Fortinet FCP_FGT_AD-7.4 Exam Notes
13 Questions

Questions and Answers

Refer to the exhibit. Which route will be selected when trying to reach 10.20.30.254?

  • 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
  • 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
  • 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0] (correct)
  • 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]

Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

  • Fixed port range (correct)
  • Overload
  • Port block allocation (correct)
  • One-to-one

What is eXtended Authentication (XAuth)?

  • It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
  • It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password). (correct)
  • It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
  • It is an IPsec extension that authenticates remote VPN peers using digital certificates.

What must you configure to enable proxy-based TCP session failover?

You must configure session-pickup-enable under configure system ha. (D)

An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN. How can this be achieved?

Disabling split tunneling (A)

Which NAT method translates the source IP address in a packet to another IP address?

SNAT (B)

What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?

Both control ECMP algorithms. (C)

Refer to the exhibit. Which statement about the configuration settings is true?

When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens. (C)

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

It limits the scanning of application traffic to the browser-based technology category only. (A)

Refer to the exhibits. Which policy will be highlighted, based on the input criteria?

Policy with ID 5. (C)

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, what are two requirements for the VLAN ID? (Choose two.)

  • The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs. (B)
  • The two VLAN subinterfaces must have different VLAN IDs. (D)

An administrator has configured a strict RPF check on FortiGate. How does strict RPF check work?

Strict RPF checks the best route back to the source using the incoming interface. (B)

An administrator has configured the following settings:

    config system settings
        set ses-denied-traffic enable
    end
    config system global
        set block-session-timer 30
    end

What are the two results of this configuration? (Choose two.)

  • A session for denied traffic is created. (C)
  • The number of logs generated by denied traffic is reduced. (D)

Flashcards

What is Carrier-Grade NAT (CGNAT)?

A specific type of NAT used in large-scale networks like carrier networks. It allows multiple users to share a smaller number of public IP addresses.

What is Strict Reverse Path Forwarding (RPF)?

A security feature that checks the source IP address of incoming traffic and verifies that the best route back to the source uses the same interface as the incoming packet.

What is the 'ses-denied-traffic' configuration?

A configuration setting in FortiGate that creates a session for traffic that is denied by the firewall policy, allowing administrators to log and monitor these sessions even though they are blocked. It is not enabled by default.

What is SSL VPN?

A method of connecting to a network over the internet using a secure connection. SSL VPN is often used by remote users who need to access internal resources.

What is the 'downstream-access' setting in the FortiGate Security Fabric?

A configuration option in FortiGate's Security Fabric that allows downstream FortiGate devices to access the fabric objects and configuration from the root FortiGate.

When does FortiGate enter Conserve Mode?

A mode on FortiGate devices where the system reduces resource usage to maintain stability. It may disable non-essential services or reduce the system load to prevent crashes.

What is Flow-based Inspection?

This is the method used by a firewall to inspect traffic based on metadata without actively buffering or reprocessing the complete content. Flow-based inspection is generally more performance-efficient.

What is Source Network Address Translation (SNAT)?

A method of NAT where the source IP address of outgoing traffic is translated to another IP address, usually a public IP address within the NATted network. This is useful for allowing multiple devices on a private network to share a single public IP address.

What is Policy Lookup in FortiGate?

A feature in FortiGate that allows administrators to identify which firewall policies match specific criteria by entering details like source, destination, service, or time.

What is the FortiGate Cluster Protocol (FGCP)?

A protocol used in a FortiGate High Availability (HA) cluster to elect the primary device, synchronize configuration and status, and manage operations.

What is Proxy-Based Inspection?

This is a method of inspecting traffic by proxying connections through the firewall, examining and processing the entire content of each connection. Proxy-based inspection is often more thorough but resource-intensive.

How does an IP Pool work in FortiGate?

This feature in FortiGate allows administrators to specify a range of IP addresses that the device will use for SNAT when traffic from a private network is sent to the internet.

What is FortiGate Security Fabric?

FortiGate Security Fabric is a technology that connects multiple FortiGate devices into a hierarchical network. It allows for centralized management and control of security policies and objects. The root device is the primary management point.

What is the purpose of the 'arp-reply' setting in the VIP configuration?

FortiGate can be configured to respond to Address Resolution Protocol (ARP) requests for the Virtual IP address. This helps ensure that external networks can communicate with the FortiGate's VIP.

What is Dead Peer Detection (DPD)?

A feature in FortiGate that enables the device to detect when a VPN tunnel is no longer working correctly (a dead tunnel). It allows for faster failover by making the device aware of the failed tunnel sooner.

How does application control handle parent and child applications?

This is a feature in FortiGate's application control that allows administrators to define different actions (allow, block, monitor) for parent and child applications. It provides fine-grained control over different components of a web application.

What is SSL VPN Idle Timeout?

This is a type of timeout setting in the SSL VPN configuration that controls how long a session can remain idle before being terminated. If a user connected over SSL VPN does not send any data for a defined time, the session will be closed.

What is Static URL Filtering?

This is a configuration setting that enables a firewall to inspect traffic based on the URL of a website rather than its broader category.

What is a Dialup User remote gateway?

This is a type of remote gateway configuration in FortiGate's IPsec VPN setup. It allows for dynamic IP addresses, with FortiGate managing the connections without requiring a fixed remote IP address.

What is Flow-based Antivirus?

This is a type of antivirus profile used by FortiGate that scans traffic without buffering the entire file. It generally performs better than proxy-based antivirus but may not be as thorough.

What is Zero Trust Network Access (ZTNA)?

This is a type of security model that assumes no user or device can be trusted by default. It focuses on verifying and controlling access based on identity, security posture, and context. It ensures that access to resources is strictly limited based on the user's needs.

What is Pre-shared Key (PSK) authentication?

This is a type of authentication used in IPsec VPN setups that involves using a pre-shared secret key that must be configured on both endpoints of the VPN tunnel. This key is used to verify the authenticity of both endpoints.

What is Certificate inspection in SSL inspection?

This is a type of configuration setting that can be used in an SSL inspection profile that enables FortiGate to examine the certificates presented by websites during the SSL handshake process.

What is Deep Inspection in SSL inspection?

This is a type of SSL inspection profile that enables FortiGate to decrypt and inspect the entire content of SSL traffic. It provides the highest level of security but may affect performance.

What is 'Exempt'?

This is a type of configuration setting in a static URL filter that allows you to specify that an entire URL (inclusive of subpages) be exempt from the filtering policy.

What is 'Monitor'?

This is a type of configuration setting in a static URL filter that allows you to specify that an entire URL (inclusive of subpages) be monitored for traffic. The traffic would be allowed, but the firewall would log and report on it.

What is 'Quick Mode' in IPsec VPN?

This is a method of configuring a VPN connection where each site's configuration includes the network subnets that are part of the tunnel, allowing traffic to transit between those specific subnets.

What is Zero Trust Network Access (ZTNA)?

A security mechanism that allows users to access network resources only after their security posture has been verified, based on their identity, device type, and location. It is applied to both internal and external users.

What is a Static IP address remote gateway?

This is a type of IPsec VPN configuration where the remote peer's IP address is defined as a static IP. The FortiGate will always connect to the VPN using this specific IP address.

What is a Dynamic DNS remote gateway?

This is a type of remote gateway configuration in IPsec VPN. It utilizes a dynamic DNS service where the remote peer's IP address can change and is automatically updated on the FortiGate.

What is a Static Route?

This is a configuration setting in FortiGate that allows you to configure a static route to a specific network, overriding normal routing paths. Static routes are often used to control traffic flow or to reach networks that might not be reachable using normal dynamic routing protocols.

Study Notes

Fortinet FCP_FGT_AD-7.4 Exam Notes

  • Exam is about Fortinet Network Security Expert
  • Exam contains 232 questions
  • Exam covers topics like routing tables, IP pool types, NAT methods, authentication, and firewall policies for carrier-grade NAT deployments.