
Fortinet FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Exam Practice Test

Page: 1 / 9
Total 86 questions

FCP - FortiGate 7.4 Administrator Questions and Answers

Question 1

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.

What is true about the DNS connection to a FortiGuard server?

Options:

A. It uses UDP 8888.

B. It uses DNS over HTTPS.

C. It uses DNS over TLS.

D. It uses UDP 53.

Question 2

Which three statements explain a flow-based antivirus profile? (Choose three.)

Options:

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection

B. Flow-based inspection optimizes performance compared to proxy-based inspection

C. FortiGate buffers the whole file but transmits to the client at the same time.

D. If a virus is detected, the last packet is delivered to the client.

E. The IPS engine handles the process as a standalone.

Question 3

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy.

When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.

The administrator confirms that the traffic matches the configured firewall policy.

What are two reasons for the failed virus detection by FortiGate? (Choose two.)

Options:

A. The selected SSL inspection profile has certificate inspection enabled

B. The browser does not trust the FortiGate self-signed CA certificate

C. The EICAR test file exceeds the protocol options oversize limit

D. The website is exempted from SSL inspection

Question 4

An administrator configured a FortiGate to act as a collector for agentless polling mode.

What must the administrator add to the FortiGate device to retrieve AD user group information?

Options:

A. LDAP server

B. RADIUS server

C. DHCP server

D. Windows server

Question 5

An administrator has configured the following settings:

[Exhibit image not included]

What are the two results of this configuration? (Choose two.)

Options:

A. Denied users are blocked for 30 minutes.

B. A session for denied traffic is created.

C. The number of logs generated by denied traffic is reduced.

D. Device detection on all interfaces is enforced for 30 minutes.

Question 6

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)

Options:

A. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.

B. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.

C. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP

D. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.

Question 7

Refer to the exhibits.

[Exhibit images not included]

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

Options:

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration.

B. Apple FaceTime will be allowed, based on the Apple filter configuration.

C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

Question 8

Refer to the exhibit showing a FortiGuard connection debug output.

[Exhibit image not included]

Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)

Options:

A. One server was contacted to retrieve the contract information.

B. There is at least one server that lost packets consecutively.

C. A local FortiManager is one of the servers FortiGate communicates with.

D. FortiGate is using default FortiGuard communication settings.

Question 9

Which statement is a characteristic of automation stitches?

Options:

A. They can be run only on devices in the Security Fabric.

B. They can be created only on downstream devices in the fabric.

C. They can have one or more triggers.

D. They can run multiple actions at the same time.

Question 10

Refer to the exhibit.

[Exhibit image not included]

Why did FortiGate drop the packet?

Options:

A. It matched an explicitly configured firewall policy with the action DENY

B. It failed the RPF check.

C. The next-hop IP address is unreachable.

D. It matched the default implicit firewall policy

Question 11

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

Options:

A. The issuer must be a public CA

B. The CA extension must be set to TRUE

C. The Authority Key Identifier must be of type SSL

D. The keyUsage extension must be set to

Question 12

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is outbound traffic but no response from the peer.

Which DPD mode on FortiGate meets this requirement?

Options:

A. On Demand

B. On Idle

C. Disabled

D. Enabled

Question 13

Refer to the exhibits.

[Exhibit images not included]

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

Options:

A. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

B. Change the csf setting on both devices to set downstream-access enable.

C. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

D. Change the csf setting on ISFW (downstream) to set configuration-sync local.

Question 14

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors.

What is the reason for the certificate warning errors?

Options:

A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.

B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

C. The browser does not recognize the certificate in use as signed by a trusted CA.

D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.

Question 15

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

Options:

A. execute ping

B. execute traceroute

C. diagnose sys top

D. get system arp

E. diagnose sniffer packet any

Question 16

Refer to the exhibit.

[Exhibit image not included]

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

Options:

A. Configure a loopback interface with address 203.0.113.2/32.

B. In the VIP configuration, enable arp-reply.

C. In the firewall policy configuration, enable match-vip.

D. Enable port forwarding on the server to map the external service port to the internal service port.

Question 17

Refer to the exhibit, which shows the IPS sensor configuration.

[Exhibit image not included]

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

Options:

A. The sensor will gather a packet log for all matched traffic.

B. The sensor will reset all connections that match these signatures.

C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.

D. The sensor will block all attacks aimed at Windows servers.

Question 18

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.

Which order must FortiGate use when the web filter profile has features such as safe search enabled?

Options:

A. FortiGuard category filter and rating filter

B. Static domain filter, SSL inspection filter, and external connectors filters

C. DNS-based web filter and proxy-based web filter

D. Static URL filter, FortiGuard category filter, and advanced filters

Question 19

Refer to the exhibits.

[Exhibit images not included]

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.

The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.

Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

Options:

A. Enable match-vip in the Deny policy.

B. Set the Destination address as Webserver in the Deny policy.

C. Disable match-vip in the Deny policy.

D. Set the Destination address as Deny_IP in the Allow_access policy.

Question 20

Refer to the exhibit to view the firewall policy.

[Exhibit image not included]

Why would the firewall policy not block a well-known virus, for example eicar?

Options:

A. The action on the firewall policy is not set to deny.

B. The firewall policy is not configured in proxy-based inspection mode.

C. Web filter is not enabled on the firewall policy to complement the antivirus profile.

D. The firewall policy does not apply deep content inspection.

Question 21

Refer to the exhibit showing a debug flow output.

[Exhibit image not included]

What two conclusions can you make from the debug flow output? (Choose two.)

Options:

A. The debug flow is for ICMP traffic.

B. A firewall policy allowed the connection.

C. A new traffic session was created.

D. The default route is required to receive a reply.

Question 22

Refer to the exhibit.

[Exhibit image not included]

FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.

What is the most likely reason for this situation?

Options:

A. The Service DNS is required in the firewall policy.

B. The user is using an incorrect user name.

C. The Remote-users group is not added to the Destination.

D. No matching user account exists for this user.

Question 23

A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad.

Which IPsec Wizard template must the administrator apply?

Options:

A. Remote Access

B. Site to Site

C. Dial up User

D. Hub-and-Spoke

Question 24

Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)

Options:

A. Manual with load balancing

B. Lowest Cost (SLA) with load balancing

C. Best Quality with load balancing

D. Lowest Quality (SLA) with load balancing

E. Lowest Cost (SLA) without load balancing

Question 25

An administrator has configured a strict RPF check on FortiGate.

How does strict RPF check work?

Options:

A. Strict RPF checks the best route back to the source using the incoming interface.

B. Strict RPF allows packets back to sources with all active routes.

C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

D. Strict RPF check is run on the first sent and reply packet of any new session.
