Fortinet FCP_FGT_AD-7.6 Online Practice Questions and Exam Preparation

Fortinet FCP_FGT_AD-7.6 Online Questions & Answers

• Question 1:

  Refer to the exhibits.

  

  The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.

  Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

  A. Apple Face Time will be allowed, based on the Video/Audio category configuration.
  B. Apple Face Time will be blocked, based on the Excessive-Bandwidth filter configuration.
  C. Apple Face Time will be allowed, based on the Apple filter configuration.
  D. Apple Face Time will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
  C. Apple Face Time will be allowed, based on the Apple filter configuration.

  ---

  explanation:

  Apple FaceTime normally falls under Video/Audio and could be blocked by the Excessive-Bandwidth filter. However, in this configuration, an override is applied under the Apple vendor filter with Monitor action. Overrides take precedence over general filter actions. Therefore, FaceTime will not be blocked; instead, it will be monitored, and since only a few calls are made (not excessive bandwidth usage), it will be allowed based on the Apple filter configuration.

• Question 2:

  You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic. In which two ways can you effectively resolve the problem? (Choose two.)

  A. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
  B. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
  C. You can turn on fragmentation to fix large certificate negotiation problems.
  D. You should use the protocol IKEv2.
  A. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
  D. You should use the protocol IKEv2.

  ---

  explanation:

  Using SSL VPN tunnel mode avoids issues with blocked ESP (IP protocol 50) and UDP ports (500/4500), since SSL VPN uses HTTPS (TCP 443), which is usually allowed. Switching to IKEv2 helps with NAT traversal and firewall compatibility because it supports UDP encapsulation on port 4500 and is more robust than IKEv1.

• Question 3:

  Refer to the exhibits.

  

  An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access Facebook.com, they are redirected to a FortiGuard web filtering block page.

  Based on the exhibits, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites?

  A. Change the type as Simple in the Static URL Filter section.
  B. Set the Social Networking action as warning in the FortiGuard Category Based Filter.
  C. Change the Feature set of Web Filter Profile as Proxy-based.
  D. Set the Action as Exempt for www.facebook.com in the Static URL Filter.
  D. Set the Action as Exempt for www.facebook.com in the Static URL Filter.

  ---

  explanation:

  The FortiGuard category filter is blocking Social Networking, which includes Facebook. Although a static URL filter entry for www.facebook.com exists, its action is set to Monitor, so it does not override the category block. To allow Facebook while blocking other social networking sites, the action for www.facebook.com in the Static URL Filter must be set to Exempt. This explicitly bypasses category filtering for that URL.

• Question 4:

  Refer to the exhibit.

  

  Which two statements about the FortiGuard connection are true? (Choose two.)

  A. FortiGate is using the default port for FortiGuard communication.
  B. FortiGate identified the FortiGuard Server using DNS lookup.
  C. The weight increases as the number of failed packets rises.
  D. You can configure unreliable protocols to communicate with FortiGuard Server.
  B. FortiGate identified the FortiGuard Server using DNS lookup.
  C. The weight increases as the number of failed packets rises.

  ---

  explanation:

  FortiGate identified the FortiGuard Server using DNS lookup The server is shown with a private IP (10.0.1.241), which indicates FortiGate resolved it via DNS or explicit override rather than using default FortiGuard anycast servers. The weight value reflects server reliability. It decreases with good performance and increases as packet loss or failures rise, meaning higher weight indicates more failures.

• Question 5:

  Refer to the exhibits.

  

  The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device.

  Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.

  Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)

  A. In the IP pool configuration, set type to overload.
  B. In the system settings, set Multiple Interface Policies to enable.
  C. In the firewall policy, set match-vip to enable using CLI.
  D. In the IP pool configuration, set endip to 100.65.0.112.
  A. In the IP pool configuration, set type to overload.
  D. In the IP pool configuration, set endip to 100.65.0.112.

  ---

  explanation:

  The IP pool is configured as One-to-One with a range of only 100.65.0.110?00.65.0.111, which allows NAT for only two internal hosts (PC1 and PC2). When PC3 tries to access the internet, no external IP is available for mapping.

  To fix this:

  Change the IP pool type to Overload, allowing multiple internal IPs to share a single external IP.

  Expand the IP pool range by setting endip to 100.65.0.112 (or more) so that additional internal hosts (like PC3) can also be assigned a unique external IP.

• Question 6:

  A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal. Which SSL timer can you use to mitigate a denial of service (DoS) attack?

  A. SSL VPN http-request-header-timeout
  B. SSL VPN dtls-hello-timeout
  C. SSL VPN login-timeout
  D. SSL VPN idle-timeout
  A. SSL VPN http-request-header-timeout

  ---

  explanation:

  The SSL VPN http-request-header-timeout defines how long FortiGate waits to receive the full HTTP request header from a client. Reducing this timer helps mitigate slow HTTP DoS attacks (such as Slowloris) on the SSL VPN portal by preventing malicious clients from holding connections open for too long without completing requests.

• Question 7:

  An administrator has configured the following settings:

  

  What are the two results of this configuration? (Choose two.)

  A. Denied users are blocked for 30 minutes.
  B. A session for denied traffic is created.
  C. Session helpers are disabled for denied traffic.
  D. The number of logs generated by denied traffic is reduced.
  B. A session for denied traffic is created.
  D. The number of logs generated by denied traffic is reduced.

  ---

  explanation:

  set ses-denied-traffic enable ensures FortiGate creates a session entry even for denied traffic.

  set block-session-timer 30 sets the duration (30 seconds) that denied sessions remain in the session table.

  This prevents repeated logging for every packet in the same denied flow, thereby reducing the number of logs generated.

• Question 8:

  Which two statements about the Security Fabric rating are true? (Choose two.)

  A. A license is required to obtain an executive summary in the Security Rating section.
  B. The root FortiGate provides executive summaries of all the FortiGate devices in the Security Fabric.
  C. The Security Posture category provides PCI compliance results.
  D. Security Rating Insights are available only in the Security Rating page.
  A. A license is required to obtain an executive summary in the Security Rating section.
  B. The root FortiGate provides executive summaries of all the FortiGate devices in the Security Fabric.

  ---

  explanation:

  A license is required to obtain an executive summary in the Security Rating section Without the license, only limited Security Fabric rating details are shown.

  The root FortiGate aggregates and provides executive summaries for all FortiGate devices in the Security Fabric, giving a consolidated security posture overview.

• Question 9:

  Refer to the exhibits.

  

  A web filter profile configuration and firewall policy configuration are shown. You are trying to access www.facebook.com, but you are redirected to a FortiGuard web filtering block page. Based on the exhibits, what is the possible cause of the issue?

  A. The web filter profile feature set is configured incorrectly.
  B. The web rating override configuration is incorrect.
  C. The firewall policy inspection mode is incorrect.
  D. For www.facebook.com, the URL filter action is incorrect.
  B. The web rating override configuration is incorrect.

  ---

  explanation:

  The web filter profile shows a URL filter override for www.facebook.com with action Monitor, which should allow access. However, the block page shows FortiGuard categorizing www.facebook.com as Malicious Websites and blocking it. This indicates that the web rating override configuration is incorrect (the override is not applied properly), so FortiGuard's default category action takes precedence and blocks the site.

• Question 10:

  Refer to the exhibits.

  

  You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.

  You cannot access any of the Google applications, but you are able to access www.fortinet.com.

  What would you do to resolve this issue?

  A. Change the Inspection mode to Proxy-based.
  B. Set SSL inspection to deep-content-inspection.
  C. Move up Google in the Application and Filter Overrides section to set its priority to 1.
  D. Add *Google*.com to the URL category in the security profile.
  C. Move up Google in the Application and Filter Overrides section to set its priority to 1.

  ---

  explanation:

  In the Application and Filter Overrides, the Excessive-Bandwidth filter (set to Block) is priority 1, and Google (set to Monitor) is priority 2. Since overrides are evaluated by priority, Google traffic is being blocked by the higher-priority rule. Moving Google to the top (priority 1) ensures it is matched first, allowing access while still monitoring it.