Ask Question
Fortinet FCP_FCT_AD-7.2 Practice Test - Questions Answers
Question list
List of questions
Related questions
Question 1
An administrator must add an authentication server on FortiClient EMS in a different security zone that cannot allow a direct connection.
Which solution can provide secure access between FortiClient EMS and the Active Directory server?
Explanation:
Requirement:
The administrator needs to add an authentication server on FortiClient EMS in a different security zone that cannot allow a direct connection.
Solution Analysis:
The goal is to securely connect FortiClient EMS and the Active Directory server despite being in different security zones.
Evaluating Options:
Installing FortiClient EMS on the same VM as Active Directory (option B) is not practical due to security zone separation.
Configuring a slave FortiClient EMS on a virtual machine (option C) does not address the need for secure communication.
Configuring an Active Directory connector (option D) may not be sufficient without secure routing.
Conclusion:
Deploying a FortiGate device between FortiClient EMS and the Active Directory server ensures secure and controlled access between the two zones.
FortiClient EMS and FortiGate configuration and deployment documentation from the study guides.
Question 2
What does FortiClient do as a fabric agent? (Choose two.)
Question 3
Which component or device shares ZTNA tag information through Security Fabric integration?
Explanation:
FortiClient EMS is the component that shares ZTNA tag information through Security Fabric integration. ZTNA tags are synchronized from FortiClient EMS as inputs for the FortiGate application gateway. They can be used in ZTNA policies as security posture checks to ensure certain security criteria are met. FortiClient EMS can share ZTNA tags across multiple devices in the Fabric, such as FortiGate, FortiManager, and FortiAnalyzer. FortiClient EMS can also share ZTNA tags across multiple VDOMs on the same FortiGate device.FortiClient EMS can be configured to control the ZTNA tag sharing behavior in the Fabric Devices settings1.
FortiGate is the device that enforces ZTNA policies using ZTNA tags. FortiGate can receive ZTNA tags from FortiClient EMS via Fabric Connector. FortiGate can also publish ZTNA services through the ZTNA portal, which allows users to access applications without installing FortiClient.FortiGate can also provide ZTNA inline CASB for SaaS application access control2.
FortiGate Access Proxy is a feature that enables FortiGate to act as a proxy for ZTNA traffic. FortiGate Access Proxy can be deployed in front of the application servers to provide ZTNA protection. FortiGate Access Proxy can also be deployed behind the application servers to provide ZTNA visibility.FortiGate Access Proxy can use ZTNA tags to identify and authenticate users and devices2.
FortiClient is the endpoint software that connects to ZTNA services. FortiClient can register ZTNA tags with FortiClient EMS based on the endpoint security posture. FortiClient can also use ZTNA tags to access ZTNA services published by FortiGate.FortiClient can also use ZTNA tags to access SaaS applications with ZTNA inline CASB2.
Technical Tip: Behavior of ZTNA Tags shared across multiple vdoms or multiple FortiGate firewalls in the Security Fabric connected to the same FortiClient EMS Server
Synchronizing FortiClient ZTNA tags
Zero Trust Network Access (ZTNA) to Control Application Access
Question 4
Refer to the exhibits.
Which show the Zero Trust Tag Monitor and the FortiClient GUI status.
Remote-Client is tagged as Remote-Users on the FortiClient EMS Zero Trust Tag Monitor.
What must an administrator do to show the tag on the FortiClient GUI?
Explanation:
Based on the exhibits provided:
The 'Remote-Client' is tagged as 'Remote-Users' in the FortiClient EMS Zero Trust Tag Monitor.
To ensure that the tag 'Remote-Users' is visible in the FortiClient GUI, the system settings within FortiClient need to be updated to enable tag visibility.
The tag visibility feature is controlled by FortiClient system settings which manage how tags are displayed in the GUI.
Therefore, the administrator needs to change the FortiClient system settings to enable tag visibility.
Reference
FortiClient EMS 7.2 Study Guide, Zero Trust Tagging Section
FortiClient Documentation on Tag Management and Visibility Settings
Question 5
Refer to the exhibit, which shows the output of the ZTNA traffic log on FortiGate.
What can you conclude from the log message?
Explanation:
Observation of ZTNA Traffic Log:
The log message indicates that the remote user connection was denied due to failure to match a proxy policy.
Evaluating Log Message:
The message suggests that the connection does not match the existing ZTNA rule configuration, leading to the denial.
Conclusion:
The correct conclusion from the log message is that the remote user connection does not match the ZTNA rule configuration (B).
ZTNA traffic log analysis and configuration documentation from the study guides.
Question 6
ZTNA Network Topology
Refer to the exhibits, which show a network topology diagram of ZTNA proxy access and the ZTNA rule configuration.
An administrator runs the diagnose endpoint record list CLI command on FortiGate to check Remote-Client endpoint information, however Remote-Client is not showing up in the endpoint record list.
What is the cause of this issue?
Question 7
Refer to the exhibits.
Which shows the configuration of endpoint policies.
Based on the configuration, what will happen when someone logs in with the user account student on an endpoint in the trainingAD domain?
Explanation:
Based on the configuration shown in the exhibits:
There are three endpoint policies configured: Training, Sales, and Default.
The 'Training' policy is assigned to the 'trainingAD.training.lab' group.
The 'Sales' policy is assigned to 'All Groups' and 'trainingAD.training.lab/student.'
The 'Default' policy has no specific groups assigned.
When someone logs in with the user account 'student' on an endpoint in the 'trainingAD' domain:
The 'Training' policy is specifically assigned to the 'trainingAD.training.lab' group.
The 'Sales' policy includes 'trainingAD.training.lab/student' but not the general 'trainingAD.training.lab' group.
The system will prioritize the most specific match for the group.
Therefore, FortiClient EMS will assign the 'Training' policy to the 'student' account logging into the 'trainingAD' domain as it matches the group 'trainingAD.training.lab' directly.
Reference
FortiClient EMS 7.2 Study Guide, Endpoint Policy Configuration Section
FortiClient EMS Documentation on Group Policy Assignment and Matching
Question 8
An administrator deploys a FortiClient installation through the Microsoft AD group policy After installation is complete all the custom configuration is missing.
What could have caused this problem?
Explanation:
When deploying FortiClient via Microsoft AD Group Policy, it is essential to ensure that the deployment package is correctly assigned to the target group. The absence of custom configuration after installation can be due to several reasons, but the most likely cause is:
Deployment Package Assignment: The FortiClient package must be assigned to the appropriate group in Group Policy Management. If this step is missed, the installation may proceed, but the custom configurations will not be applied.
Thus, the administrator must ensure that the FortiClient package is correctly assigned to the group to include all custom configurations.
Reference
FortiClient EMS 7.2 Study Guide, Deployment and Installation Section
Fortinet Documentation on FortiClient Deployment using Microsoft AD Group Policy
Question 9
Refer to the exhibits.
Based on the FortiGate Security Fabric settings shown in the exhibits, what must an administrator do on the EMS server to successfully quarantine an endpoint. when it is detected as a compromised host (loC)?
Explanation:
Based on the FortiGate Security Fabric settings shown in the exhibits, to successfully quarantine an endpoint when it is detected as a compromised host (IOC), the following step is required:
Enable Remote HTTPS Access to EMS: This setting allows FortiGate to communicate securely with FortiClient EMS over HTTPS. Remote HTTPS access is essential for the quarantine functionality to operate correctly, enabling the EMS server to receive and act upon the quarantine commands from FortiGate.
Therefore, the administrator must enable remote HTTPS access to EMS to allow the quarantine process to function properly.
Reference
FortiGate Infrastructure 7.2 Study Guide, Security Fabric and Integration with EMS Sections
Fortinet Documentation on Enabling Remote HTTPS Access to FortiClient EMS
Question 10
Exhibit.
Based on the FortiClient logs shown in the exhibit, which endpoint profile policy is currently applied lo the ForliClient endpoint from the EMS server?
Explanation:
Observation of Logs:
The logs show a policy named 'Fortinet-Training' being applied to the endpoint.
Evaluating Policies:
The log entries indicate that the 'Fortinet-Training' policy was received and applied.
Conclusion:
Based on the logs, the currently applied policy on the FortiClient endpoint is 'Fortinet-Training'.
FortiClient EMS policy configuration and log analysis documentation from the study guides.
Question