Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)
A. Lowest Cost (SLA) without load balancing B. Manual with load balancing C. Lowest Quality (SLA) with load balancing D. Lowest Cost (SLA) with load balancing E. Best Quality with load balancing
A. Lowest Cost (SLA) without load balancing B. Manual with load balancing D. Lowest Cost (SLA) with load balancing
Question 92:
An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?
A. SSL VPN dtls-hello-timeout B. SSL VPN login-timeout C. SSL VPN session-ttl D. SSL VPN idle-timeout
A. SSL VPN dtls-hello-timeout
Question 93:
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
A. In the phase1-interface, enable npu-offload to detect a dead tunnel. B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. C. Enable Dead Peer Detection. D. Use the VPN wizard to create an IPsec template for a redundant IPsec VPN tunnel.
B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. C. Enable Dead Peer Detection.
Explanation
Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
This ensures that the primary tunnel is always preferred, and the secondary is only used when the primary route is unavailable.
Enable Dead Peer Detection DPD allows FortiGate to quickly detect when the primary tunnel is down, enabling faster failover to the backup tunnel.
Question 94:
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully.
However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)
A. In the IP pool configuration, set type to overload. B. In the system settings, set Multiple Interface Policies to enable. C. In the firewall policy, set match-vip to enable using CLI. D. In the IP pool configuration, set endip to 100.65.0.112.
A. In the IP pool configuration, set type to overload. D. In the IP pool configuration, set endip to 100.65.0.112.
Explanation
The IP pool is configured as One-to-One with a range of only 100.65.0.110?00.65.0.111, which allows NAT for only two internal hosts (PC1 and PC2). When PC3 tries to access the internet, no external IP is available for mapping.
To fix this: Change the IP pool type to Overload, allowing multiple internal IPs to share a single external IP.
Expand the IP pool range by setting endip to 100.65.0.112 (or more) so that additional internal hosts (like PC3) can also be assigned a unique external IP.
Question 95:
Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)
A. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster. B. Checksums of devices are compared against each other to ensure configurations are the same. C. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device. D. Checksums of devices will be different from each other because some configuration items are not synced to other HA members.
A. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster. B. Checksums of devices are compared against each other to ensure configurations are the same.
Question 96:
When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface?
A. To allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails B. To make sure all sessions without source NAT enabled always use the primary WAN link C. To improve security by forcing users to authenticate again when the WAN link changes D. To ensure that existing SSL VPN connections remain on the same interface even if route changes occur
D. To ensure that existing SSL VPN connections remain on the same interface even if route changes occur
Explanation
Session preservation keeps active sessions, such as SSL VPNs, tied to the original interface to prevent disruption when WAN routes change.
Question 97:
Refer to the exhibit, which shows a firewall policy to enable active authentication.
When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
What is the most likely reason for this situation?
A. The Service DNS is required in the firewall policy. B. The Remote-users group must be set up correctly in the FSSO configuration. C. No matching user account exists for this user. D. The Remote-users group is not added to the Destination.
A. The Service DNS is required in the firewall policy.
Explanation
For active authentication (such as captive portal) to trigger, the FortiGate must intercept the user's initial web request. This requires DNS traffic to pass through the FortiGate so it can redirect the request to the login page. If the firewall policy does not include the DNS service, the user's browser resolves domains directly, and the authentication portal is never triggered.
Question 98:
Refer to the exhibit.
An administrator has created a new firewall address to use as the destination for a static route.
Why is the administrator not able to select the new address in the Destination field of the new static route?
A. In the new static route, the administrator must select Named Address. B. In the new firewall address, the FQDN address must first beresolved. C. In the new static route, the administrator must first set the interface to port2. D. In the new firewall address, Routing configuration must be enabled.
D. In the new firewall address, Routing configuration must be enabled.
Explanation
To use an FQDN-based address object as a destination in a static route, the "Routing configuration" option must be enabled in the firewall address settings. Without this, the address cannot be selected for routing.
Question 99:
What are three key routing principles in SD-WAN? (Choose three.)
A. By default, SD-WAN rules are skipped if the included SD-WAN members do not have a valid route to the destination. B. SD-WAN rules have precedence over any other type of routes. C. Regular policy routes have precedence over SD-WAN rules. D. By default. SD-WAN rules are skipped if only one route to the destination is available. E. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
A. By default, SD-WAN rules are skipped if the included SD-WAN members do not have a valid route to the destination. C. Regular policy routes have precedence over SD-WAN rules. E. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
Question 100:
Refer to the exhibits.
ht
You are asked to implement an antivirus profile for files downloaded through FTP, HTTP, and HTTPS.
While testing, you are successful with HTTP and FTP protocols, but FortiGate does not block the file download over HTTPS.
What could be the cause?
A. The feature set in the antivirus profile is not set to Flow-based. B. Web filter is not enabled on the firewall policy to complement the antivirus profile. C. The action on the firewall policy is not set to deny. D. The SSL inspection mode in the firewall policy is not deep content inspection.
D. The SSL inspection mode in the firewall policy is not deep content inspection.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Fortinet exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your FCP_FGT_AD-7.6 exam preparations
and Fortinet certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.