Fortinet FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Exam Practice Test

By default, DNS queries to FortiGuard servers use UDP port 53.

Flow-based inspection optimizes performance compared to proxy-based inspection.

Flow-based inspection scans traffic in real-time as it passes through, resulting in better performance compared to proxy-based inspection, which buffers traffic.

FortiGate buffers the whole file but transmits to the client at the same time.

In flow-based inspection, the file is scanned while it is being transmitted, improving speed and reducing latency.

The IPS engine handles the process as a standalone.

In flow-based antivirus inspection, the IPS engine is used to inspect traffic, making it more efficient and integrated within the broader security mechanisms.

The selected SSL inspection profile has certificate inspection enabled

If the SSL inspection profile is set to certificate inspection instead of full SSL inspection, FortiGate will only inspect the certificate of the HTTPS connection but will not decrypt and inspect the actual traffic content, leading to a failure in virus detection.

The website is exempted from SSL inspection

If the website hosting the EICAR test file is exempt from SSL inspection, FortiGate will not decrypt the traffic, meaning it cannot inspect the file content for viruses, resulting in the file being downloaded without detection.

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device​.

A session for denied traffic is created.

The command set ses-denied-traffic enable ensures that sessions for denied traffic are logged, meaning a session will be created for traffic that is denied by security policies.

The number of logs generated by denied traffic is reduced.

The set block-session-timer 30 command sets a timer to prevent excessive logging of denied traffic within a short period, which helps reduce the number of logs generated by repeated denied traffic sessions. This timer blocks sessions for a specified period (30 seconds in this case) to avoid overwhelming the log system with repetitive entries.

When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path (ECMP) is configured using the load-balance-mode parameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured under config system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements.

References:

FortiOS 7.4.1 Administration Guide: ECMP Configuration

Based on the application sensor configuration and the filter details:

D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration: The "Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature. As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the "Excessive-Bandwidth" filter takes precedence due to its block action setting.

The other options are not correct:

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it.

B. Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this.

C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.

References

FortiOS 7.4.1 Administration Guide - Application Control and Filtering, page 978.

FortiOS 7.4.1 Administration Guide - Application Sensor Configuration, page 982.

The debug output indicates that FortiGate connected to one server (173.243.141.16) to retrieve contract information as it shows four FortiGuard requests without any packet loss, which confirms the connection to the server. Additionally, the default FortiGuard communication settings are being used, as indicated by the use of the HTTPS protocol on port 443, which is the default setting for FortiGuard connections.

References:

FortiOS 7.4.1 Administration Guide: FortiGuard Connection Settings

Automation stitches on FortiGate can have one or more triggers, which are conditions or events that activate the automation stitch. The trigger defines when the automation stitch should execute the defined actions. Actions within a stitch can be executed sequentially or in parallel, depending on the configuration.

References:

FortiOS 7.4.1 Administration Guide: Automation Stitches

The debug trace output shows that the packet was "Denied by forward policy check (policy 0)." In FortiGate, policy ID 0 corresponds to the default implicit deny policy. This means that if a packet does not match any configured firewall policies, it is denied by the default implicit policy.

References:

FortiOS 7.4.1 Administration Guide: Firewall Policies​

The CA extension must be set to TRUE

This indicates that the certificate can be used to issue other certificates, a requirement for it to function as a CA.

The keyUsage extension must be set to keyCertSign

This specifies that the certificate can be used to sign other certificates, which is essential for a CA certificate.

The On Demand mode for Dead Peer Detection (DPD) on FortiGate sends DPD probes only when there is outbound traffic and no response from the peer. This mode is used to detect if the peer is still available without continuously sending DPD probes, reducing unnecessary traffic.

The current setting for the root FortiGate (Local-FortiGate) is fabric-object-unification local, which means that new address objects are not shared across the security fabric. Changing this setting to fabric-object-unification default will allow address objects to be synchronized and shared with downstream devices like the ISFW.

The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.

References:

FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration

execute ping

This command helps test network connectivity by sending ICMP echo requests to a specified IP address to check if the device is reachable.

execute traceroute

This command traces the route packets take to a destination, which is useful for identifying network hops and potential delays or routing issues.

get system arp

This command shows the ARP (Address Resolution Protocol) table, which is used to map IP addresses to MAC addresses. It's useful for verifying IP-to-MAC address resolution on the network.

In this scenario, the FortiGate device is using a Virtual IP (VIP) to map the public IP address (203.0.113.2) to the internal IP address of the web server (172.16.1.10). The fact that the administrator does not see any sniffer output for incoming traffic suggests that the FortiGate is not responding to ARP requests for the public IP address (203.0.113.2).

Enabling arp-reply in the VIP configuration allows the FortiGate to respond to ARP requests for the public IP, thereby allowing traffic to reach the FortiGate, which will then forward it to the web server based on the VIP mapping.

The IPS sensor configuration shows that:

The Microsoft.Windows.iSCSI.Target.DoS signature is set to "Monitor" with packet logging enabled, meaning that while traffic matching this signature will be allowed, it will also be logged for further analysis.

The generic Windows filter is set to "Block," meaning that all other attacks matching this filter will be blocked. However, the sensor will not reset connections or log packets unless specified.

Therefore, the sensor will allow attackers matching the specific DoS signature while blocking other attacks against Windows.

References:

FortiOS 7.4.1 Administration Guide: IPS Configuration

FortiGate applies web filters in the following order: Static URL filter, FortiGuard category filter, Web content filter, Web script filter, and Antivirus scanning​.

To deny access to the web server for Remote-User2 while allowing Remote-User1 to access the same web server, two configuration changes can be made:

Enable match-vip in the Deny policy:By enabling the match-vip option in the Deny policy, the FortiGate will check for virtual IP (VIP) objects during policy matching. This setting allows the firewall policy to correctly identify and block traffic directed to a specific mapped IP address, such as the web server, when using a VIP configuration.

Set the Destination address as Webserver in the Deny policy:Setting the Destination address to "Webserver" in the Deny policy ensures that the policy specifically targets traffic attempting to reach the web server. This configuration helps to precisely control which traffic should be blocked, focusing the Deny policy on the intended destination.

References:

FortiOS 7.4.1 Administration Guide: Deny matching with a policy with a virtual IP applied​

FortiOS 7.4.1 Administration Guide: Configuring Policies with VIPs

The firewall policy shown in the exhibit is configured in flow-based inspection mode. In flow-based inspection, certain security features, such as deep content inspection, might not be as effective as in proxy-based mode. Proxy-based inspection is necessary for thorough content inspection, which includes identifying and blocking well-known viruses like EICAR.

References:

FortiOS 7.4.1 Administration Guide: Inspection Modes

A- The debug flow is for ICMP traffic.

B. A firewall policy allowed the connection.

C. A new traffic session was created.

D. The default route is required to receive a reply.

The debug flow is for ICMP traffic.

The output shows "proto=1," which indicates that the protocol is ICMP (Internet Control Message Protocol).

A new traffic session was created.

The message "allocate a new session-00003dd5" confirms that a new session was created for this traffic.

Firewall authentication generally requires the DNS service to be enabled in the firewall policy to correctly resolve hostnames during the authentication process. If DNS is not allowed in the firewall policy, the FortiGate cannot resolve external domains, and as a result, the user may not be presented with the login prompt when attempting to access an external website.

References:

FortiOS 7.4.1 Administration Guide: Firewall Authentication Configuration

For configuring an IPsec VPN tunnel for a sales employee traveling abroad, the "Remote Access" template is the most appropriate choice. This template is designed to allow remote users to securely connect to the internal network of an organization from any location using FortiClient or a compatible client. The other options, such as "Site to Site," "Dial up User," and "iHub-and-Spoke," are used for connecting different networks or sites, not individual remote users.

References:

FortiOS 7.4.1 Administration Guide: IPsec Wizard Template Types

FortiGate's SD-WAN rule strategies for member selection include the following:

Manual with load balancing: This strategy allows an administrator to manually configure which SD-WAN member interfaces to use for specific traffic.

Lowest Cost (SLA) with load balancing: This strategy prioritizes the link with the lowest cost that meets the SLA requirements.

Best Quality with load balancing: This strategy selects the link with the best performance metrics, such as latency, jitter, or packet loss.

Options D and E are incorrect because "Lowest Quality" is not a valid strategy, and "Lowest Cost without load balancing" contradicts the requirement for load balancing in the strategy name.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Rule Strategies

Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.