What are two features of the NGFW profile-based mode? (Choose two.)
A. NGFW profile-based mode can only be applied globally and not on individual VDOMs.
B. NGFW profile-based mode must require the use of central source NAT policy.
C. NGFW profile-based mode policies support both flow inspection and proxy inspection.
D. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.
C. NGFW profile-based mode policies support both flow inspection and proxy inspection.
D. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.
Explanation/Reference: NGFW (Next Generation Firewall) profile-based mode in FortiGate allows policies to use both flow-based and proxy-based inspection modes, providing flexibility depending on security and performance requirements. Additionally, profile-based mode supports applying application and web filtering profiles directly in a firewall policy, allowing granular control over the traffic.
References: FortiOS 7.4.1 Administration Guide: NGFW Mode Configuration
Question 52:
Refer to the exhibit.
The administrator configured SD-WAN rules and set the FortiGate traffic log page to display SD-WAN-specific columns: SD-WAN Quality and SD-WAN Rule Name.
FortiGate allows the traffic according to policy ID 1. This is the policy that allows SD-WAN traffic.
Despite these settings the traffic logs do not show the name of the SD-WAN rule used to steer those traffic flows.
What can be the reason?
A. FortiGate load balanced the traffic according to the implicit SD-WAN rule.
B. There is no application control profile applied to the firewall policy.
C. Destinations in the SD-WAN rules are configured per application, but feature visibility is not enabled.
D. SD-WAN rule names do not appear immediately. The administrator needs to refresh the page.
A. FortiGate load balanced the traffic according to the implicit SD-WAN rule.
Explanation/Reference: If the SD-WAN traffic logs do not show a specific SD-WAN rule name, it likely means that FortiGate is using the default (implicit) SD-WAN rule to balance the traffic. The implicit rule comes into effect when no explicit SD-WAN rule is matched, and as a result no SD-WAN rule name is displayed in the logs. The default behavior is to load balance the traffic across the available interfaces according to the SD-WAN strategy.
Question 53:
Refer to the exhibit.
Based on the routing database shown in the exhibit which two conclusions can you make about the routes? (Choose two.)
A. There will be eight routes active in the routing table
B. The port1 and port2 default routes are active in the routing table
C. The port3 default route has the highest distance
D. The port3 default route has the lowest metric
B. The port1 and port2 default routes are active in the routing table
C. The port3 default route has the highest distance
Explanation/Reference: The port1 and port2 default routes are active in the routing table: the 0.0.0.0/0 routes via port1 and port2 are marked with the * and > symbols, which indicate that these routes are active and selected in the routing table. The port3 default route has the highest distance: the route via port3 has a distance of [20/0], which is higher than the distances for the routes via port1 [10/0] and port2 [30/0]. This indicates that the port3 default route has the highest distance.
Question 54:
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
A. On Remote-FortiGate, set Seconds to 43200.
B. On HQ-FortiGate, enable Diffie-Hellman Group 2.
C. On HQ-FortiGate, set Encryption to AES256.
D. On Remote-FortiGate, set Remote Address to 10.0.1.0/255.255.255.0.
C. On HQ-FortiGate, set Encryption to AES256.
D. On Remote-FortiGate, set Remote Address to 10.0.1.0/255.255.255.0.
Question 55:
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
A. 10.200.1.1
B. 10.200.1.149
C. 10.200.1.99
D. 10.200.1.49
C. 10.200.1.99
Question 56:
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)
A. The issuer must be a public CA
B. The CA extension must be set to TRUE
C. The Authority Key Identifier must be of type SSL
D. The keyUsage extension must be set to keyCertSign
B. The CA extension must be set to TRUE
D. The keyUsage extension must be set to keyCertSign
Explanation/Reference: The CA=TRUE value in the basicConstraints extension identifies the certificate as a CA certificate. The keyUsage=keyCertSign value indicates that the private key corresponding to the certificate is permitted to sign certificates. See RFC 5280 section 4.2.1.9 (Basic Constraints) and section 4.2.1.3 (Key Usage).
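A way to verify these two attributes on a PEM file before importing it as an SSL inspection CA, as an added example that is not part of the exam page: it assumes only the openssl CLI on PATH and constructs both sample certificates itself.

```shell
#!/bin/sh
# Added example: check the two X.509 attributes the question names (RFC 5280 4.2.1.9
# basicConstraints CA:TRUE and 4.2.1.3 keyUsage keyCertSign) on a PEM certificate.
# Assumes the openssl CLI is on PATH; both sample certificates are constructed here.
set -e
WORK=$(mktemp -d)

# Minimal OpenSSL config with one extension section per sample certificate.
cat > "$WORK/ssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# Constructed sample 1: a certificate carrying both CA attributes (usable for inspection).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Inspection CA" \
  -config "$WORK/ssl.cnf" -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Constructed sample 2: a self-signed end-entity certificate (CA:FALSE, no keyCertSign).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=leaf.example" \
  -config "$WORK/ssl.cnf" -extensions v3_leaf -keyout "$WORK/leaf.key" -out "$WORK/leaf.pem" 2>/dev/null

# ca_check FILE: prints "ok" when both attributes are present, otherwise lists what is missing.
ca_check() {
  text=$(openssl x509 -in "$1" -noout -text)
  missing=""
  # basicConstraints must carry CA:TRUE (printed on the line after the extension header)
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' \
    || missing="$missing basicConstraints:CA:TRUE"
  # keyUsage must include keyCertSign, which openssl prints as "Certificate Sign"
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
    || missing="$missing keyUsage:keyCertSign"
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

echo "ca.pem:   $(ca_check "$WORK/ca.pem")"    # ok
echo "leaf.pem: $(ca_check "$WORK/leaf.pem")"  # missing: basicConstraints:CA:TRUE keyUsage:keyCertSign
```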
Question 57:
A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal. Which SSL timer can you use to mitigate a denial of service (DoS) attack?
A. SSL VPN dtls-hello-timeout
B. SSL VPN http-request-header-timeout
C. SSL VPN login-timeout
D. SSL VPN idle-timeout
B. SSL VPN http-request-header-timeout
Explanation/Reference: The SSL VPN http-request-header-timeout timer mitigates denial of service (DoS) attacks by limiting how long FortiGate waits for the client to send an HTTP request header after a connection is established. This reduces the attack surface by preventing attacks that hold connections open for a long time without ever completing a request.
Question 58:
Which three methods are used by the collector agent for AD polling? (Choose three.)
A. WinSecLog
B. WMI
C. NetAPI
D. FSSO REST API
E. FortiGate polling
A. WinSecLog
B. WMI
C. NetAPI
Explanation/Reference: The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information. WinSecLog: monitors the Windows Security event logs for logon events. WMI: uses Windows Management Instrumentation to poll user logon sessions. NetAPI: uses the Netlogon API to query domain controllers for user session data. These methods allow FortiGate to gather user logon information and enforce user-based policies effectively.
References: FortiOS 7.4.1 Administration Guide: FSSO Configuration
Question 59:
FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively. Which two statements are true about the requirements of connected physical interfaces on FortiGate? (Choose two.)
A. Both interfaces must have the interface role assigned
B. Both interfaces must have directly connected routes on the routing table
C. Both interfaces must have DHCP enabled
D. Both interfaces must have IP addresses assigned
B. Both interfaces must have directly connected routes on the routing table
D. Both interfaces must have IP addresses assigned
Explanation/Reference: Both interfaces must have directly connected routes on the routing table: in NAT mode, each interface must have a corresponding entry in the routing table, typically a directly connected route, to route traffic between them. Both interfaces must have IP addresses assigned: in NAT mode, each interface must have an IP address to participate in routing and NAT operations; the IP addresses allow FortiGate to forward traffic between the different network segments.
Question 60:
A FortiGate firewall policy is configured with active authentication however, the user cannot authenticate when accessing a website. Which protocol must FortiGate allow even though the user cannot authenticate?