Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
A. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based. B. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP. C. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings. D. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode
C. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings. D. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode
Explanation
When SD-WAN is disabled, FortiGate supports volume-based ECMP mode via the v4-ecmp-mode parameter.
When SD-WAN is enabled, the load balancing algorithm is controlled by the load-balance-mode parameter within the SD-WAN configuration.
Question 102:
Refer to the exhibits.
The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
A. Apple Face Time will be allowed, based on the Video/Audio category configuration. B. Apple Face Time will be blocked, based on the Excessive-Bandwidth filter configuration. C. Apple Face Time will be allowed, based on the Apple filter configuration. D. Apple Face Time will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
B. Apple Face Time will be blocked, based on the Excessive-Bandwidth filter configuration.
Question 103:
Refer to the exhibit.
The administrator configured SD-WAN rules and set the FortiGate traffic log page to display SD-WAN- specific columns: SD-WAN Quality and SD- WAN Rule Name.
FortiGate allows the traffic according to policy ID 1 placed at the top. This is the policy that allows SD-WAN traffic. Despite these settings, the traffic logs do not show the name of the SD-WAN rule used to steer those traffic flows.
What could be the reason?
A. SD-WAN rule names do not appear immediately. The administrator must refresh the page. B. There is no application control profile applied to the firewall policy. C. FortiGate load balanced the traffic according to the implicit SD-WAN rule. D. Destinations in the SD-WAN rules are configured for each application, but feature visibility is not enabled.
C. FortiGate load balanced the traffic according to the implicit SD-WAN rule.
Explanation
The SD-WAN traffic log does not display an SD-WAN rule name because the traffic is being forwarded by the implicit SD-WAN rule. If no explicit SD-WAN rule matches the traffic, FortiGate falls back to the default implicit rule, which balances traffic based on the configured strategy (such as volume or sessions). Since no explicit rule applied, the rule name field remains blank in the logs.
Question 104:
An administrator configured a FortiGate to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve AD user group information?
A. DHCP server B. RADIUS server C. LDAP server D. Windows server
C. LDAP server
Question 105:
An administrator wanted to configure an IPS sensor to block traffic that triggers a signature set number of times during a specific time period.
How can the administrator achieve the objective?
A. Use IPS group signatures, set rate-mode 60. B. Use IPS packet logging option with periodical filter option. C. Use IPS filter, rate-mode periodical option. D. Use IPS signatures, rate-mode periodical option.
C. Use IPS filter, rate-mode periodical option.
Question 106:
A user authenticated via FSSO is unable to access the internet. The administrator verifies that the user successfully logged into the domain.
What should the administrator check first?
A. Whether the Collector Agent is reachable on TCP 8000 B. Whether the user's IP address appears in the FSSO active user list C. Whether LDAP server connectivity is working D. Whether NTLM authentication is enabled
B. Whether the user's IP address appears in the FSSO active user list
Explanation
Even if AD login is successful, FortiGate relies on the FSSO active user list to map username and IP. If the user does not appear in the list, identity-based policies will not match.
Question 107:
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (HQ-NGFW-1) in the Security Fabric.
After synchronization, this object is not available on the downstream FortiGate (HQ-ISFW). What must the administrator do to synchronize the address object?
A. Change the csf setting on HQ-ISFW (downstream) to set configuration-sync local. B. Change the csf setting on HQ-ISFW (downstream) to set saml-configuration-sync default. C. Change the csf setting on HQ-NGFW-1 (root) to set fabric-object-unification default. D. Change the csf setting on both devices to set downstream-access enable.
C. Change the csf setting on HQ-NGFW-1 (root) to set fabric-object-unification default.
Explanation
On HQ-NGFW-1 (the root FortiGate), the setting set fabric-object-unification local prevents address objects created on the root from synchronizing downstream. To propagate objects across the Security Fabric, this must be set to default. Changing the root's csf configuration to set fabric-object-unification default ensures that new address objects are synchronized to HQ-ISFW and other downstream devices.
Question 108:
Refer to the exhibit.
Which statement about this firewall policy list is true?
A. The firewall policies are listed by ID sequence view. B. The firewall policies are listed by ingress and egress interfaces pairing view. C. The Implicit group can include more than one deny firewall policy. D. LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists.
D. LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists.
Question 109:
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
A. The subject alternative name (SAN) field in the server certificate. B. The server name indication (SNI) extension in the client hello message. C. The serial number in the server certificate. D. The subject field in the server certificate. E. The host field in the HTTP header.
A. The subject alternative name (SAN) field in the server certificate. B. The server name indication (SNI) extension in the client hello message. D. The subject field in the server certificate.
Question 110:
A FortiGate administrator wants to enforce a DNS filter profile, but the DNS filter does not trigger even when domains match the block list.
What must be checked?
A. Whether DNS traffic is intercepted via explicit proxy B. Whether DNS traffic is matching the correct firewall policy C. Whether DNS filtering is enabled under system features D. Whether FortiGate is configured as a DNS forwarder
B. Whether DNS traffic is matching the correct firewall policy
Explanation
DNS filters apply only on firewall policies that process DNS traffic. If the DNS traffic does not match a policy that includes a DNS filter profile, blocking actions will not occur.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Fortinet exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your FCP_FGT_AD-7.6 exam preparations
and Fortinet certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.