ExamGecko
Search Search Login
Home Home / Fortinet / FCP_FGT_AD-7.4

Fortinet FCP_FGT_AD-7.4 Practice Test - Questions Answers, Page 2

Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Refer to the exhibits. FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What would be the expected outcome in the HA cluster?
Which three methods are used by the collector agent for AD polling? (Choose three.)
Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver. Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)
Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
An administrator configured a FortiGate to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve AD user group information?
Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)
Refer to the exhibit, which shows a partial configuration from the remote authentication server. Why does the FortiGate administrator need this configuration?
A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad. Which IPsec Wizard template must the administrator apply?
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
Which method allows management access to the FortiGate CLI without network connectivity?

Question 11

Report
Export
Collapse

Refer to the exhibits.

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

A.
Apple FaceTime will be allowed, based on the Video/Audio category configuration.
A.
Apple FaceTime will be allowed, based on the Video/Audio category configuration.
Answers
B.
Apple FaceTime will be allowed, based on the Apple filter configuration.
B.
Apple FaceTime will be allowed, based on the Apple filter configuration.
Answers
C.
Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
C.
Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
Answers
D.
Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
D.
Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
Answers
Suggested answer: D

Question 12

Report
Export
Collapse

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A.
SSL VPN idle-timeout
A.
SSL VPN idle-timeout
Answers
B.
SSL VPN login-timeout
B.
SSL VPN login-timeout
Answers
C.
SSL VPN dtls-hello-timeout
C.
SSL VPN dtls-hello-timeout
Answers
D.
SSL VPN session-ttl
D.
SSL VPN session-ttl
Answers
Suggested answer: C

Explanation:

For a high-latency internet connection, the SSL VPN setting that should be adjusted is:C . SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for aDTLS hello message from the client. For high-latency connections, increasing this timeout willprevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.The other options are not suitable:A . SSL VPN idle-timeout: This setting controls the idle time allowed before a session isterminated, which is not relevant to the initial connection establishment.B . SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in,but does not affect connection negotiation.D . SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session butdoes not directly address issues caused by high latency.ReferenceFortiOS 7.4.1 Administration Guide - SSL VPN Configuration, page 1415.

Question 13

Report
Export
Collapse

When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.

Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)

A.
Allow & Warning
A.
Allow & Warning
Answers
B.
Trust & Allow
B.
Trust & Allow
Answers
C.
Allow
C.
Allow
Answers
D.
Block & Warning
D.
Block & Warning
Answers
E.
Block
E.
Block
Answers
Suggested answer: A, D, E

Explanation:

When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there arethree valid actions it can take:Allow & Warning: This action allows the session but generates a warning.Block & Warning: This action blocks the session and generates a warning.Block: This action blocks the session without generating a warning.Actions such as 'Trust & Allow' or just 'Allow' without additional configurations are notapplicable in the context of handling invalid certificates.FortiOS 7.4.1 Administration Guide: Configuring SSL/SSH inspection profile

Question 14

Report
Export
Collapse

Refer to the exhibit, which shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A.
The sensor will gather a packet log for all matched traffic.
A.
The sensor will gather a packet log for all matched traffic.
Answers
B.
The sensor will reset all connections that match these signatures.
B.
The sensor will reset all connections that match these signatures.
Answers
C.
The sensor will allow attackers matching the Microsoft.Windows.iSCSl.Target.DoS signature.
C.
The sensor will allow attackers matching the Microsoft.Windows.iSCSl.Target.DoS signature.
Answers
D.
The sensor will block all attacks aimed at Windows servers.
D.
The sensor will block all attacks aimed at Windows servers.
Answers
Suggested answer: A, C

Explanation:

The Microsoft.Windows.iSCSI.Target.DoS signature is set to 'Monitor' with packet loggingenabled, meaning that while traffic matching this signature will be allowed, it will also belogged for further analysis.The generic Windows filter is set to 'Block,' meaning that all other attacks matching this filterwill be blocked. However, the sensor will not reset connections or log packets unless specified.Therefore, the sensor will allow attackers matching the specific DoS signature while blockingother attacks against Windows.FortiOS 7.4.1 Administration Guide: IPS Configuration

Question 15

Report
Export
Collapse

Which statement is a characteristic of automation stitches?

A.
They can be run only on devices in the Security Fabric.
A.
They can be run only on devices in the Security Fabric.
Answers
B.
They can be created only on downstream devices in the fabric.
B.
They can be created only on downstream devices in the fabric.
Answers
C.
They can have one or more triggers.
C.
They can have one or more triggers.
Answers
D.
They can run multiple actions at the same time.
D.
They can run multiple actions at the same time.
Answers
Suggested answer: C

Explanation:

Automation stitches on FortiGate can have one or more triggers, which are conditions or eventsthat activate the automation stitch. The trigger defines when the automation stitch shouldexecute the defined actions. Actions within a stitch can be executed sequentially or in parallel,depending on the configuration.FortiOS 7.4.1 Administration Guide: Automation Stitches

Question 16

Report
Export
Collapse

What is the primary FortiGate election process when the HA override setting is disabled?

A.
Connected monitored ports > Priority > System uptime > FortiGate serial number
A.
Connected monitored ports > Priority > System uptime > FortiGate serial number
Answers
B.
Connected monitored ports > System uptime > Priority > FortiGate serial number
B.
Connected monitored ports > System uptime > Priority > FortiGate serial number
Answers
C.
Connected monitored ports > Priority > HA uptime > FortiGate serial number
C.
Connected monitored ports > Priority > HA uptime > FortiGate serial number
Answers
D.
Connected monitored ports > HA uptime > Priority > FortiGate serial number
D.
Connected monitored ports > HA uptime > Priority > FortiGate serial number
Answers
Suggested answer: C

Question 17

Report
Export
Collapse

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A.
The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
A.
The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
Answers
B.
The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
B.
The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Answers
C.
The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C.
The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
Answers
D.
The client FortiGate requires a manually added route to remote subnets.
D.
The client FortiGate requires a manually added route to remote subnets.
Answers
Suggested answer: B, C

Explanation:

For SSL VPN to function correctly between two FortiGate devices, the following settings arerequired:
B . The server FortiGate requires a CA certificate to verify the client FortiGate certificate: Theserver FortiGate must have a Certificate Authority (CA) certificate installed to authenticate andverify the certificate presented by the client FortiGate device.
C . The client FortiGate requires a client certificate signed by the CA on the server FortiGate:The client FortiGate must have a client certificate that is signed by the same CA that the serverFortiGate uses for verification. This ensures a secure SSL VPN connection between the twodevices.The other options are not directly necessary for establishing SSL VPN:A . The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: This isincorrect as SSL VPN does not require a specific tunnel interface type; it typically uses an SSLVPN client profile.
D . The client FortiGate requires a manually added route to remote subnets: While routing maybe necessary, it is not specifically required for the SSL VPN functionality between twoFortiGates.ReferenceFortiOS 7.4.1 Administration Guide - Configuring SSL VPN, page 1203.FortiOS 7.4.1 Administration Guide - SSL VPN Authentication, page 1210

Question 18

Report
Export
Collapse

Refer to the exhibit.

Which statement about this firewall policy list is true?

A.
The Implicit group can include more than one deny firewall policy.
A.
The Implicit group can include more than one deny firewall policy.
Answers
B.
The firewall policies are listed by ID sequence view.
B.
The firewall policies are listed by ID sequence view.
Answers
C.
The firewall policies are listed by ingress and egress interfaces pairing view.
C.
The firewall policies are listed by ingress and egress interfaces pairing view.
Answers
D.
LAN to WAN. WAN to LAN. and Implicit are sequence grouping view lists.
D.
LAN to WAN. WAN to LAN. and Implicit are sequence grouping view lists.
Answers
Suggested answer: C

Question 19

Report
Export
Collapse

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

A.
The underlay zone contains port1 and
A.
The underlay zone contains port1 and
Answers
B.
The d-wan zone contains no member.
B.
The d-wan zone contains no member.
Answers
C.
The d-wan zone cannot be deleted.
C.
The d-wan zone cannot be deleted.
Answers
D.
The virtual-wan-link zone contains no member.
D.
The virtual-wan-link zone contains no member.
Answers
Suggested answer: B

Question 20

Report
Export
Collapse

Which two statements describe how the RPF check is used? (Choose two.)

A.
The RPF check is run on the first sent packet of any new session.
A.
The RPF check is run on the first sent packet of any new session.
Answers
B.
The RPF check is run on the first reply packet of any new session.
B.
The RPF check is run on the first reply packet of any new session.
Answers
C.
The RPF check is run on the first sent and reply packet of any new session.
C.
The RPF check is run on the first sent and reply packet of any new session.
Answers
D.
The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
D.
The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
Answers
Suggested answer: A, D
Total 86 questions
Go to page: of 9
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms