The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy configuration, VIP configuration, and IP pool configuration on the FortiGate device.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using the IP pool. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?
A. 10.200.1.1
B. 10.200.1.10
C. 10.0.1.254
D. 10.200.1.100
Answer: D. 10.200.1.100
Explanation/Reference:
NAT Configuration: The first firewall policy has NAT enabled using the configured IP pool.
IP Pool Configuration: The IP pool is configured with an external IP range of 10.200.1.100.
Source NAT: When traffic is NATed, the source IP address is replaced with an IP from the configured pool. In this scenario, the specific IP defined in the pool is 10.200.1.100. Thus, any internet-bound traffic from the workstation (10.0.1.10) will have its source IP address NATed to 10.200.1.100.
Question 42:
Refer to the exhibit, which shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A. The sensor will gather a packet log for all matched traffic.
B. The sensor will reset all connections that match these signatures.
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
D. The sensor will block all attacks aimed at Windows servers.
Answer: C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature. D. The sensor will block all attacks aimed at Windows servers.
Question 43:
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
A. Enable Dead Peer Detection.
B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
Answer: A. Enable Dead Peer Detection. C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
Explanation: To configure redundant IPsec VPN tunnels on FortiGate with failover capability, the following two key configuration changes are required:
A. Enable Dead Peer Detection (DPD): Dead Peer Detection is crucial for detecting whether the remote peer is unreachable. By enabling DPD, FortiGate can quickly detect a dead tunnel, ensuring a faster failover to the secondary tunnel when the primary tunnel goes down.
C. Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel: The static route with the lower distance (higher priority) will be used when both tunnels are operational. If the primary tunnel fails, the higher distance (lower priority) route for the secondary tunnel will take over, ensuring traffic is routed correctly.
The other options are not suitable:
B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels: This option is not directly related to the requirement of failover between two IPsec VPN tunnels.
D. Configure a higher distance on the static route for the primary tunnel and a lower distance on the static route for the secondary tunnel: This would prioritize the secondary tunnel over the primary tunnel, which is the opposite of the desired configuration.
References: FortiOS 7.4.1 Administration Guide - Configuring IPsec VPN, page 1320. FortiOS 7.4.1 Administration Guide - Redundant VPN Configuration, page 1335.
Question 44:
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)
A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
B. In the IP pool configuration, set endip to 192.2.0.12.
C. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
D. In the IP pool configuration, set type to overload.
Answer: B. In the IP pool configuration, set endip to 192.2.0.12. D. In the IP pool configuration, set type to overload.
Explanation: To resolve the issue of PC3 not being able to access the internet, the administrator needs to adjust the IP pool configuration or the firewall policy. The following two options will fix the connectivity issue:
B. In the IP pool configuration, set the ending IP to 192.2.0.12: The current IP pool range is 192.2.0.10-192.2.0.11, which provides only two IP addresses for network address translation (NAT). To allow PC3 to access the internet, the IP pool should be expanded to include an additional IP address by changing the end of the range to 192.2.0.12.
D. In the IP pool configuration, set type to overload: Instead of using one-to-one NAT, changing the type to overload allows multiple internal addresses (such as PC1, PC2, and PC3) to share a single external IP address. This solves the issue without needing additional public IP addresses.
The other options are not suitable:
A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field: This option is unnecessary because the firewall policy already allows all addresses from the source (LAN port3).
C. Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy on top of the list: This option is redundant and would not resolve the underlying issue with the IP pool configuration.
References: FortiOS 7.4.1 Administration Guide - Configuring Firewall Policies, page 512. FortiOS 7.4.1 Administration Guide - Configuring NAT with IP Pools, page 518.
Question 45:
Which two statements are correct when FortiGate enters conserve mode? (Choose two.)
A. FortiGate halts complete system operation and requires a reboot to regain available resources.
B. FortiGate refuses to accept configuration changes.
C. FortiGate continues to run critical security actions, such as quarantine.
D. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled.
Answer: B. FortiGate refuses to accept configuration changes. D. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled.
Question 46:
An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface. In this scenario, what prevents the administrator from enabling DHCP service?
A. The role of the interface prevents setting a DHCP server.
B. The DHCP server setting is available only on the CLI.
C. Another interface is configured as the only DHCP server on FortiGate.
D. The FortiGate model does not support the DHCP server.
Answer: A. The role of the interface prevents setting a DHCP server.
Explanation/Reference: FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set to the "WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration.
References: FortiOS 7.4.1 Administration Guide: DHCP Server Configuration
Question 47:
Which two statements explain antivirus scanning modes? (Choose two.)
A. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
B. In flow-based inspection mode, files bigger than the buffer size are scanned.
C. In proxy-based inspection mode, files bigger than the buffer size are scanned.
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning before sending it to the client.
Answer: A. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client. D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning before sending it to the client.
Explanation:
A. In flow-based inspection mode, FortiGate buffers the file but also simultaneously transmits it to the client. Flow-based inspection allows real-time scanning of files as they are being transmitted, with minimal impact on performance.
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning before sending it to the client. Proxy-based inspection mode holds the file completely, scans it for threats, and only sends the file to the client if no threats are detected.
Question 48:
Refer to the exhibit, which shows a partial configuration from the remote authentication server.
Why does the FortiGate administrator need this configuration?
A. To authenticate only the Training user group.
B. To set up a RADIUS server secret.
C. To authenticate and match the Training OU on the RADIUS server.
D. To authenticate any FortiGate user groups.
Answer: A. To authenticate only the Training user group.
Question 49:
Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?
A. Full content inspection
B. Proxy-based inspection
C. Certificate inspection
D. Flow-based inspection
Answer: D. Flow-based inspection
Explanation: When FortiGate is configured in NGFW profile-based mode, it primarily uses flow-based inspection for application profiles. Flow-based inspection provides faster processing and lower latency by inspecting traffic in real time without buffering, making it suitable for scenarios where performance is a priority.
References: FortiOS 7.4.1 Administration Guide: Inspection Modes
Question 50:
Refer to the exhibits.
FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What would be the expected outcome in the HA cluster?
A. FGT-1 will remain the primary because FGT-2 has lower priority.
B. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.
C. FGT-1 will synchronize the override disable setting with FGT-2.
D. The HA cluster will become out of sync because the override setting must match on all HA members.
Answer: B. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.
Explanation/Reference: With override enabled, the unit with the highest device priority will always become the primary unit. Whenever an event occurs that may affect primary unit selection, the cluster negotiates. For example, when override is enabled, a cluster renegotiates when you change the device priority of any cluster unit or when you add a new unit to a cluster.
Override and primary unit selection: Enabling override changes the order of primary unit selection. If override is enabled, primary unit selection considers device priority before age and serial number. This means that if you set the device priority higher on one cluster unit, with override enabled this cluster unit becomes the primary unit even if its age and serial number are lower than those of the other cluster units.
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/123439/primary-unit-selection-with-override-enabled