
Fortinet FCP_FGT_AD-7.4 Practice Test - Questions Answers, Page 2

List of questions

Question 11

Refer to the exhibits.

[Exhibit images]

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration.
B. Apple FaceTime will be allowed, based on the Apple filter configuration.
C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
Suggested answer: D
asked 18/09/2024
TRONG KY
54 questions

Question 12

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A. SSL VPN idle-timeout
B. SSL VPN login-timeout
C. SSL VPN dtls-hello-timeout
D. SSL VPN session-ttl
Suggested answer: C
Explanation:

For a high-latency internet connection, the SSL VPN setting that should be adjusted is:

C. SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.

The other options are not suitable:

A. SSL VPN idle-timeout: This setting controls the idle time allowed before a session is terminated, which is not relevant to the initial connection establishment.
B. SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.
D. SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session but does not directly address issues caused by high latency.

Reference: FortiOS 7.4.1 Administration Guide - SSL VPN Configuration, page 1415.

asked 18/09/2024
Jay Chua
47 questions

Question 13

When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.

Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)

A. Allow & Warning
B. Trust & Allow
C. Allow
D. Block & Warning
E. Block
Suggested answer: A, D, E
Explanation:

When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three valid actions it can take:

Allow & Warning: This action allows the session but generates a warning.
Block & Warning: This action blocks the session and generates a warning.
Block: This action blocks the session without generating a warning.

Actions such as 'Trust & Allow' or just 'Allow' without additional configurations are not applicable in the context of handling invalid certificates.

Reference: FortiOS 7.4.1 Administration Guide: Configuring SSL/SSH inspection profile

asked 18/09/2024
Werner Deysel
39 questions

Question 14

Refer to the exhibit, which shows the IPS sensor configuration.

[Exhibit image]

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will gather a packet log for all matched traffic.
B. The sensor will reset all connections that match these signatures.
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
D. The sensor will block all attacks aimed at Windows servers.
Suggested answer: A, C
Explanation:

The Microsoft.Windows.iSCSI.Target.DoS signature is set to 'Monitor' with packet logging enabled, meaning that while traffic matching this signature will be allowed, it will also be logged for further analysis.

The generic Windows filter is set to 'Block,' meaning that all other attacks matching this filter will be blocked. However, the sensor will not reset connections or log packets unless specified.

Therefore, the sensor will allow attackers matching the specific DoS signature while blocking other attacks against Windows.

Reference: FortiOS 7.4.1 Administration Guide: IPS Configuration

asked 18/09/2024
Scott Taylor
36 questions

Question 15

Which statement is a characteristic of automation stitches?

A. They can be run only on devices in the Security Fabric.
B. They can be created only on downstream devices in the fabric.
C. They can have one or more triggers.
D. They can run multiple actions at the same time.
Suggested answer: C
Explanation:

Automation stitches on FortiGate can have one or more triggers, which are conditions or events that activate the automation stitch. The trigger defines when the automation stitch should execute the defined actions. Actions within a stitch can be executed sequentially or in parallel, depending on the configuration.

Reference: FortiOS 7.4.1 Administration Guide: Automation Stitches

asked 18/09/2024
HAO KANG SUNG
41 questions

Question 16

What is the primary FortiGate election process when the HA override setting is disabled?

A. Connected monitored ports > Priority > System uptime > FortiGate serial number
B. Connected monitored ports > System uptime > Priority > FortiGate serial number
C. Connected monitored ports > Priority > HA uptime > FortiGate serial number
D. Connected monitored ports > HA uptime > Priority > FortiGate serial number
Suggested answer: C
asked 18/09/2024
Jonathan Steeman
39 questions

Question 17

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
D. The client FortiGate requires a manually added route to remote subnets.
Suggested answer: B, C
Explanation:

For SSL VPN to function correctly between two FortiGate devices, the following settings are required:

B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate must have a Certificate Authority (CA) certificate installed to authenticate and verify the certificate presented by the client FortiGate device.
C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate: The client FortiGate must have a client certificate that is signed by the same CA that the server FortiGate uses for verification. This ensures a secure SSL VPN connection between the two devices.

The other options are not directly necessary for establishing SSL VPN:

A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: This is incorrect as SSL VPN does not require a specific tunnel interface type; it typically uses an SSL VPN client profile.
D. The client FortiGate requires a manually added route to remote subnets: While routing may be necessary, it is not specifically required for the SSL VPN functionality between two FortiGates.

Reference:
FortiOS 7.4.1 Administration Guide - Configuring SSL VPN, page 1203.
FortiOS 7.4.1 Administration Guide - SSL VPN Authentication, page 1210

asked 18/09/2024
Tyler Smith
48 questions

Question 18

Refer to the exhibit.

[Exhibit image]

Which statement about this firewall policy list is true?

A. The Implicit group can include more than one deny firewall policy.
B. The firewall policies are listed by ID sequence view.
C. The firewall policies are listed by ingress and egress interfaces pairing view.
D. LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists.
Suggested answer: C
asked 18/09/2024
josh hill
41 questions

Question 19

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

[Exhibit image]

Based on the exhibit, which statement is true?

A. The underlay zone contains port1 and
B. The d-wan zone contains no member.
C. The d-wan zone cannot be deleted.
D. The virtual-wan-link zone contains no member.
Suggested answer: B
asked 18/09/2024
Tural Pashayev
34 questions

Question 20

Which two statements describe how the RPF check is used? (Choose two.)

A. The RPF check is run on the first sent packet of any new session.
B. The RPF check is run on the first reply packet of any new session.
C. The RPF check is run on the first sent and reply packet of any new session.
D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
Suggested answer: A, D
asked 18/09/2024
Mashudu Abraham
40 questions
Total 88 questions