ExamGecko
Search Search Login
Home Home / Fortinet / FCP_FGT_AD-7.4
Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Refer to the exhibits. FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What would be the expected outcome in the HA cluster?
Which three methods are used by the collector agent for AD polling? (Choose three.)
Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver. Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)
Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
An administrator configured a FortiGate to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve AD user group information?
Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)
Refer to the exhibit, which shows a partial configuration from the remote authentication server. Why does the FortiGate administrator need this configuration?
A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad. Which IPsec Wizard template must the administrator apply?
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors. What is the reason for the certificate warning errors?

Question 38 - FCP_FGT_AD-7.4 discussion

Report
Export

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

A.
On HQ-FortiGate, disable Diffie-Helman group 2.
Answers
A.
On HQ-FortiGate, disable Diffie-Helman group 2.
B.
On Remote-FortiGate, set port2 as Interface.
Answers
B.
On Remote-FortiGate, set port2 as Interface.
C.
On both FortiGate devices, set Dead Peer Detection to On Demand.
Answers
C.
On both FortiGate devices, set Dead Peer Detection to On Demand.
D.
On HQ-FortiGate, set IKE mode to Main (ID protection).
Answers
D.
On HQ-FortiGate, set IKE mode to Main (ID protection).
Suggested answer: C, D

Explanation:

To bring Phase 1 up, the following changes can be made:A . On HQ-FortiGate, disable Diffie-Helman group 2: This is incorrect because Diffie-Hellmangroup 2 is already selected on both devices. Disabling it would not help.B . On Remote-FortiGate, set port2 as Interface: This is incorrect as both sides should beconsistent in their interface settings for the IPsec tunnel, and the interface is correctly set toport1 on both FortiGates in the IPsec configuration.C . On both FortiGate devices, set Dead Peer Detection to On Demand: This is a valid option.Setting Dead Peer Detection (DPD) to 'On Demand' helps maintain the IPsec connection bychecking if the peer is still available, which can help in some cases where the connection failsdue to timeouts.D . On HQ-FortiGate, set IKE mode to Main (ID protection): This is also a valid option becausethe Remote-FortiGate is already set to Main mode (ID protection). Ensuring that both ends usethe same mode is crucial for successful phase 1 negotiation.Thus, the correct answers are: C . On both FortiGate devices, set Dead Peer Detection to OnDemand. D . On HQ-FortiGate, set IKE mode to Main (ID protection).

Show Answer
asked 18/09/2024
Jesus Ignacio Morales Vivancos
42 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms