The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
Which IP address will be used to source NAT (SNAT) the traffic if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
A. 10.200.1.1 B. 10.200.1.99 C. 10.200.1.49 D. 10.200.1.149
B. 10.200.1.99
Question 122:
Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.
ht
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
A. Flow-based inspection is used, which resets the last packet to the user. B. The option to send files to FortiSandbox for inspection is enabled. C. The firewall policy performs a full content inspection on the file. D. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
A. Flow-based inspection is used, which resets the last packet to the user.
Question 123:
An administrator applies an application control profile that blocks the Social.Media category. However, the users can still access social media sites over HTTPS.
Which configuration is required for proper enforcement?
A. Enable certificate inspection in the firewall policy B. Enable deep inspection in the firewall policy C. Enable DNS filter with domain filtering for social media D. Enable application enforcement for QUIC
B. Enable deep inspection in the firewall policy
Explanation
For HTTPS traffic, application signatures require SSL decryption to inspect encrypted packets. Deep inspection is required for blocking application categories such as Social.Media.
Question 124:
Refer to the exhibit showing a debug flow output.
Which two conclusions can you make from the debug flow output? (Choose two.)
A. The default gateway is configured on port2. B. The RPF check fails. C. The debug flow is for UDP traffic. D. The matching firewall policy denies the traffic.
A. The default gateway is configured on port2. D. The matching firewall policy denies the traffic.
Explanation
The default gateway is configured on port2.
The debug output shows find a route: flag=00000000 gw- 0.0.0.0 via port2, which indicates that the default route (0.0.0.0/0) points out port2.
The matching firewall policy denies the traffic.
The log line Denied by forward policy check (policy 2) confirms that policy 2 matched and explicitly dropped the traffic.
Question 125:
An administrator suspects that the Collector Agent is not forwarding login events to FortiGate.
What is the most effective troubleshooting step?
A. Verify if DC agent is enabled on the FortiGate. B. Restart the domain controller to refresh authentication services. C. Verify if FortiGate is set to use LDAP authentication instead of FSSO. D. Check if TCP port 8000 is open between the collector agent and FortiGate.
D. Check if TCP port 8000 is open between the collector agent and FortiGate.
Explanation
The Collector Agent communicates with FortiGate over TCP port 8000. Ensuring this port is open and reachable is essential for forwarding login events.
Question 126:
Which two statements describe how the RPF check is used? (Choose two.)
A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks. B. The RPF check is run on the first reply packet of any new session. C. The RPF check is run on the first sent packet of any new session. D. The RPF check is run on the first sent and reply packet of any new session.
A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks. C. The RPF check is run on the first sent packet of any new session.
Question 127:
Which three statements about SD-WAN performance SLAs are true? (Choose three.)
A. They rely on session loss and jitter. B. They can be measured actively or passively. C. They are applied in a SD-WAN rule lowest cost strategy. D. They monitor the state of the FortiGate device. E. All the SLA targets can be configured.
B. They can be measured actively or passively. C. They are applied in a SD-WAN rule lowest cost strategy. E. All the SLA targets can be configured.
Question 128:
Which three statements explain a flow-based antivirus profile? (Choose three.)
A. FortiGate buffers the whole file but transmits to the client at the same time. B. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection. C. If a virus is detected, the last packet is delivered to the client. D. Flow-based inspection optimizes performance compared to proxy-based inspection. E. The IPS engine handles the process as a standalone.
A. FortiGate buffers the whole file but transmits to the client at the same time. B. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection. D. Flow-based inspection optimizes performance compared to proxy-based inspection.
Explanation
Flow-based antivirus buffers the entire file while simultaneously transmitting data to the client to minimize latency.
Flow-based inspection combines multiple scanning techniques from proxy-based modes for efficient detection.
Flow-based inspection provides better performance by processing traffic on the fly without full proxy overhead.
Question 129:
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
A. On BR1-FGT, set Seconds to 43200. B. On HQ-NGFW, enable Diffie-Hellman Group 2. C. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0 D. On HQ-NGFW, set Encryption to AES256
C. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0 D. On HQ-NGFW, set Encryption to AES256
Question 130:
You have created a web filter profile named restrict_media-profile with a daily category usage quota.
When you are adding the profile to the firewall policy, the restrict_media-profile is not listed in the available web profile drop down.
What could be the reason?
A. The firewall policy is in no-inspection mode instead of deep-inspection. B. The inspection mode in the firewall policy is not matching with web filter profile feature set. C. The web filter profile is already referenced in another firewall policy. D. The naming convention used in the web filter profile is restricting it in the firewall policy.
B. The inspection mode in the firewall policy is not matching with web filter profile feature set.
Explanation
Web filter profiles with category usage quotas require the firewall policy to be in proxy-based (deep) inspection mode; if the inspection mode does not match this requirement, the profile will not appear in the drop-down list.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Fortinet exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your FCP_FGT_AD-7.6 exam preparations
and Fortinet certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.