[Oct 22, 2024] Get Latest and 100% Accurate FCP_FGT_AD-7.4 Exam Questions
NEW QUESTION # 20
Examine the exhibit, which shows a firewall policy configured with multiple security profiles.
Which two security profiles are handled by the IPS engine? (Choose two.)
- A. Application Control
- B. Web Filter
- C. IPS
- D. AntiVirus
Answer: A,C
Explanation:
When FortiGate is set to proxy inspection mode, the IPS engine handles the Application Control and IPS security profiles. In this mode, FortiGate acts as an intermediary between the client and the server, intercepting and inspecting traffic to enforce security policies, while the IPS engine analyzes network traffic and identifies malicious or suspicious activity based on predefined rules and signatures.
NEW QUESTION # 21
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
- A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
- B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
- C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
- D. Enable Dead Peer Detection
Answer: C,D
Explanation:
To configure redundant IPsec VPN tunnels on FortiGate with failover capability, the following two key configuration changes are required:
* D. Enable Dead Peer Detection (DPD): Dead Peer Detection is crucial for detecting whether the remote peer is unreachable. With DPD enabled, FortiGate can quickly detect a dead tunnel and fail over to the secondary tunnel when the primary tunnel goes down.
* C. Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel: the static route with the lower distance (higher preference) is installed and used while both tunnels are up. If the primary tunnel fails, the higher-distance (lower preference) route for the secondary tunnel takes over, so traffic continues to be routed correctly.
The other options are not suitable:
* B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels: this is not directly related to failover between two IPsec VPN tunnels.
* A. Configure a higher distance on the static route for the primary tunnel and a lower distance on the static route for the secondary tunnel: this would prioritize the secondary tunnel over the primary tunnel, the opposite of the desired configuration.
References
* FortiOS 7.4.1 Administration Guide - Configuring IPsec VPN, page 1320.
* FortiOS 7.4.1 Administration Guide - Redundant VPN Configuration, page 1335.
NEW QUESTION # 22
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.
Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?
- A. Enable port forwarding on the server to map the external service port to the internal service port.
- B. In the VIP configuration, enable arp-reply.
- C. Configure a loopback interface with address 203.0.113.2/32.
- D. In the firewall policy configuration, enable match-vip.
Answer: B
Explanation:
In the ISP router's routing table, the route is shown as C (connected). This means the ISP router ARPs for the destination directly and, if no ARP entry can be resolved, drops the traffic, which is why no packets appear in the FortiGate sniffer.
The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing set up properly. You can also enable ARP reply on the VIP (enabled by default, disabled here) so that FortiGate answers ARP requests for the VIP address and the upstream device can forward to it.
Enabling ARP reply is usually not required in most networks, because the routing tables on the adjacent devices contain the correct next-hop information and the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue.
For this reason, it is a best practice to keep ARP reply enabled.
NEW QUESTION # 23
Refer to the exhibit.
Which route will be selected when trying to reach 10.20.30.254?
- A. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
- B. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
- C. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
- D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
Answer: C
Explanation:
The correct route to reach 10.20.30.254 is:
C. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
Route lookup selects the longest prefix that actually contains the destination. 10.20.30.0/26 only covers 10.20.30.0 to 10.20.30.63, so it does not match 10.20.30.254, and 10.30.20.0/24 is a different network altogether. Of the remaining candidates, the /24 is more specific than the default route 0.0.0.0/0 and is therefore selected as the best match.
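The two routing rules used in the explanations for Question 21 (administrative distance deciding which of two static routes to the same destination is installed, so the primary tunnel wins while it is up) and Question 23 (longest-prefix match among installed routes) can be checked with a small model. The following is an added example written for this page, not FortiGate code or output; it reuses the four routes shown in Question 23 and constructs a two-tunnel table for Question 21, in which the tunnel names `primary_tun` and `secondary_tun` and the remote subnet 192.168.10.0/24 are assumptions. The `[distance/metric] ... [priority/weight]` layout of the `get router info routing-table all` output is imitated in `__str__`.

```python
"""Added example (not from the exam dump): FortiGate-style route selection.

Models the two rules the explanations above rely on:
  * longest-prefix match between installed routes (Question 23), and
  * administrative distance deciding which of two static routes to the same
    destination is installed, so the primary IPsec tunnel wins while it is up
    and the secondary takes over once the primary is marked dead (Question 21).
The tunnel names and the 192.168.10.0/24 remote subnet are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network, ip_address
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: str
    interface: str
    distance: int = 10   # FortiOS default distance for static routes
    priority: int = 1    # lower value preferred among equal-distance routes
    up: bool = True      # interface/tunnel state (DPD takes a dead tunnel down)

    def __str__(self) -> str:
        return (f"{self.prefix} [{self.distance}/0] via {self.gateway}, "
                f"{self.interface}, [{self.priority}/0]")


def installed_routes(routes: Iterable[Route]) -> list[Route]:
    """Keep, per prefix, only the usable route(s) with the lowest distance.
    This is what the routing table shows; higher-distance routes to the same
    prefix stay in the routing database as backups and are not used."""
    best: dict[IPv4Network, list[Route]] = {}
    for r in routes:
        if not r.up:
            continue
        current = best.get(r.prefix)
        if current is None or r.distance < current[0].distance:
            best[r.prefix] = [r]
        elif r.distance == current[0].distance:
            current.append(r)
    return [r for group in best.values() for r in group]


def select_route(routes: Iterable[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over installed routes; ties broken by priority."""
    dst = ip_address(destination)
    candidates = [r for r in installed_routes(routes) if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.priority))


# Routing table from Question 23 (the four options as shown on the page).
Q23_TABLE = [
    Route(ip_network("10.30.20.0/24"), "172.20.121.2", "port1"),
    Route(ip_network("10.20.30.0/26"), "172.20.168.254", "port2"),
    Route(ip_network("10.20.30.0/24"), "172.20.167.254", "port3"),
    Route(ip_network("0.0.0.0/0"), "172.20.121.2", "port1"),
]


def vpn_table(primary_up: bool) -> list[Route]:
    """Constructed redundant-VPN table for Question 21: the same remote subnet
    reachable over two tunnels, the primary with the lower distance."""
    return [
        Route(ip_network("192.168.10.0/24"), "0.0.0.0", "primary_tun",
              distance=10, up=primary_up),
        Route(ip_network("192.168.10.0/24"), "0.0.0.0", "secondary_tun",
              distance=20),
    ]


if __name__ == "__main__":
    print("10.20.30.254 ->", select_route(Q23_TABLE, "10.20.30.254"))  # port3 (/24)
    print("10.20.30.10  ->", select_route(Q23_TABLE, "10.20.30.10"))   # port2 (/26)
    print("8.8.8.8      ->", select_route(Q23_TABLE, "8.8.8.8"))       # default route
    print("both tunnels up ->", select_route(vpn_table(True), "192.168.10.5").interface)
    print("primary down    ->", select_route(vpn_table(False), "192.168.10.5").interface)
```

Note that 10.20.30.10 does fall inside 10.20.30.0/26 and is sent out port2, which is the case the /26 route exists for; 10.20.30.254 is outside that block and falls through to the /24 via port3. In the VPN table the secondary route never appears in `installed_routes` while the primary is up, which is exactly why the lower distance must be on the primary tunnel.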
NEW QUESTION # 24
An employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?
- A. SSL VPN idle-timeout
- B. SSL VPN login-timeout
- C. SSL VPN dtls-hello-timeout
- D. SSL VPN session-ttl
Answer: C
Explanation:
For a high-latency internet connection, the SSL VPN setting that should be adjusted is:
* C. SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.
The other options are not suitable:
* A. SSL VPN idle-timeout: This setting controls the idle time allowed before a session is terminated, which is not relevant to the initial connection establishment.
* B. SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.
* D. SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session but does not directly address issues caused by high latency.
References
* FortiOS 7.4.1 Administration Guide - SSL VPN Configuration, page 1415.
NEW QUESTION # 25
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in CPU usage?
- A. The IPS engine will continue to run in a normal state.
- B. The IPS engine was unable to prevent an intrusion attack.
- C. The IPS engine was inspecting high volume of traffic.
- D. The IPS engine was blocking all traffic.
Answer: C
Explanation:
If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode.
In this mode, the IPS engine is still running, but it is not inspecting traffic.
If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.
If the CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine, which you must report to Fortinet Support.
NEW QUESTION # 26
Examine this FortiGate configuration:
Examine the output of the following debug command:
Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?
- A. It is allowed and inspected, as long as the only inspection required is antivirus.
- B. It is dropped.
- C. It is allowed and inspected as long as the inspection is flow based
- D. It is allowed, but with no inspection
Answer: B
Explanation:
B, because memory usage exceeded the extreme memory threshold.
"However, if the memory usage exceeds the extreme threshold, new sessions are ALWAYS DROPPED, regardless of the FortiGate configuration." If memory usage keeps increasing, it might exceed the extreme threshold. While memory usage is above this highest threshold, all new sessions are dropped.
Note: "Extreme threshold is when the memory usage goes above 95%, and all NEW sessions are dropped."
NEW QUESTION # 27
Which timeout setting can be responsible for deleting SSL VPN associated sessions?
- A. SSL VPN dtls-hello-timeout
- B. SSL VPN idle-timeout
- C. SSL VPN login-timeout
- D. SSL VPN http-request-body-timeout
Answer: B
Explanation:
SSL VPN idle-timeout
The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session is terminated and the associated resources (such as VPN tunnels and virtual interfaces) are deleted.
Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI.
NEW QUESTION # 28
Which security fabric feature causes an event trigger to monitor the network when a threat is detected?
- A. Automation stitches
- B. Optimization
- C. Security rating
- D. Fabric connectors
Answer: A
Explanation:
Automation stitches
In the context of the Fortinet Security Fabric, automation stitches are responsible for orchestrating responses to security events. When a threat is detected, automation stitches can trigger events to monitor the network, coordinate responses, and ensure a synchronized defense across the entire Security Fabric. Therefore, option A is the correct answer.
Each automation stitch pairs an event trigger with one or more actions, which lets you monitor your network and take appropriate action when the Security Fabric detects a threat.
NEW QUESTION # 29
Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
- A. Trusted authentication
- B. FortiTelemetry
- C. SSH
- D. HTTPS
- E. Trusted host
Answer: C,D,E
Explanation:
To provide secure and restrictive administrative access to FortiGate, the following three settings and protocols can be used:
C. SSH (Secure Shell)
SSH is a secure protocol that allows secure remote access to the FortiGate command-line interface (CLI).
D. HTTPS (Hypertext Transfer Protocol Secure)
HTTPS is a secure protocol that enables secure access to the FortiGate web-based graphical user interface (GUI).
E. Trusted host
Configuring trusted hosts restricts administrative access to specified IP addresses, providing an additional layer of security.
So, the correct choices are C, D, and E.
NEW QUESTION # 30
An administrator has a requirement to keep an application session from timing out on port 80.
What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two.)
- A. Create a new service object for HTTP service and set the session TTL to never
- B. Set the TTL value to never under config system-ttl
- C. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
- D. Set the session TTL on the HTTP policy to maximum
Answer: A,C
Explanation:
The correct answers are:
A: Create a new service object for HTTP service and set the session TTL to never.
C: Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
A: Creating a new service object for HTTP service and setting its session TTL to never ensures that the application session on port 80 does not time out.
C: By creating a new firewall policy with the new HTTP service and placing it above the existing HTTP policy, the administrator ensures that this policy takes precedence and keeps the application session from timing out on port 80.
The key phrase is "without affecting any existing services".
So, define a new service on TCP 80 with the session TTL set to never expire, create a new firewall policy that uses it, and place that policy above the existing HTTP policy.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Session-timeout-settings/ta-p/191228
NEW QUESTION # 31
Which three actions are valid for static URL filtering? (Choose three.)
- A. Block
- B. Allow
- C. Shape
- D. Warning
- E. Exempt
Answer: A,B,E
Explanation:
The correct actions for static URL filtering in FortiGate are:
A. Block: This action blocks access to the specified URL or category.
B. Allow: This action allows access to the specified URL or category.
E. Exempt: This action exempts the specified URL or category from filtering.
So, the correct choices are A, B, and E.
NEW QUESTION # 32
Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
- A. Only the "any" interface can be chosen as an incoming interface.
- B. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
- C. Multiple interfaces can be selected as incoming and outgoing interfaces.
- D. A zone can be chosen as the outgoing interface.
Answer: C,D
Explanation:
C. Multiple interfaces can be selected as incoming and outgoing interfaces.
This statement is correct. You can specify multiple interfaces as both incoming and outgoing interfaces in a firewall policy.
D. A zone can be chosen as the outgoing interface.
This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing interface in a firewall policy, providing a convenient way to apply policies to multiple physical or logical interfaces grouped under the same zone.
So, the correct choices are C and D.
NEW QUESTION # 33
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
- A. Detection engine
- B. Antivirus engine
- C. Intrusion prevention system engine
- D. Flow engine
Answer: C
Explanation:
C: Intrusion prevention system engine
The IPS engine is used by Application Control, AntiVirus, Web Filter and Email Filter.
Application control can be configured in proxy-based and flow-based firewall policies. However, because application control uses the IPS engine, which uses flow-based inspection, inspection is always flow-based.
It uses the IPS engine to analyze network traffic and detect application traffic, even if the application is using standard or non-standard protocols and ports.
NEW QUESTION # 34
Refer to the web filter raw logs.
Based on the raw logs shown in the exhibit, which statement is correct?
- A. Social networking web filter category is configured with the action set to authenticate.
- B. The action on firewall policy ID 1 is set to warning.
- C. The name of the firewall policy is all_users_web.
- D. Access to the social networking web filter category was explicitly blocked to all users.
Answer: A
Explanation:
A is correct. We have two logs, the first with the action deny and the second with passthrough.
B incorrect: a firewall policy action can only be allow or deny.
C incorrect: the CLI output does not show the policy name, only its ID.
D incorrect: the second log shows action="passthrough", so access was not explicitly blocked.
Remember that action="passthrough" means authentication has occurred. At the first attempt from a given source IP the connection is blocked, but a warning message is displayed. At the second attempt from the same source IP the connection passes through. Considering the first block and the second pass, the user must authenticate to be granted access.
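Reading the raw logs the way this explanation does (group events by source and web filter category, then look at the order of actions) is easy to automate. The following is an added example written for this page, not FortiGate code or a real log export. The two log lines are constructed in FortiGate's key=value raw-log style with a subset of the real fields; the timestamps, IP addresses, hostnames and the action value "blocked" are assumptions, and the policy ID 1 is taken from the question text.

```python
"""Added example (not part of the exam dump): parse FortiGate web filter raw
logs and reconstruct, per source IP and category, the action sequence that the
explanation above reasons about (a block followed by a passthrough from the
same source). The log lines are constructed for this example."""
import re
from collections import defaultdict

# Constructed sample: two webfilter events for the same source and category.
RAW_LOGS = '''\
date=2024-10-22 time=09:15:01 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=10.0.1.25 dstip=198.51.100.10 policyid=1 action="blocked" catdesc="Social Networking" hostname="social.example" msg="URL belongs to a category with warnings enabled"
date=2024-10-22 time=09:15:09 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" srcip=10.0.1.25 dstip=198.51.100.10 policyid=1 action="passthrough" catdesc="Social Networking" hostname="social.example" msg="URL belongs to a category with warnings enabled"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Action values treated as a block; "deny" is the wording used in the exam text.
BLOCK_ACTIONS = {"blocked", "deny"}


def parse_line(line: str) -> dict:
    """Turn one raw log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_logs(raw: str) -> list[dict]:
    """Parse every non-empty line of a raw log export."""
    return [parse_line(line) for line in raw.splitlines() if line.strip()]


def action_sequences(events: list[dict]) -> dict:
    """Group webfilter events by (srcip, catdesc) and list actions in log order."""
    seq = defaultdict(list)
    for e in events:
        if e.get("subtype") != "webfilter":
            continue
        seq[(e.get("srcip"), e.get("catdesc"))].append(e.get("action"))
    return dict(seq)


def block_then_passthrough(events: list[dict]) -> list[tuple]:
    """Return the (srcip, catdesc) pairs where a block-class action was later
    followed by passthrough: the pattern the explanation reads as the user
    acknowledging a warning or authenticating, rather than an outright block."""
    hits = []
    for key, actions in action_sequences(events).items():
        for earlier, later in zip(actions, actions[1:]):
            if earlier in BLOCK_ACTIONS and later == "passthrough":
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    evts = parse_logs(RAW_LOGS)
    for e in evts:
        print(e["time"], e["srcip"], "policyid=" + e["policyid"], e["action"], e["catdesc"])
    print(block_then_passthrough(evts))  # [('10.0.1.25', 'Social Networking')]
```

The parser deliberately keeps values as strings (policyid stays "1"), since FortiGate logs mix bare and quoted values and a field's type is a matter of the consuming tool's schema, not of the log format.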
NEW QUESTION # 35
Refer to the exhibit.
An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)
- A. Packet payload
- B. IP header
- C. Application header
- D. Ethernet header
- E. Interface name
Answer: A,B,E
Explanation:
The packet capture verbosity level is set to 5 in the exhibit. If it were level 6, the output would also include Ethernet headers. Application headers are never included.
The correct items are:
Packet payload
IP header
Interface name
In short, a sniffer at verbosity level 5 shows the IP header, the IP payload and the port (interface) name.
NEW QUESTION # 36