A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)
A. On HQ-FortiGate, set IKE mode to Main (ID protection).
B. On Remote-FortiGate, set port2 as Interface.
C. On HQ-FortiGate, disable Diffie-Hellman group 2.
D. On both FortiGate devices, set Dead Peer Detection to On Demand.
A. On HQ-FortiGate, set IKE mode to Main (ID protection).
B. On Remote-FortiGate, set port2 as Interface.
Question 62:
Refer to the exhibit.
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit.
What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
A. Traffic matching the signature will be allowed and logged.
B. The signature setting uses a custom rating threshold.
C. The signature setting includes a group of other signatures.
D. Traffic matching the signature will be silently dropped and logged.
D. Traffic matching the signature will be silently dropped and logged.
Question 63:
Refer to the exhibit, which shows a partial configuration from the remote authentication server.
Why does the FortiGate administrator need this configuration?
A. To set up a RADIUS server Secret.
B. To authenticate Any FortiGate user groups.
C. To authenticate and match the Training OU on the RADIUS server.
D. To authenticate only the Training user group.
D. To authenticate only the Training user group.
Explanation
The Fortinet-Group-Name attribute is used to restrict authentication to users who belong specifically to the "Training" user group on the RADIUS server.
Question 64:
Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate.
Based on the system performance output, what can be the two possible outcomes? (Choose two.)
A. FortiGate will start sending all files to FortiSandbox for inspection.
B. Administrators can access FortiGate only through the console port.
C. FortiGate has entered conserve mode.
D. Administrators cannot change the configuration.
C. FortiGate has entered conserve mode.
D. Administrators cannot change the configuration.
Question 65:
Refer to the exhibit.
The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?
A. Move NOC_Access to the top of the list to ensure all profile settings take effect.
B. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
C. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access.
D. Increase the admintimeout value under config system accprofile NOC_Access.
B. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
Question 66:
What is the primary FortiGate election process when the HA override setting is enabled?
A. Connected monitored ports > Priority > HA uptime > FortiGate serial number
B. Connected monitored ports > Priority > System uptime > FortiGate serial number
C. Connected monitored ports > HA uptime > Priority > FortiGate serial number
D. Connected monitored ports > System uptime > Priority > FortiGate serial number
A. Connected monitored ports > Priority > HA uptime > FortiGate serial number
Explanation
When HA override is enabled, FortiGate uses the following election order: number of connected monitored ports, then device priority, followed by HA uptime, and finally FortiGate serial number as a tiebreaker.
Question 67:
An administrator wants to analyze and manage digital certificates to prevent browser warnings when users connect to the SSL VPN portal.
Which two statements describe how to correctly do this? (Choose two.)
A. The administrator can rely on the default FortiGate self-signed certificate to prevent all security warnings in the browser.
B. The administrator must disable HTTPS administrative access entirely to avoid certificate warnings.
C. The administrator can use a publicly trusted certificate from a known certificate authority (CA) to stop browser warnings.
D. The administrator can import the FortiGate self-signed certificate into each user's browser as a trusted certificate.
C. The administrator can use a publicly trusted certificate from a known certificate authority (CA) to stop browser warnings.
D. The administrator can import the FortiGate self-signed certificate into each user's browser as a trusted certificate.
Explanation
Using a publicly trusted certificate from a known CA prevents browser warnings without additional user action.
Importing the FortiGate self-signed certificate into users' browsers as trusted eliminates warnings caused by untrusted certificates.
Question 68:
An administrator needs to ensure that a specific SSL VPN user group is allowed to log in only from countries defined in a geographic object.
Which configuration on FortiGate meets this requirement?
A. Configure a firewall policy with geo-based source address under the SSL root interface
B. Enable source-address-filter in the SSL VPN portal and assign the geographic object
C. Add the geographic object under SSL VPN settings Authentication/Portal Mapping
D. Configure a local-in policy to restrict SSL VPN access based on the geographic object
D. Configure a local-in policy to restrict SSL VPN access based on the geographic object
Explanation
Local-in policies control traffic destined to FortiGate itself, including SSL VPN portal access.
To restrict SSL VPN logins based on country, the administrator must configure a local-in policy using the geographic object as the source. Firewall policies do not apply to traffic hitting FortiGate services, and the portal settings do not enforce geolocation restrictions.
Question 69:
Refer to the exhibit.
Which two statements are true about the routing entries in this database table? (Choose two.)
A. The default route on port2 is marked as the standby route.
B. Both default routes have different administrative distances.
C. The port2 interface is marked as inactive.
D. All of the entries in the routing database table are installed in the FortiGate routing table.
A. The default route on port2 is marked as the standby route.
B. Both default routes have different administrative distances.
Question 70:
A network administrator wants to ensure that a specific address object created on the root FortiGate is synchronized to downstream devices in the Security Fabric.
Which configuration is required?
A. Enable object-sync in the downstream FortiGate device
B. Set fabric-object-unification to default on the root FortiGate
C. Enable auto-authorization on all downstream devices
D. Configure the address object as type "Fabric Connector"
B. Set fabric-object-unification to default on the root FortiGate
Explanation
fabric-object-unification controls whether objects on the root FortiGate are synchronized to the rest of the Security Fabric. Setting it to default enables object propagation.