
Fortinet FCP_FGT_AD-7.4 Practice Test - Questions Answers, Page 5

Which three methods are used by the collector agent for AD polling? (Choose three.)

A. WinSecLog
B. WMI
C. NetAPI
D. FSSO REST API
E. FortiGate polling

Suggested answer: C, D, E

Explanation:

The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:

WinSecLog: Monitors Windows Security Event Logs for login events.
WMI: Uses Windows Management Instrumentation to poll user login sessions.
NetAPI: Utilizes the Netlogon API to query domain controllers for user session data.

These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.

FortiOS 7.4.1 Administration Guide: FSSO Configuration

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)

A. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.
B. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
C. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.
D. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.

Suggested answer: A, D

Explanation:

When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path (ECMP) is configured using the load-balance-mode parameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured under config system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements.

FortiOS 7.4.1 Administration Guide: ECMP Configuration

What are two features of collector agent advanced mode? (Choose two.)

A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
B. Advanced mode supports nested or inherited groups.
C. In advanced mode, security profiles can be applied only to user groups, not individual users.
D. Advanced mode uses the Windows convention, NetBios: Domain\Username.

Suggested answer: A, D

Explanation:

Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

A. It uses UDP 8888.
B. It uses DNS over HTTPS.
C. It uses DNS over TLS.
D. It uses UDP 53.

Suggested answer: C

Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.

Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

A. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
B. The option to send files to FortiSandbox for inspection is enabled.
C. The firewall policy performs a full content inspection on the file.
D. Flow-based inspection is used, which resets the last packet to the user.

Suggested answer: D

Refer to the exhibits.

FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit.

What would be the expected outcome in the HA cluster?

A. FGT-1 will remain the primary because FGT-2 has lower priority.
B. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.
C. FGT-1 will synchronize the override disable setting with FGT-2.
D. The HA cluster will become out of sync because the override setting must match on all HA members.

Suggested answer: B

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.

The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.

Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

A. Enable match-vip in the Deny policy.
B. Set the Destination address as Webserver in the Deny policy.
C. Disable match-vip in the Deny policy.
D. Set the Destination address as Deny_IP in the Allow_access policy.

Suggested answer: A, B

What are three key routing principles in SD-WAN? (Choose three.)

A. By default, SD-WAN members are skipped if they do not have a valid route to the destination
B. By default, SD-WAN rules are skipped if only one route to the destination is available
C. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member
D. SD-WAN rules have precedence over any other type of routes
E. Regular policy routes have precedence over SD-WAN rules

Suggested answer: A, C, D

Explanation:

By default, SD-WAN members are skipped if they do not have a valid route to the destination

SD-WAN ensures that only members with valid routes to the destination are considered during routing decisions.

By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member

If the best route is not an SD-WAN member, SD-WAN rules are bypassed and standard routing takes over.

SD-WAN rules have precedence over any other type of routes

SD-WAN rules are evaluated first, meaning they take precedence over other routing mechanisms, such as static routes or policy-based routes.

Refer to the exhibits, which show a diagram of a FortiGate device connected to the network, the VIP object configuration, and the firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 8080 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?

A. 10.0.1.254, 10.200.1.10, and 8080, respectively
B. 10.0.1.254, 10.0.1.10, and 80, respectively
C. 10.200.3.1, 10.0.1.10, and 80, respectively
D. 10.200.3.1, 10.0.1.10, and 8080, respectively

Suggested answer: C

Explanation:

The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy).

The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10.

The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

A. The issuer must be a public CA
B. The CA extension must be set to TRUE
C. The Authority Key Identifier must be of type SSL
D. The keyUsage extension must be set to

Suggested answer: B, C

Explanation:

The CA extension must be set to TRUE

This indicates that the certificate can be used to issue other certificates, a requirement for it to function as a CA.

The keyUsage extension must be set to keyCertSign

This specifies that the certificate can be used to sign other certificates, which is essential for a CA certificate.

Total 86 questions