The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
A. Apple FaceTime will be allowed, based on the Video/Audio category configuration.
B. Apple FaceTime will be allowed, based on the Apple filter configuration.
C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
Based on the application sensor configuration and the filter details: The "Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature. As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the "Excessive-Bandwidth" filter takes precedence due to its block action setting.
The other options are not correct:
A. Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it.
B. Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this.
C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.
References:
FortiOS 7.4.1 Administration Guide - Application Control and Filtering, page 978.
FortiOS 7.4.1 Administration Guide - Application Sensor Configuration, page 982.
Question 62:
What are three key routing principles in SD-WAN? (Choose three.)
A. By default, SD-WAN members are skipped if they do not have a valid route to the destination
B. By default, SD-WAN rules are skipped if only one route to the destination is available
C. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member
D. SD-WAN rules have precedence over any other type of routes
E. Regular policy routes have precedence over SD-WAN rules
A. By default, SD-WAN members are skipped if they do not have a valid route to the destination
C. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member
E. Regular policy routes have precedence over SD-WAN rules
Explanation/Reference:
SD-WAN rules are matched only if the best route to the destination points to SD-WAN. An SD-WAN member is selected only if it has a route to the destination.
https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-sd-branch-architecture-formssps/768108/sd-wan-routing-logic
SD-WAN rules are 'policy routes', but regular policy routes have precedence over SD-WAN rules.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-the-SD-WAN-rule-matching-process/ta-p/284325
Question 63:
Refer to the exhibit.
Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
A. All traffic from a source IP to a destination IP is sent to the same interface.
B. Traffic is sent to the link with the lowest latency.
C. Traffic is distributed based on the number of sessions through each interface.
D. All traffic from a source IP is sent to the same interface
A. All traffic from a source IP to a destination IP is sent to the same interface.
For traffic that does not match any of the defined SD-WAN rules, the default implicit SD-WAN rule is applied. By default, the FortiGate uses a "source-destination IP-based" algorithm, which means all traffic from a specific source IP to a specific destination IP is sent through the same interface. This ensures that a consistent path is used for traffic between the same source and destination IP addresses. Options B, C, and D do not apply because the default algorithm does not prioritize by latency, session count, or source IP alone.
References: FortiOS 7.4.1 Administration Guide: SD-WAN Load Balancing Algorithms
Question 64:
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is outbound traffic but no response from the peer. Which DPD mode on FortiGate meets this requirement?
A. On Demand
B. On Idle
C. Disabled
D. Enabled
A. On Demand
Explanation/Reference: The On Demand mode for Dead Peer Detection (DPD) on FortiGate sends DPD probes only when there is outbound traffic and no response from the peer. This mode is used to detect if the peer is still available without continuously sending DPD probes, reducing unnecessary traffic.
Question 65:
What are two features of collector agent advanced mode? (Choose two.)
A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
B. Advanced mode supports nested or inherited groups.
C. In advanced mode, security profiles can be applied only to user groups, not individual users.
D. Advanced mode uses the Windows convention --NetBios: Domain\Username.
A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
B. Advanced mode supports nested or inherited groups.
Explanation/Reference: Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.
Question 66:
An administrator has configured the following settings:
What are the two results of this configuration? (Choose two.)
A. Denied users are blocked for 30 minutes.
B. A session for denied traffic is created.
C. The number of logs generated by denied traffic is reduced.
D. Device detection on all interfaces is enforced for 30 minutes.
B. A session for denied traffic is created.
C. The number of logs generated by denied traffic is reduced.
A session for denied traffic is created: The command set ses-denied-traffic enable ensures that sessions for denied traffic are logged, meaning a session will be created for traffic that is denied by security policies.
The number of logs generated by denied traffic is reduced: The set block-session-timer 30 command sets a timer to prevent excessive logging of denied traffic within a short period, which helps reduce the number of logs generated by repeated denied traffic sessions. This timer blocks sessions for a specified period (30 seconds in this case) to avoid overwhelming the log system with repetitive entries.
Question 67:
Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?
A. Downstream devices can connect to the upstream device from any of their VDOMs
B. Each VDOM in the environment can be part of a different Security Fabric
C. VDOMs without ports with connected devices are not displayed in the topology
D. Security rating reports can be run individually for each configured VDOM
C. VDOMs without ports with connected devices are not displayed in the topology
"When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must be part of a single Security Fabric."
Question 68:
Refer to the exhibit.
FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.
What is the most likely reason for this situation?
A. The Service DNS is required in the firewall policy.
B. The user is using an incorrect user name.
C. The Remote-users group is not added to the Destination.
D. No matching user account exists for this user.
A. The Service DNS is required in the firewall policy.
Explanation/Reference: Firewall authentication generally requires the DNS service to be enabled in the firewall policy to correctly resolve hostnames during the authentication process. If DNS is not allowed in the firewall policy, the FortiGate cannot resolve external domains, and as a result, the user may not be presented with the login prompt when attempting to access an external website.
References: FortiOS 7.4.1 Administration Guide: Firewall Authentication Configuration
Question 69:
What are two features of FortiGate FSSO agentless polling mode? (Choose two.)
A. FortiGate directs the collector agent to use a remote LDAP server.
B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
C. FortiGate does not support workstation check.
D. FortiGate uses the AD server as the collector agent.
B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
C. FortiGate does not support workstation check.
Explanation/Reference:
FortiGate uses the SMB protocol to read the event viewer logs from the DCs: In agentless polling mode, FortiGate directly connects to the Domain Controllers (DCs) using the SMB protocol to read event logs and detect user login events.
FortiGate does not support workstation check: In agentless polling mode, FortiGate does not perform workstation checks. It relies on polling the event logs from the Domain Controllers to identify user logins.
Question 70:
How can you disable RPF checking?
A. Disable src-check on the interface level settings
B. Unset fail-alert-interfaces on the interface level settings.
C. Disable fail-detect on the interface level settings.
D. Disable strict-src-check under system settings.
A. Disable src-check on the interface level settings
To disable RPF (Reverse Path Forwarding) checking on a FortiGate interface, you need to disable the src-check option in the interface settings. This action disables the RPF check, allowing traffic to bypass the verification that it is arriving on the correct interface based on the routing table.