What can you conclude from the log shown in the exhibit?
A. The IPS scan is paused by the IPS diagnostic command with bypass mode option 5. B. The IPS socket buffer is full and IPS engine needs more memory to create new sessions. C. The IPS session scan is paused and reevaluating the packet because of a dirty flag. D. The IPS socket buffer is full and IPS engine cannot decode a packet.
B. The IPS socket buffer is full and IPS engine needs more memory to create new sessions.
Explanation
The log message IPS session scan paused, enter fail open mode indicates that the IPS socket buffer is full, meaning the IPS engine does not have enough memory to process new sessions. As a result, FortiGate switches to fail-open mode, allowing traffic to pass (or temporarily dropping it) without full IPS scanning.
Question 112:
An administrator must enable a DHCP server on one of the directly connected networks on FortiGate.
However, the administrator is unable to complete the process on the GUI to enable the service on the interface.
In this scenario, what prevents the administrator from enabling DHCP service?
A. The DHCP server setting is available only on the CLI. B. Another interface is configured as the only DHCP server on FortiGate. C. The FortiGate model does not support the DHCP server. D. The role of the interface prevents setting a DHCP server.
D. The role of the interface prevents setting a DHCP server.
Question 113:
Refer to the exhibit to view the firewall policy.
Why would the firewall policy not block a well-known virus, for example eicar?
A. The firewall policy does not apply deep content inspection. B. Web filter is not enabled on the firewall policy to complement the antivirus profile. C. The firewall policy is not configured in proxy-based inspection mode. D. The action on the firewall policy is not set to deny.
A. The firewall policy does not apply deep content inspection.
Question 114:
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy, and the sniffer CLI output on the FortiGate device.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT) when it pings remote server (10.200.3.1).
Which two statements are valid to achieve this goal? (Choose two.)
A. Enable NAT on the Allow_access firewall policy. B. Disable NAT on the Internet_Access firewall policy. C. Disable port forwarding on the VIP object. D. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
C. Disable port forwarding on the VIP object. D. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
Question 115:
Refer to the exhibit.
Why did FortiGate drop the packet?
A. It matched the default implicit firewall policy. B. It failed the RPF check. C. The next-hop IP address is unreachable. D. It matched an explicitly configured firewall policy with the action DENY.
A. It matched the default implicit firewall policy.
Question 116:
An administrator needs to analyze and resolve port conflicts between SSL VPN and HTTPS administrative access on the same interface.
In which two ways can this be done? (Choose two.)
A. Disable SSL VPN if HTTPS administrative access is using port 443 on any interface. B. Keep port 443 for both SSL VPN and HTTPS administrative access on the same interface without any problems. C. Run SSL VPN on one interface using port 443 and enable HTTPS administrative access on a different interface, also using port 443. D. Change the port number for either the SSL VPN service or the HTTPS administrative service if both are on the same interface.
C. Run SSL VPN on one interface using port 443 and enable HTTPS administrative access on a different interface, also using port 443. D. Change the port number for either the SSL VPN service or the HTTPS administrative service if both are on the same interface.
Explanation
You can keep port 443 for SSL VPN on one interface and also use port 443 for HTTPS admin access on a different interface. Since the services are bound to different interfaces, no conflict occurs.
If both SSL VPN and HTTPS admin access are required on the same interface, you must change the port number for one of the services to avoid a port conflict.
Question 117:
A FortiGate firewall policy is configured with active authentication, however, the user cannot authenticate when accessing a website.
Which protocol must FortiGate allow even though the user cannot authenticate?
A. LDAP B. TACASC+ C. Kerberos D. DNS
D. DNS
Explanation
DNS traffic must be allowed so the user can resolve domain names and reach the authentication server or web resources, even if authentication initially fails.
Question 118:
Refer to the exhibits.
An administrator configured both members of an HA cluster at the same time. After one week of monitoring, the administrator wants to verify the HA failover performance.
How can the administrator force a failover?
A. The administrator must reset the HA uptime on HQ-NGFW-1. B. The administrator must set the parameter override to enable on HQ-NGFW-2. C. The administrator must increase the HA priority on HQ-NGFW-2. D. The administrator must set the monitored port to down on HQ-NGFW-1.
A. The administrator must reset the HA uptime on HQ-NGFW-1.
Question 119:
An administrator notices that SSL VPN users can connect, but no traffic is passing through the tunnel.
Which configuration issue is the most likely cause?
A. Split tunneling is disabled B. The SSL VPN portal does not define bookmark URLs C. The SSL VPN user group is not added to a firewall policy D. The SSL VPN interface has no IP assigned
C. The SSL VPN user group is not added to a firewall policy
Explanation
After authentication, SSL VPN traffic must match a firewall policy that allows traffic from the SSL VPN tunnel interface. If the user group is not added to the policy, no traffic is permitted.
Question 120:
You have configured the below commands on a FortiGate.
What would be the impact of this configuration on FortiGate?
A. FortiGate will enable strict RPF on ail its interfaces and port1 will be enable for asymmetric routing. B. FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks. C. Port1 will be enabled with flexible RPF, and all other interfaces will be enabled for strict RPF D. The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces.
B. FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks.
Explanation
The global setting enables strict source checking (RPF) on all interfaces by default. The per-interface setting disables the source check on port1, exempting it from strict RPF enforcement.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Fortinet exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your FCP_FGT_AD-7.6 exam preparations
and Fortinet certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.