An administrator has configured a strict RPF check on FortiGate. How does strict RPF check work?
A. Strict RPF checks the best route back to the source using the incoming interface.
B. Strict RPF allows packets back to sources with all active routes.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session.

A. Strict RPF checks the best route back to the source using the incoming interface.
Explanation/Reference:
Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.
Question 72:
Which two statements describe how the RPF check is used? (Choose two.)
A. The RPF check is run on the first sent packet of any new session.
B. The RPF check is run on the first reply packet of any new session.
C. The RPF check is run on the first sent and reply packet of any new session.
D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

A. The RPF check is run on the first sent packet of any new session.
D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
Explanation/Reference:
The Reverse Path Forwarding (RPF) check is run on the first sent packet of any new session to ensure that the packet arrives on a legitimate interface. This check protects the network from IP spoofing attacks by verifying that a return route exists from the receiving interface back to the source IP address. If the route is invalid or not found, the packet is discarded. Options B and C are incorrect because RPF checks are performed on the first sent packet, not the reply packet.
References: FortiOS 7.4.1 Administration Guide: Reverse Path Forwarding (RPF) Check
Question 73:
Refer to the exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page. Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?
A. On the Static URL Filter configuration set Type to Simple
B. On the FortiGuard Category Based Filter configuration set Action to Warning for Social Networking
C. On the Static URL Filter configuration set Action to Monitor
D. On the Static URL Filter configuration set Action to Exempt

D. On the Static URL Filter configuration set Action to Exempt
Explanation/Reference:
In the current configuration, although "twitter.com" is allowed in the Static URL Filter, the category "Social Networking" is set to "Block" under the FortiGuard Category Based Filter. To resolve the issue, setting the action to "Exempt" in the Static URL Filter for "twitter.com" will bypass the category-based block for this specific URL while still enforcing the block on other social networking sites.
Question 74:
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
A. Internet Service Database (ISDB) engine
B. Intrusion prevention system engine
C. Antivirus engine
D. Application control engine

B. Intrusion prevention system engine
Question 75:
Refer to the exhibit.
Which two statements are true about the routing entries in this database table? (Choose two.)
A. All of the entries in the routing database table are installed in the FortiGate routing table.
B. The port2 interface is marked as inactive.
C. Both default routes have different administrative distances.
D. The default route on port2 is marked as the standby route.

C. Both default routes have different administrative distances.
D. The default route on port2 is marked as the standby route.
The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances: The default route through port2 has an administrative distance of 20. The default route through port1 has an administrative distance of 10. Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2. Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.
References:
FortiOS 7.4.1 Administration Guide: Default route configuration
FortiOS 7.4.1 Administration Guide: Routing table explanation
Question 76:
Refer to the exhibit.
Which statement about this firewall policy list is true?
A. The Implicit group can include more than one deny firewall policy.
B. The firewall policies are listed by ID sequence view.
C. The firewall policies are listed by ingress and egress interfaces pairing view.
D. LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists.

D. LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists.
Question 77:
Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
A. The debug flow is for ICMP traffic.
B. A firewall policy allowed the connection.
C. A new traffic session was created.
D. The default route is required to receive a reply.

A. The debug flow is for ICMP traffic.
C. A new traffic session was created.
Explanation/Reference:
The debug flow is for ICMP traffic. The output shows "proto=1," which indicates that the protocol is ICMP (Internet Control Message Protocol).
A new traffic session was created. The message "allocate a new session-00003dd5" confirms that a new session was created for this traffic.
Question 78:
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
A. Pre-shared key and certificate signature as authentication methods
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
C. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
D. No certificate is required on the remote peer when you set the certificate signature as the authentication method

A. Pre-shared key and certificate signature as authentication methods
B. Extended authentication (XAuth) to request the remote peer to provide a username and password
FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication. These methods provide flexibility depending on the security requirements of the network. Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.
References: FortiOS 7.4.1 Administration Guide: IPsec VPN Configuration
Question 79:
An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection. Which FortiGate configuration can achieve this goal?
A. SSL VPN quick connection
B. SSL VPN tunnel
C. SSL VPN bookmark
D. Zero trust network access

B. SSL VPN tunnel
Explanation/Reference:
An SSL VPN tunnel allows remote users to securely connect to the organization's network and transmit all traffic, including external application data and FTP resources, through an encrypted SSL/TLS connection. This ensures secure access to the network while supporting various protocols such as FTP and other application-specific traffic from the user's PC.
Question 80:
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
A. execute ping
B. execute traceroute
C. diagnose sys top
D. get system arp
E. diagnose sniffer packet any

A. execute ping
B. execute traceroute
E. diagnose sniffer packet any