Newest Fortinet FCP_FGT_AD-7.4 Dumps (V9.02) – Pass the FCP – FortiGate 7.4 Administrator Exam with the Best Scores

1. Refer to the exhibit.

Which route will be selected when trying to reach 10.20.30.254?

A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]

B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]

C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]

D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]

2. Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

A. Port block allocation

B. Fixed port range

C. One-to-one

D. Overload

3. What is eXtended Authentication (XAuth)?

4. What must you configure to enable proxy-based TCP session failover?

5. An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.

How can this be achieved?

6. Which NAT method translates the source IP address in a packet to another IP address?

7. What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?

8. Refer to the exhibit.

Which statement about the configuration settings is true?

9. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A. It limits the scanning of application traffic to the browser-based technology category only.

B. It limits the scanning of application traffic to the DNS protocol only.

C. It limits the scanning of application traffic to use parent signatures only.

D. It limits the scanning of application traffic to the application category only.

10. Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

11. FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

12. An administrator has configured a strict RPF check on FortiGate.

How does strict RPF check work?

13. An administrator has configured the following settings:

config system settings

set ses-denied-traffic enable

end

config system global

set block-session-timer 30

end

What are the two results of this configuration? (Choose two.)

14. Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

15. Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

16. Refer to the exhibits.

Exhibit A shows system performance output.

Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

17. Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

18. An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

A. 192.168.2.0/24

B. 192.168.0.0/8

C. 192.168.1.0/24

D. 192.168.3.0/24

19. Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

20. Which statement correctly describes the use of reliable logging on FortiGate?

21. Refer to the exhibits.

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

22. Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

23. Which two statements are true about the FGCP protocol? (Choose two.)

A. FGCP elects the primary FortiGate device.

B. FGCP is not used when FortiGate is in transparent mode.

C. FGCP runs only over the heartbeat links.

D. FGCP is used to discover FortiGate devices in different HA groups.

24. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

25. What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A. FortiGate uses fewer resources.

B. FortiGate performs a more exhaustive inspection on traffic.

C. FortiGate adds less latency to traffic.

D. FortiGate allocates two sessions per connection.

26. FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A. www.example.com

B. www.example.com/index.html

C. www.example.com:443

D. example.com

27. Refer to exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

28. Which three statements explain a flow-based antivirus profile? (Choose three.)

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B. If a virus is detected, the last packet is delivered to the client.

C. The IPS engine handles the process as a standalone.

D. FortiGate buffers the whole file but transmits to the client at the same time.

E. Flow-based inspection optimizes performance compared to proxy-based inspection.

29. Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A. Services defined in the firewall policy

B. Highest to lowest priority defined in the firewall policy

C. Destination defined as Internet Services in the firewall policy

D. Lowest to highest policy ID number

E. Source defined as Internet Services in the firewall policy

30. What are two functions of ZTNA? (Choose two.)

A. ZTNA manages access through the client only.

B. ZTNA manages access for remote users only.

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

31. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

32. Which timeout setting can be responsible for deleting SSL VPN associated sessions?

33. Which statement is correct regarding the use of application control for inspecting web applications?

34. A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.

The administrator confirms that the traffic matches the configured firewall policy.

What are two reasons for the failed virus detection by FortiGate? (Choose two.)

A. The website is exempted from SSL inspection.

B. The EICAR test file exceeds the protocol options oversize limit.

C. The selected SSL inspection profile has certificate inspection enabled.

D. The browser does not trust the FortiGate self-signed CA certificate.

35. Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.

Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B. The traffic sourced from the client and destined to the server is sent to FGT-1.

C. The cluster can load balance ICMP connections to the secondary.

D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them

to the secondary.

36. Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

37. Which two configuration settings are global settings? (Choose two.)

38. Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled?

39. Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)

40. Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)

A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.

B. Main mode cannot be used for dialup VPNs, while aggressive mode can.

C. Aggressive mode supports XAuth, while main mode does not.

D. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.

41. What does the command diagnose debug fsso-polling refresh-user do?

42. View the exhibit.

Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.

Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.)

43. An administrator configured the antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only.

What is causing this issue?

44. An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.

Which two items must they configure on their FortiGate to accomplish this? (Choose two.)

45. Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)

A. SSH

B. FortiTelemetry

C. Trusted host

D. HTTPS

E. Trusted authentication

46. Which statement about firewall policy NAT is true?

47. Which statement about traffic flow in an active-active HA cluster is true?

A. The SYN packet from the client always arrives at the primary device first.

B. The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client.

C. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.

D. The ACK from the client is received on the physical MAC address of the primary device.

48. Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)

49. View the exhibit.

date=2022-06-14 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140 catdesc="custom1"

What two things does this raw log indicate? (Choose two.)

A. FortiGate allowed the traffic to pass.

B. 192.168.1.24 is the IP address for www.fortinet.com.

C. The traffic matches the webfilter profile on firewall policy ID 2.

D. The traffic originated from 66.171.121.44.

50. Refer to the exhibit.

FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.

What is the most likely reason for this situation?

51. An administrator has configured central DNAT and virtual IPs.

Which item can be selected in the firewall policy Destination field?

52. Which three actions are valid for static URL filtering? (Choose three.)

A. Block

B. Warning

C. Shape

D. Exempt

E. Allow

53. Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)

54. Which two statements about the application control profile mode are true? (Choose two.)

A. It uses flow-based scanning techniques, regardless of the inspection mode used.

B. It cannot be used in conjunction with IPS scanning.

C. It can be selected in either flow-based or proxy-based firewall policy.

D. It can scan only unsecure protocols.

55. Which are two benefits of using SD-WAN? (Choose two.)

56. Which two statements about advanced AD access mode for the FSSO collector, agent are true? (Choose two.)

A. FortiGate can act as an LDAP client to configure the group filters.

B. It uses the Windows convention for naming; that is, DomainUsername.

C. It supports monitoring of nested groups.

D. It is only supported if DC agents are deployed.

57. An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the VDOM named Corporation.

What interface must be used as the source for the firewall policy that will allow this traffic?

58. View the exhibit.

Which two behaviors result from this full (deep) SSL configuration? (Choose two.)

59. Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?

60. Which two IP pool types enable you to identify user connections without having to log user traffic? (Choose two.)

A. Fixed port range

B. Port block allocation

C. One-to-one

D. Overload

61. An administrator wants to block https://www.example.com/videos and allow all other URLs on the website.

What are two configuration changes that the administrator can make to satisfy the requirement? (Choose two.)

62. Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)

63. View the exhibit.

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.

Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF)

checks on this traffic? (Choose two.)

64. Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode, are true? (Choose two.)

65. Which two statements about FortiGate antivirus databases are true? (Choose two.)

66. Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

67. Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.

Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

68. Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

69. Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A. FortiSIEM

B. FortiCloud

C. FortiCache

D. FortiSandbox

E. FortiAnalyzer

70. Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

71. Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings.

Which statement is correct in adding the FTP .Login.Failed signature to the IPS sensor profile?

72. Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

73. Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

A. Local traffic logs

B. Forward traffic logs

C. System event logs

D. Security logs

74. Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A. Proxy-based inspection

B. Certificate inspection

C. Flow-based inspection

D. Full Content inspection

75. An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

76. Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.

B. The sensor will block all attacks aimed at Windows servers.

C. The sensor will reset all connections that match these signatures.

D. The sensor will gather a packet log for all matched traffic.

77. Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

A. The Detection Mode setting is not set to Passive.

B. Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

C. The configured participants are not SD-WAN members.

D. The Enable probe packets setting is not enabled.

78. Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

79. An administrator does not want to report the login events of service accounts to FortiGate.

What setting on the collector agent is required to achieve this?

80. Which statement about the policy ID number of a firewall policy is true?

A. It is required to modify a firewall policy using the CLI.

B. It represents the number of objects used in the firewall policy.

C. It changes when firewall policies are reordered.

D. It defines the order in which rules are processed.

81. How does FortiGate act when using SSL VPN in web mode?

82. Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

83. Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

B. The client FortiGate requires a manually added route to remote subnets.

C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

84. A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

85. An administrator is configuring an Ipsec between site A and site B. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.

How must the administrator configure the local quick mode selector for site B?

A. 192.16.3.0/24

B. 192.16.2.0/24

C. 192.16.1.0/24

D. 192.16.0.0/8

86. FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.

Which two other security profiles can you apply to the security policy? (Choose two.)

A. Antivirus scanning

B. File filter

C. DNS filter

D. Intrusion prevention

87. Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A. The subject field in the server certificate

B. The serial number in the server certificate

C. The server name indication (SNI) extension in the client hello message

D. The subject alternative name (SAN) field in the server certificate

E. The host field in the HTTP header

88. Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

89. To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

90. NGFW mode allows policy-based configuration for most inspection rules.

Which security profile's configuration does not change when you enable policy-based inspection?

91. Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

92. Which two statements are true about collector agent standard access mode? (Choose two.)

A. Standard mode uses Windows convention-NetBios: DomainUsername.

B. Standard mode security profiles apply to organizational units (OU).

C. Standard mode security profiles apply to user groups.

D. Standard access mode supports nested groups.

93. What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

94. Which two types of traffic are managed only by the management VDOM? (Choose two.)

95. Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

A. udp-echo

B. DNS

C. TWAMP

D. ping

96. Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

97. Which three methods are used by the collector agent for AD polling? (Choose three.)

A. WMI

B. Novell API

C. WinSecLog

D. NetAPI

E. FortiGate polling

98. If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?