Which three statements about SD-WAN zones are true? (Choose three.)
A. An SD-WAN zone can contain physical and logical interfaces
B. You can use an SD-WAN zone in static route definitions
C. You can define up to three SD-WAN zones per FortiGate device
D. An SD-WAN zone must contain at least two members
E. An SD-WAN zone is a logical grouping of members
A. An SD-WAN zone can contain physical and logical interfaces
B. You can use an SD-WAN zone in static route definitions
E. An SD-WAN zone is a logical grouping of members
Explanation/Reference: SD-WAN zones can include both physical interfaces and logical ones such as VLAN subinterfaces, aggregate interfaces and IPsec tunnels, so one zone can group members of different types. A zone can be referenced as the outgoing interface in a static route (and as an interface in firewall policies), so the route follows whichever member the SD-WAN rules select rather than a fixed interface. An SD-WAN zone is a logical grouping of members (interfaces) that simplifies management and the application of SD-WAN rules and policies. Options C and D are false: the number of zones is not limited to three, and a zone can contain a single member.
Question 82:
Refer to the exhibit which contains a RADIUS server configuration.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option. What is the impact of using the Include in every user group option in a RADIUS configuration?
A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group
B. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate
C. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case is FortiAuthenticator
D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group
A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group
Explanation/Reference: Selecting "Include in every user group" in the RADIUS server configuration makes FortiGate add that RADIUS server as a member of every user group defined on the device, so any user who can authenticate against the server is treated as a member of every group. Because group membership drives firewall policy and VPN access, the option is convenient for a small deployment but removes per-group separation; it should not be enabled where groups are meant to grant different levels of access.
Question 83:
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?
A. It uses UDP 8888.
B. It uses DNS over HTTPS.
C. It uses DNS over TLS.
D. It uses UDP 53.
C. It uses DNS over TLS.
Explanation/Reference: With the default settings, FortiGate reaches the FortiGuard DNS servers using DNS over TLS (DoT): the queries are sent over TCP port 853 inside a TLS session, and the server certificate is validated against the configured server hostname (globalsdns.fortinet.net), so answers cannot be read or spoofed in transit. Plain UDP port 53 is used only if the DNS protocol is changed to clear text, for example for a third-party resolver that does not support DoT. DNS over HTTPS is also supported but is not the default, and UDP 8888 is a FortiGuard service port (rating lookups), not a DNS port.
Question 84:
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
A. The host field in the HTTP header.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
E. The serial number in the server certificate.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
Explanation/Reference: With SSL certificate inspection, FortiGate does not decrypt the session; it can only use what is visible in the handshake, which is why the hostname comes from these three sources:
Server Name Indication (SNI) extension in the client hello message (B): the SNI is sent in clear text in the client hello and carries the hostname the client is trying to reach, so FortiGate can identify the server before any certificate is exchanged.
Subject Alternative Name (SAN) field in the server certificate (C): the SAN lists the hostnames (and possibly IP addresses) the certificate is valid for; FortiGate reads it from the server certificate to identify and validate the server.
Subject field in the server certificate (D): the subject's common name (CN) holds the primary hostname the certificate was issued for and is used to match the server's identity.
The other options are not used for hostname identification:
Host field in the HTTP header (A): the Host header is inside the encrypted HTTP request, so it is only available with full SSL inspection (deep inspection), not with certificate inspection.
Serial number in the server certificate (E): the serial number identifies the certificate for management and revocation purposes and says nothing about the hostname.
References: FortiOS 7.4.1 Administration Guide, SSL/SSH Inspection, page 1802. FortiOS 7.4.1 Administration Guide, Configuring SSL/SSH Inspection Profile, page 1799.
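The following is an added example (not code from the page or from Fortinet) showing where the three pieces of information live on the wire: it builds a minimal TLS ClientHello carrying an SNI extension, extracts the host name from it, and then checks that name against a certificate's SAN list and Subject CN using the usual wildcard rules. The ordering (SNI first, then certificate names) and the helper names are assumptions made for illustration; the ClientHello bytes and certificate names are constructed sample input.

```python
"""SNI extraction and certificate-name matching, as an added example.

Assumptions (not from the page): a TLS ClientHello record is modelled as
raw bytes, and the certificate's Subject CN and SAN entries as plain strings.
"""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record with a ClientHello + SNI extension (sample input)."""
    host = server_name.encode("idna")
    # ServerNameList: list length (2) | name_type host_name=0 (1) | name length (2) | name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list        # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeroed for the sample)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # compression methods: null
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if absent or the record is truncated."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record carrying a ClientHello
            return None
        p = 5 + 4 + 2 + 32                           # record hdr, handshake hdr, version, random
        p += 1 + record[p]                           # session_id
        (cs_len,) = struct.unpack("!H", record[p:p + 2]); p += 2 + cs_len
        p += 1 + record[p]                           # compression methods
        (ext_len,) = struct.unpack("!H", record[p:p + 2]); p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == 0:                           # server_name extension
                q = p + 2                            # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype, nlen = struct.unpack("!BH", record[q:q + 3]); q += 3
                    if ntype == 0:                   # host_name
                        return record[q:q + nlen].decode("idna")
                    q += nlen
            p += elen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:                     # reject f*.example.com and a bare "*"
        return False
    hfirst, _, hrest = hostname.partition(".")
    return bool(hfirst) and hrest == rest            # *.example.com matches a.example.com only


def identify_server(record: bytes, cert_subject_cn, cert_sans):
    """Return (hostname, certificate_vouches_for_it).

    Hostname comes from the SNI when present; the certificate's SAN entries and
    Subject CN are the names it is checked against. Without SNI, fall back to the
    certificate's own names (SAN preferred over CN). This ordering is an assumption.
    """
    sni = extract_sni(record)
    names = list(cert_sans) + ([cert_subject_cn] if cert_subject_cn else [])
    if sni is not None:
        return sni, any(name_matches(n, sni) for n in names)
    fallback = cert_sans[0] if cert_sans else cert_subject_cn
    return fallback, fallback is not None
```

Note that nothing in the block looks at an HTTP Host header: with certificate inspection the proxy never sees the HTTP layer, so the SNI and the certificate names are the only identity signals available, and an SNI that no certificate name vouches for (the second assertion case below) is exactly the mismatch an inspection profile would flag.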
Question 85:
Refer to the exhibits.
The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to the SSL VPN?
A. Change the SSL VPN portal to the tunnel.
B. Change the idle timeout.
C. Change the server IP address.
D. Change the SSL VPN port on the client.
D. Change the SSL VPN port on the client.
Explanation/Reference: The SSL VPN is configured to listen on port 11443 on the FortiGate, as shown in the SSL VPN settings in the exhibit, but the user is connecting to port 1443, as displayed in the VPN connection status. Because the FortiGate is not listening on that port, the TCP connection never reaches the SSL VPN daemon and the tunnel cannot be established. The user should change the port in the client configuration to 11443 to match the FortiGate SSL VPN settings; the portal type, idle timeout and server address are not involved in this failure.
Question 86:
Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
B. Set the Freeware and Software Downloads category Action to Warning
C. Configure a web rating override for download.com and select Malicious Websites as the subcategory.
D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
C. Configure a web rating override for download.com and select Malicious Websites as the subcategory.
D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
Explanation/Reference: Both solutions work inside the web filter profile without touching the category action. A static URL filter entry is evaluated before FortiGuard category filtering, so a wildcard Block entry for download.com stops that site while the rest of the Freeware and Software Downloads category stays allowed. A rating override reclassifies download.com into a category the profile already blocks (here Malicious Websites), so it is blocked by the category lookup. Changing the category action to Warning (B) affects every site in the category, and a Deny firewall policy (A) operates outside the web filter profile rather than satisfying the requirement within it.
Question 87:
There are multiple dial-up IPsec VPNs configured in aggressive mode on the HQ FortiGate. The requirement is to connect dial-up users to their respective department VPN tunnels. Which phase 1 setting you can configure to match the user to the tunnel?
A. Peer ID
B. Local Gateway
C. Dead Peer Detection
D. IKE Mode Config
A. Peer ID
Explanation/Reference: When several dial-up IPsec VPNs share the same listening interface and use aggressive mode, the Peer ID setting in phase 1 is what distinguishes the tunnels. Each department's tunnel is configured to accept a specific peer ID, and each dial-up user sends the matching ID in the aggressive-mode exchange, so the FortiGate can select the correct phase 1 for the incoming negotiation.
Question 88:
Refer to the exhibit.
In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit. What should the administrator do next, to troubleshoot the problem?
A. Execute a debug flow.
B. Capture the traffic using an external sniffer connected to port1.
C. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".
D. Run a sniffer on the web server.
A. Execute a debug flow.
Explanation/Reference: The sniffer output shows that the web client's packets are reaching the FortiGate, but there is no return traffic from the web server. The built-in sniffer only shows whether packets arrive and leave; it does not say why a packet was not forwarded. Executing a debug flow is the next step because it traces each packet through the FortiGate's processing (route lookup, session creation, firewall policy, NAT) and reports the exact reason if the packet is dropped, for example a missing route or a policy that denies the traffic. Sniffing externally or on the server would only repeat what is already known.
References: FortiOS 7.4.1 Administration Guide: Troubleshooting network connectivity
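As an added example (not from the page, and not based on the exhibit, which is not reproduced here), the script below applies the same reasoning to verbosity-4 output of the FortiGate built-in sniffer: it parses the "<timestamp> <interface> in|out <src>.<port> -> <dst>.<port>: <flags>" lines, groups them per TCP flow, and tells the administrator whether a flow was never forwarded (so a debug flow is the next step) or was forwarded but never answered (so the server or the path beyond the FortiGate is the next place to look). The sample lines, interface names and addresses are constructed for illustration.

```python
"""Triage of FortiGate built-in sniffer output (verbosity 4), as an added example.

Assumes lines of the form produced by
  diagnose sniffer packet any 'host 10.0.1.10' 4
Sample data below is constructed, not taken from the exhibit.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

# Constructed sample: flow 50219 is forwarded out port2 but never answered,
# flow 50220 enters port1 and is never seen leaving, flow 50221 is healthy.
SAMPLE = """\
interfaces=[any]
filters=[host 10.0.1.10]
2.490328 port1 in 10.0.1.10.50219 -> 10.0.2.20.80: syn 1111467203
2.490440 port2 out 10.0.1.10.50219 -> 10.0.2.20.80: syn 1111467203
5.493011 port1 in 10.0.1.10.50219 -> 10.0.2.20.80: syn 1111467203
5.493102 port2 out 10.0.1.10.50219 -> 10.0.2.20.80: syn 1111467203
7.100000 port1 in 10.0.1.10.50220 -> 10.0.2.21.80: syn 2222222222
9.000000 port1 in 10.0.1.10.50221 -> 10.0.2.22.80: syn 333
9.000100 port2 out 10.0.1.10.50221 -> 10.0.2.22.80: syn 333
9.001000 port2 in 10.0.2.22.80 -> 10.0.1.10.50221: syn 444 ack 334
9.001100 port1 out 10.0.2.22.80 -> 10.0.1.10.50221: syn 444 ack 334
"""


def parse(text: str):
    """Return one dict per packet line; header lines (interfaces=, filters=) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            pkts.append(d)
    return pkts


def triage(text: str):
    """Map each client flow (src, sport, dst, dport) to a verdict.

    'no-egress': seen entering the FortiGate but never leaving -> packet dropped inside
                 FortiGate; run a debug flow to see the policy/route decision.
    'no-reply' : forwarded out of the FortiGate but nothing ever came back -> look at
                 the server or the path beyond the FortiGate.
    'ok'       : traffic seen in both directions.
    """
    seen = defaultdict(lambda: {"in": 0, "out": 0, "reply": 0})
    for p in parse(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev in seen:                    # a packet heading back towards a known client
            seen[rev]["reply"] += 1
        else:
            seen[fwd][p["dir"]] += 1
    verdicts = {}
    for flow, c in seen.items():
        if c["in"] and not c["out"]:
            verdicts[flow] = "no-egress"
        elif c["out"] and not c["reply"]:
            verdicts[flow] = "no-reply"
        else:
            verdicts[flow] = "ok"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

For a flow reported as "no-egress", the debug flow that the answer recommends is started on the FortiGate CLI with `diagnose debug flow filter addr 10.0.1.10`, `diagnose debug flow show function-name enable`, `diagnose debug flow trace start 100` and `diagnose debug enable`, then the client retries; the trace then names the policy or route that dropped the packet. Remember to stop it afterwards with `diagnose debug disable` and `diagnose debug flow trace stop`.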
Question 89:
Which statement is a characteristic of automation stitches?
A. They can be run only on devices in the Security Fabric.
B. They can be created only on downstream devices in the fabric.
C. They can have one or more triggers.
D. They can run multiple actions at the same time.
D. They can run multiple actions at the same time.
Explanation/Reference: "To create an automation stitch, A TRIGGER EVENT (singular) and a response action or ACTIONS (plural) are selected." A stitch therefore has exactly one trigger but can run several actions. See the documentation: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/351998