Explanation/Reference: When a FortiGate is used as an SSL VPN client, it needs an interface of type SSL VPN tunnel to connect to the SSL VPN server. This is the client-side virtual interface to which the SSL VPN server assigns a temporary IP address for the lifetime of the SSL connection. The server FortiGate, in turn, must hold the CA certificate that signed the client FortiGate's certificate so that it can verify and trust that certificate. Option C is not required because the client certificate only has to be signed by a CA the server trusts, not necessarily by a CA hosted on the server FortiGate, and option D is not required because routes to the remote subnets are learned over the tunnel rather than added manually.
Question 22:
An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?
A. SSL VPN idle-timeout B. SSL VPN login-timeout C. SSL VPN dtls-hello-timeout D. SSL VPN session-ttl
C. SSL VPN dtls-hello-timeout. For a high-latency internet connection, the SSL VPN setting that should be adjusted is the dtls-hello-timeout. This setting determines how long FortiGate waits for the DTLS hello message from the client; on high-latency links the hello can arrive after the timer has expired, so increasing the value prevents SSL VPN negotiation failures caused by that delay. It is set in the CLI under config vpn ssl settings (set dtls-hello-timeout <seconds>) and only matters when DTLS is enabled for the tunnel (set dtls-tunnel enable); with DTLS disabled the tunnel runs over TLS/TCP and this timer is not used. The other options are not suitable: A. SSL VPN idle-timeout controls how long an established session may stay idle before it is terminated, which is unrelated to the initial negotiation. B. SSL VPN login-timeout controls the maximum time allowed for a user to complete the login, but does not affect the DTLS negotiation. D. SSL VPN session-ttl controls the total lifetime of an SSL VPN session and does not address the latency of the handshake. References: FortiOS 7.4.1 Administration Guide, SSL VPN Configuration, page 1415.
Question 23:
Refer to the exhibit.
FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles. Which action must the administrator perform to consolidate the two policies into one?
A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy B. Create an Interface Group that includes port1 and port2 to create a single firewall policy C. Select port1 and port2 subnets in a single firewall policy. D. Replace port1 and port2 with the any interface in a single firewall policy.
A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy. Explanation/Reference: Because both departments reach the same web server through the same security profiles, the only thing that differs between the two policies is the incoming interface (port1 for Sales, port2 for Engineering). In the GUI a firewall policy accepts only one incoming interface until Multiple Interface Policies is enabled under System > Feature Visibility; once it is enabled, the administrator can select both port1 and port2 as the incoming interface of a single policy and remove the duplicate. Option D would work only at the cost of matching every interface, including ones that should not reach the web server, and option C is not possible because interfaces and subnets are different policy fields. References: FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration
Question 24:
Refer to the exhibit showing a FortiGuard connection debug output.
Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)
A. One server was contacted to retrieve the contract information. B. There is at least one server that lost packets consecutively. C. A local FortiManager is one of the servers FortiGate communicates with. D. FortiGate is using default FortiGuard communication settings.
A. One server was contacted to retrieve the contract information. D. FortiGate is using default FortiGuard communication settings. The debug output shows that FortiGate contacted a single server (173.243.141.16) to retrieve the contract information: four FortiGuard requests are listed for it without any packet loss, so option B does not apply. The output also shows the default FortiGuard communication settings in use, namely HTTPS on port 443, which is the default protocol and port for FortiGuard connections; no local FortiManager appears in the server list, so option C does not apply either. References: FortiOS 7.4.1 Administration Guide: FortiGuard Connection Settings
Question 25:
An administrator configured a FortiGate to act as a collector for agentless polling mode.
What must the administrator add to the FortiGate device to retrieve AD user group information?
A. LDAP server B. RADIUS server C. DHCP server D. Windows server
A. LDAP server. Explanation/Reference: In agentless polling mode FortiGate itself polls the Windows domain controllers for logon events, but those events carry only the user name, so the administrator must add an LDAP server to the FortiGate device for it to look up the AD user group information.
Question 26:
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)
A. Enable match-vip in the Deny policy. B. Set the Destination address as Webserver in the Deny policy. C. Disable match-vip in the Deny policy. D. Set the Destination address as Deny_IP in the Allow_access policy.
A. Enable match-vip in the Deny policy. B. Set the Destination address as Webserver in the Deny policy. To deny access to the web server for Remote-User2 while allowing Remote-User1 to access the same web server, two configuration changes can be made. Enable match-vip in the Deny policy: with match-vip enabled, the FortiGate considers traffic destined to virtual IP (VIP) objects when matching the Deny policy, so the policy correctly identifies and blocks traffic directed to the mapped IP address of the web server even though the web server is published through a VIP. Set the Destination address as Webserver in the Deny policy: setting the destination to the Webserver object ensures that the Deny policy targets only traffic attempting to reach the web server, so the block is limited to the intended destination rather than to all traffic from Remote-User2. References: FortiOS 7.4.1 Administration Guide: Deny matching with a policy with a virtual IP applied; FortiOS 7.4.1 Administration Guide: Configuring Policies with VIPs
Question 27:
Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate.
Based on the system performance output, what can be the two possible outcomes? (Choose two.)
A. FortiGate will start sending all files to FortiSandbox for inspection. B. FortiGate has entered conserve mode. C. Administrators cannot change the configuration. D. Administrators can access FortiGate onlythrough the console port.
B. FortiGate has entered conserve mode. C. Administrators cannot change the configuration. The system performance output shows memory usage at 90%, which is above the default red threshold of 88% (the defaults shown in the exhibit are green 82%, red 88% and extreme 95%). When memory usage crosses the red threshold FortiGate enters conserve mode, and it stays in conserve mode until usage falls back below the green threshold. B. FortiGate has entered conserve mode: conserve mode protects the unit from running out of memory entirely by suspending functions that would consume more memory. C. Administrators cannot change the configuration: while in conserve mode FortiGate does not accept configuration changes, because they could increase memory usage; it also stops quarantine actions and, depending on the fail-open setting, skips or blocks proxy-based inspection. If usage reaches the extreme threshold, new sessions are dropped as well. The other options are not correct: A. FortiGate will start sending all files to FortiSandbox for inspection: the opposite happens, since quarantine actions, including FortiSandbox submission, are suspended in conserve mode. D. Administrators can access FortiGate only through the console port: conserve mode does not restrict administrative access to the console; GUI and CLI access remain available, which is how the system performance output itself is collected. References: FortiOS 7.4.1 Administration Guide, Monitoring System Resources and Performance, page 325; FortiOS 7.4.1 Administration Guide, Conserve Mode, page 330.
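The threshold logic above is easy to get wrong, as the comparison of 90% against the red threshold shows. The following Go program is an added example, not FortiOS code, that models the memory states as a small state machine using the default thresholds from the exhibit: conserve mode is entered at the red threshold and left only once usage drops back below the green threshold, so readings between the two keep whatever state is already in force. The state names, the readings and the assumption that conserve mode is left strictly below the green threshold are this example's own.

```go
package main

import "fmt"

// MemState models the memory condition the unit is in.
type MemState int

const (
	Normal   MemState = iota
	Conserve          // at or above red: configuration changes refused, quarantine skipped
	Extreme           // at or above extreme: new sessions dropped as well
)

func (s MemState) String() string {
	return [...]string{"normal", "conserve", "extreme"}[s]
}

// Thresholds are percentages of total memory. DefaultThresholds are the FortiOS
// defaults shown in the exhibit (green 82, red 88, extreme 95).
type Thresholds struct{ Green, Red, Extreme int }

var DefaultThresholds = Thresholds{Green: 82, Red: 88, Extreme: 95}

// Next returns the state after a new memory reading. Readings between green and
// red are the hysteresis band: they neither enter nor leave conserve mode.
// Assumption: conserve mode is left only when usage is strictly below green.
func Next(prev MemState, memPct int, t Thresholds) MemState {
	switch {
	case memPct >= t.Extreme:
		return Extreme
	case memPct >= t.Red:
		return Conserve
	case memPct < t.Green:
		return Normal
	case prev == Normal:
		return Normal
	default:
		return Conserve
	}
}

// ConfigChangesAllowed is true only outside conserve mode.
func ConfigChangesAllowed(s MemState) bool { return s == Normal }

// Run replays a series of readings from a normal start and returns the state
// after each one.
func Run(readings []int, t Thresholds) []MemState {
	out := make([]MemState, len(readings))
	state := Normal
	for i, pct := range readings {
		state = Next(state, pct, t)
		out[i] = state
	}
	return out
}

func main() {
	// Constructed sample readings; 90% is the value discussed in the question.
	readings := []int{70, 90, 85, 81, 96, 85, 75}
	for i, s := range Run(readings, DefaultThresholds) {
		fmt.Printf("%3d%% -> %-8v config changes allowed: %v\n",
			readings[i], s, ConfigChangesAllowed(s))
	}
}
```

The 85% reading after 90% stays in conserve mode even though 85% is below the red threshold, and only the 81% reading returns the unit to normal; that hysteresis is what the explanation's "above green but below red" wording overlooked.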
Question 28:
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. Which order must FortiGate use when the web filter profile has features such as safe search enabled?
A. FortiGuard category filter and rating filter B. Static domain filter, SSL inspection filter, and external connectors filters C. DNS-based web filter and proxy-based web filter D. Static URL filter, FortiGuard category filter, and advanced filters
D. Static URL filter, FortiGuard category filter, and advanced filters. Explanation/Reference: When multiple web filtering features are enabled in a web filter profile, FortiGate inspects HTTP traffic in a fixed sequence. Static URL filter: the URL is first checked against the administrator's list of allowed, blocked, exempted or monitored URLs. FortiGuard category filter: the site's category is then looked up in the FortiGuard web filter database and the category action applied. Advanced filters: finally, features such as Safe Search, content filtering and rating options are applied.
Question 29:
A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors.
What is the reason for the certificate warning errors?
A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate. B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions. C. The browser does not recognize the certificate in use as signed by a trusted CA. D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.
C. The browser does not recognize the certificate in use as signed by a trusted CA. The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites. References: FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration
Question 30:
An administrator manages a FortiGate model that supports NTurbo. How does NTurbo enhance performance for flow-based inspection?
A. NTurbo offloads traffic to the content processor. B. NTurbo creates two inspection sessions on the FortiGate device. C. NTurbo buffers the whole file and then sends it to the antivirus engine. D. NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces.
D. NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces. Explanation/Reference: NTurbo creates a special data path that redirects traffic from the ingress interface to the IPS engine, and from the IPS engine to the egress interface. Firewall operations along this path are offloaded to the network processor while the IPS engine still acts as a stage in the processing pipeline, which reduces the workload on the FortiGate CPU and improves overall throughput. Reference: Hardware Acceleration, https://docs.fortinet.com/document/fortigate/7.0.1/hardware-acceleration/896174/nturbo-offloads-flow-basedprocessing