When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.
Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)
A. Allow
B. Trust & Allow
C. Allow & Warning
D. Block
E. Block & Warning
A. Allow B. Trust & Allow D. Block
Question 52:
An administrator configured a FortiGate device to act as a collector for agentless polling mode.
What must the administrator add to the FortiGate device to retrieve AD user group information?
A. TACACS server
B. LDAP server
C. RADIUS server
D. Keycloak server
B. LDAP server
Explanation
In agentless polling mode, FortiGate directly queries Active Directory to obtain user and group information.
To do this, the administrator must configure an LDAP server on the FortiGate, which allows it to retrieve user group membership details from AD.
Question 53:
What are two characteristics of HA cluster heartbeat IP addresses in a FortiGate device? (Choose two.)
A. Heartbeat interfaces have virtual IP addresses that are manually assigned.
B. Heartbeat IP addresses are used to distinguish between cluster members.
C. The heartbeat interface of the primary device in the cluster is always assigned IP address 169.254.0.1.
D. A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster.
B. Heartbeat IP addresses are used to distinguish between cluster members. C. The heartbeat interface of the primary device in the cluster is always assigned IP address 169.254.0.1.
Question 54:
Refer to the exhibits.
A diagram of a FortiGate device connected to the network, a VIP object, and firewall policy configurations are shown.
The WAN (port2) interface has the IP address 100.65.0.101/24. The LAN (port4) interface has the IP address 10.0.11.254/24.
If the host 100.65.1.111 sends a TCP SYN packet on port 443 to 100.65.0.200, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?
A. 10.0.11.254, 10.0.15.50, and 4443, respectively
B. 100.65.1.111, 10.0.11.50, and 443, respectively
C. 10.0.11.254, 100.65.0.200, and 443, respectively
D. 100.65.1.111, 10.0.11.50, and 4443, respectively
D. 100.65.1.111, 10.0.11.50, and 4443, respectively
Explanation
The VIP object maps the external IP 100.65.0.200:443 to the internal server 10.0.11.50:4443. Since NAT is disabled on the firewall policy, the source IP is preserved. So, when host 100.65.1.111 connects to 100.65.0.200:443:
The source address remains 100.65.1.111.
The destination IP is translated to 10.0.11.50.
The destination port is translated to 4443.
Question 55:
You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.
What FortiGate settings should you check to resolve this issue?
A. FortiGuard category ratings
B. Application and Filter Overrides
C. Network Protocol Enforcement
D. Replacement Messages for UDP-based Applications
C. Network Protocol Enforcement
Explanation
Network Protocol Enforcement settings control how FortiGate inspects and enforces protocols on traffic, including peer-to-peer applications on known ports. If not properly enabled, peer-to-peer traffic may bypass blocking despite the application control profile.
Question 56:
What are two features of collector agent advanced mode? (Choose two.)
A. Advanced mode supports nested or inherited groups.
B. In advanced mode, security profiles can be applied only to user groups, not individual users.
C. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
D. Advanced mode uses the Windows convention - NetBIOS: Domain\Username.
A. Advanced mode supports nested or inherited groups. C. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
Question 57:
Refer to the exhibits.
A web filter profile configuration and firewall policy configuration are shown. You are trying to access www.facebook.com, but you are redirected to a FortiGuard web filtering block page.
Based on the exhibits, what is the possible cause of the issue?
A. The web filter profile feature set is configured incorrectly.
B. The web rating override configuration is incorrect.
C. The firewall policy inspection mode is incorrect.
D. For www.facebook.com, the URL filter action is incorrect.
B. The web rating override configuration is incorrect.
Explanation
The web filter profile shows a URL filter override for www.facebook.com with action Monitor, which should allow access. However, the block page shows FortiGuard categorizing www.facebook.com as Malicious Websites and blocking it. This indicates that the web rating override configuration is incorrect (the override is not applied properly), so FortiGuard's default category action takes precedence and blocks the site.
Question 58:
You want to ensure that an SSL VPN user's authenticated session does not remain active after they disconnect from the VPN.
Which configuration will ensure this?
A. Configure the firewall authentication session timeout to be lower than the SSL VPN session timeout.
B. Manually clear active firewall authentication sessions after a user disconnects.
C. Increase the SSL VPN idle timeout to reduce the chance of early disconnections.
D. Enable settings to force the firewall authentication session to end when the SSL VPN session ends.
D. Enable settings to force the firewall authentication session to end when the SSL VPN session ends
Explanation
To ensure that an authenticated SSL VPN user session does not persist after disconnecting, you must enable the setting that forces the firewall authentication session to end when the SSL VPN session ends.
This ensures that once the VPN disconnects, the associated firewall authentication state is immediately cleared, preventing unintended access.
Question 59:
Which two statements describe characteristics of automation stitches? (Choose two.)
A. Actions involve only devices included in the Security Fabric.
B. An automation stitch can have multiple triggers.
C. Multiple actions can run in parallel.
D. Triggers can involve external connectors.
C. Multiple actions can run in parallel. D. Triggers can involve external connectors.
Explanation
Automation stitches can execute multiple actions concurrently (in parallel).
Triggers for automation stitches can come from external connectors beyond just Fortinet devices.
Question 60:
An administrator enabled certificate inspection on a firewall policy. Users report that access to several SaaS applications fails, even though the policy is configured to allow the traffic.
What is the most likely cause?
A. The FortiGate CA certificate is not imported into client browsers
B. The SaaS application enforces HSTS and blocks FortiGate's temporary certificate
C. The SaaS application does not support TLS session reuse
D. The SaaS domain is exempted from deep inspection but not from certificate inspection
B. The SaaS application enforces HSTS and blocks FortiGate's temporary certificate
Explanation
Some SaaS applications enforce strict HSTS (HTTP Strict Transport Security).
With certificate inspection, FortiGate cannot present original certificates, causing HSTS-protected sites to reject connections, even though SSL decryption is not performed.