
Fortinet FCP_FGT_AD-7.4 Practice Test - Questions Answers, Page 4

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.

Which order must FortiGate use when the web filter profile has features such as safe search enabled?

A. FortiGuard category filter and rating filter
B. Static domain filter, SSL inspection filter, and external connectors filters
C. DNS-based web filter and proxy-based web filter
D. Static URL filter, FortiGuard category filter, and advanced filters
Suggested answer: D

FortiGate is integrated with FortiAnalyzer and FortiManager.

When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

A. Log ID
B. Policy ID
C. Sequence ID
D. Universally Unique Identifier
Suggested answer: D

An administrator configured a FortiGate to act as a collector for agentless polling mode.

What must the administrator add to the FortiGate device to retrieve AD user group information?

A. LDAP server
B. RADIUS server
C. DHCP server
D. Windows server
Suggested answer: A

Explanation:

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device.

An administrator manages a FortiGate model that supports NTurbo.

How does NTurbo enhance performance for flow-based inspection?

A. NTurbo offloads traffic to the content processor.
B. NTurbo creates two inspection sessions on the FortiGate device.
C. NTurbo buffers the whole file and then sends it to the antivirus engine.
D. NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces.
Suggested answer: A

Refer to the exhibit.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.

Which action must the administrator perform to consolidate the two policies into one?

A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy
B. Create an Interface Group that includes port1 and port2 to create a single firewall policy
C. Select port1 and port2 subnets in a single firewall policy.
D. Replace port1 and port2 with the any interface in a single firewall policy.
Suggested answer: B

Explanation:

To consolidate the two separate firewall policies for Sales and Engineering departments accessing the same web server, you can create an Interface Group that includes both port1 (Sales) and port2 (Engineering). Once the Interface Group is created, you can use this group as a single incoming interface in a single firewall policy. This approach reduces the number of policies, making management more efficient.

Reference: FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration

Refer to the exhibit, which shows a partial configuration from the remote authentication server.

Why does the FortiGate administrator need this configuration?

A. To authenticate only the Training user group.
B. To set up a RADIUS server Secret
C. To authenticate and match the Training OU on the RADIUS server.
D. To authenticate Any FortiGate user groups.
Suggested answer: C

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.

Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

A. 10.200.1.1
B. 10.200.1.149
C. 10.200.1.99
D. 10.200.1.49
Suggested answer: D

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

A. On HQ-FortiGate, disable Diffie-Hellman group 2.
B. On Remote-FortiGate, set port2 as Interface.
C. On both FortiGate devices, set Dead Peer Detection to On Demand.
D. On HQ-FortiGate, set IKE mode to Main (ID protection).
Suggested answer: C, D

Explanation:

To bring Phase 1 up, the following changes can be made:

A. On HQ-FortiGate, disable Diffie-Hellman group 2: This is incorrect because Diffie-Hellman group 2 is already selected on both devices. Disabling it would not help.

B. On Remote-FortiGate, set port2 as Interface: This is incorrect as both sides should be consistent in their interface settings for the IPsec tunnel, and the interface is correctly set to port1 on both FortiGates in the IPsec configuration.

C. On both FortiGate devices, set Dead Peer Detection to On Demand: This is a valid option. Setting Dead Peer Detection (DPD) to 'On Demand' helps maintain the IPsec connection by checking if the peer is still available, which can help in some cases where the connection fails due to timeouts.

D. On HQ-FortiGate, set IKE mode to Main (ID protection): This is also a valid option because the Remote-FortiGate is already set to Main mode (ID protection). Ensuring that both ends use the same mode is crucial for successful phase 1 negotiation.

Thus, the correct answers are: C. On both FortiGate devices, set Dead Peer Detection to On Demand. D. On HQ-FortiGate, set IKE mode to Main (ID protection).

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors.

What is the reason for the certificate warning errors?

A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
C. The browser does not recognize the certificate in use as signed by a trusted CA.
D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.
Suggested answer: C

Refer to the exhibit.

FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.

What is the most likely reason for this situation?

A. The Service DNS is required in the firewall policy.
B. The user is using an incorrect user name.
C. The Remote-users group is not added to the Destination.
D. No matching user account exists for this user.
Suggested answer: A

Explanation:

Firewall authentication generally requires the DNS service to be enabled in the firewall policy to correctly resolve hostnames during the authentication process. If DNS is not allowed in the firewall policy, the FortiGate cannot resolve external domains, and as a result, the user may not be presented with the login prompt when attempting to access an external website.

Reference: FortiOS 7.4.1 Administration Guide: Firewall Authentication Configuration

Total 86 questions