Fortinet FCP_FGT_AD-7.4 Practice Test - Questions Answers, Page 5

Question 41

Which three methods are used by the collector agent for AD polling? (Choose three.)

WinSecLog
WMI
NetAPI
FSSO REST API
FortiGate polling
Suggested answer: C, D, E
Explanation:

The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:

WinSecLog: Monitors Windows Security Event Logs for login events.
WMI: Uses Windows Management Instrumentation to poll user login sessions.
NetAPI: Utilizes the Netlogon API to query domain controllers for user session data.

These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.

FortiOS 7.4.1 Administration Guide: FSSO Configuration

asked 18/09/2024
Alexander Ang

Question 42

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)

If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.
If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP
If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
Suggested answer: A, D
Explanation:

When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path (ECMP) is configured using the load-balance-mode parameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured under config system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements.

FortiOS 7.4.1 Administration Guide: ECMP Configuration

asked 18/09/2024
Claudia Arrais

Question 43

What are two features of collector agent advanced mode? (Choose two.)

In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
Advanced mode supports nested or inherited groups.
In advanced mode, security profiles can be applied only to user groups, not individual users.
Advanced mode uses the Windows convention - NetBios: Domain\Username.
Suggested answer: A, D
Explanation:

Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

asked 18/09/2024
Kamil Stonjek

Question 44

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

It uses UDP 8888.
It uses DNS over HTTPS.
It uses DNS over TLS.
It uses UDP 53.
Suggested answer: C
asked 18/09/2024
Nathalie Agustin

Question 45

Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.

[Exhibit image not available]

Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

The intrusion prevention security profile must be enabled when using flow-based inspection mode.
The option to send files to FortiSandbox for inspection is enabled.
The firewall policy performs a full content inspection on the file.
Flow-based inspection is used, which resets the last packet to the user.
Suggested answer: D
asked 18/09/2024
M S

Question 46

Refer to the exhibits.

[Exhibit images not available]

FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit.

What would be the expected outcome in the HA cluster?

FGT-1 will remain the primary because FGT-2 has lower priority.
FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.
FGT-1 will synchronize the override disable setting with FGT-2.
The HA cluster will become out of sync because the override setting must match on all HA members.
Suggested answer: B
asked 18/09/2024
k Solaimalai Raghu Raman

Question 47

Refer to the exhibits.

[Exhibit images not available]

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.

The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.

Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

Enable match-vip in the Deny policy.
Set the Destination address as Webserver in the Deny policy.
Disable match-vip in the Deny policy.
Set the Destination address as Deny_IP in the Allow_access policy.
Suggested answer: A, B
asked 18/09/2024
john lopez

Question 48

What are three key routing principles in SD-WAN? (Choose three.)

By default, SD-WAN members are skipped if they do not have a valid route to the destination
By default, SD-WAN rules are skipped if only one route to the destination is available
By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member
SD-WAN rules have precedence over any other type of routes
Regular policy routes have precedence over SD-WAN rules

Suggested answer: A, C, D
Explanation:

By default, SD-WAN members are skipped if they do not have a valid route to the destination

SD-WAN ensures that only members with valid routes to the destination are considered during routing decisions.

By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member

If the best route is not an SD-WAN member, SD-WAN rules are bypassed and standard routing takes over.

SD-WAN rules have precedence over any other type of routes

SD-WAN rules are evaluated first, meaning they take precedence over other routing mechanisms, such as static routes or policy-based routes.

asked 12/11/2024
Chan Sai Yu

Question 49

Refer to the exhibits, which show a diagram of a FortiGate device connected to the network, VIP object configuration, and the firewall policy configuration.

[Exhibit images not available]

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 8080 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?

10.0.1.254, 10.200.1.10, and 8080, respectively
10.0.1.254, 10.0.1.10, and 80, respectively
10.200.3.1, 10.0.1.10, and 80, respectively
10.200.3.1, 10.0.1.10, and 8080, respectively

Suggested answer: C
Explanation:

The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy).

The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10.

The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.

asked 12/11/2024
Camrin Schroyer

Question 50

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

The issuer must be a public CA
The CA extension must be set to TRUE
The Authority Key Identifier must be of type SSL
The keyUsage extension must be set to

Suggested answer: B, C
Explanation:

The CA extension must be set to TRUE

This indicates that the certificate can be used to issue other certificates, a requirement for it to function as a CA.

The keyUsage extension must be set to keyCertSign

This specifies that the certificate can be used to sign other certificates, which is essential for a CA certificate.

asked 12/11/2024
Cesar Castillo
Total 88 questions